
Cyber Threat Actor: NSHC

Actor Type: Activist
Location: Russia
Known Incidents: 1 incident
Profile

NSHC is a threat actor known by the alias NSHC and associated with a Russian location based on available reporting. The group first came to public attention in March 2016 when it claimed responsibility for a breach of the database of Switzerland’s largest political party, the Swiss People’s Party, asserting that it had obtained the names and email addresses of more than 50,000 party supporters. In the same timeframe NSHC also claimed to have carried out distributed denial‑of‑service attacks against several Swiss online retailers and to have disrupted the Swiss Federal Railways website, making it inaccessible for roughly an hour on a Monday afternoon and for about one and a half hours that evening. The actors stated that their motivation was to raise awareness of what they perceived as Switzerland’s inadequate defenses against cyber attacks, framing their actions as a demonstration of vulnerability rather than a pursuit of financial gain or espionage.

The observed tactics, techniques and procedures of NSHC include unauthorized access to a political party’s database to exfiltrate personal data and the execution of volumetric DDoS campaigns targeting commercial and transportation‑related online services. No specific malware families, exploit kits, or initial‑access vectors are described in the source material; the reporting focuses solely on the outcomes of the data theft and the service‑disruption effects of the DDoS activity. The Swiss government’s Reporting and Analysis Center for Information Assurance (MELANI) indicated that it had no prior knowledge of the NSHC group before these incidents, and a senior Swiss information‑safety official publicly stated that there was no connection between the party breach, the retail DDoS attacks, and a separate compromise of at least 6,000 Swiss email account passwords that occurred around the same period.

Attribution to NSHC remains limited to the alias and the geographic association with Russia; no public evidence links the group to a state sponsor, a criminal consortium, or any broader affiliate network. The March 2016 operation against the Swiss People’s Party, accompanied by the DDoS disruptions to online shops and the national railway site, represents the most clearly documented campaign attributed to NSHC in the open‑source record. While unrelated credential leaks were noted by Swiss authorities, officials explicitly denied any linkage between those events and the NSHC‑claimed activities, leaving the group’s known footprint confined to the described Swiss‑based incidents.

Incidents
1 incident
Sources
1 source