In a local authority, everyone works with the same domain name :
@ville-X.fr, @departement-Y.fr, @metropole-Z.fr...
Employees, departments, schools, municipal police, CCAS, culture, sport, elected representatives, external service providers...
Result: hundreds, sometimes thousands of accounts based on the same servers, the same portals, the same systems.
For a striker, it's a golden opportunity:
- a single area to target,
- tons of identifiers to recover,
- and very often many leaks already on the dark web.
Cyber Threat Intelligence (CTI) is here to do just that. put some light in there and do some real “housekeeping” on the show side.
1. Why do communities leak so much onto the dark web?
In spite of themselves, local authorities ideal profile for cybercriminals.
They have many agents (and therefore many accounts), passwords that are often reused between internal tools and external services, accounts that remain active even though people have changed jobs or left the local authority, not to mention the many trade portals displayed on the Internet (citizens, agents, schools, social, etc.).
Over time, all this leaves its mark on the dark web. There you can see :
-
lists of local authority e-mail addresses and their associated passwords,
-
identifiers for internal or partner portals,
-
sometimes even technical access (VPN, RDP, administration consoles, etc.).
What's most worrying is that this situation remains totally invisible to the public The system continues to run, agents work as normal... even though compromised accesses are circulating and can be exploited at any time.
2. Why these leaks are so dangerous for a community
These escaped identifiers allow :
- to enter citizen portals (online procedures, school enrolment, extracurricular services...),
- access internal administration interfaces,
- reach more sensitive departments (municipal police, social services, town planning, etc.),
- and bounce back from one department to another, or even from the web to the internal IS.
Not all leaks are created equal, but some are clearly explosive. This is the case, for example, for agent accounts giving access to social, school or administrative data, accounts linked to sensitive services (municipal police, finance, town planning, etc.) or even for technical access which can bounce to other internal servers.
The same email/password pair can be used to log on to a citizen portal, a business extranet, and then, through a chain of accesses, to obtain higher rights in the information system. For an attacker, this is a ideal entry point to prepare a ransomware attack, conduct targeted fraud, siphon off sensitive data or simply resell this access to other criminal groups.
At Phishia, we have developed a criticality indicator which enables each leak to be classified and prioritized, so that efforts can be concentrated where the risk is really greatest.
3. What CTI brings to local authorities
CTI, applied to local authorities, consists of monitoring, analysing and processing everything that circulates about them. outside their own systems.
-
At last, a clear view of the exhibition
Instead of a worrying blur of «there must be leaks somewhere...», CTI lets you know how many identifiers linked to the community's domain are in circulation, What types of accounts are concerned, what services or portals are mentioned and what accesses seem to be still active. -
Distinguishing noise from real risk
Good ITC doesn't just list leaks: it qualifies what is out-of-date or already invalid (low priority), what is still exploitable (high priority) and what can potentially open up access to sensitive data or enable an internal rebound (critical priority). -
Transforming information into safety actions
Based on this information, the local authority can reset or deactivate exposed accounts, reinforce the security of the portals concerned (strong authentication, filtering, restrictions), adjust its detection rules (SIEM, EDR, firewall) and raise awareness among the most exposed agents.
With this approach, we go from «we suffer» at «on pilot».
4. CTI flash audit: cleaning up the dark web
For communities that have never really looked at what's circulating about them, a CTI flash audit is an excellent entry point.
The idea is simple: by a few weeks, Get a clear picture of the situation, deal with the emergency and lay the foundations for what's to come.
A CTI flash audit allows you to define the monitoring perimeter : local authority domain names, critical portals and services, sensitive profiles (elected representatives, departments, key functions).
It will then identify existing leaks These include: circulating logins (e-mail + password), mentions of local authority services or applications, and access or data offered for sale.
Thirdly, the audit tests and qualifies leaks These include checking what is still valid within a controlled framework, measuring the potential impact (accessible data, rebound possibilities), and classifying cases by level of criticality.
On this basis, it proposes a concrete remediation plan These include accounts to be reset or blocked, hardening of exposed portals, and measures to limit the recurrence of new leaks (awareness-raising, password policies, MFA, etc.).
Finally, the audit concludes with a usable report, We provide a summary of the current situation for decision-makers, precise technical information for the IT department and a clear prioritization of actions.
Clearly, after a flash audit, the community knows what goes around, what's dangerous, and what has been neutralized or needs to be neutralized quickly.
5. Phishia's role in this process
