Cyber Incident Victim: Switzerland
Date: Apr 2023
Location: Switzerland
Summary
A Vaud-based IT services provider suffered a cyberattack that forced it to take all client systems offline for three days, impacting municipalities, SMEs, automotive businesses, and industrial service providers. The company detected unauthorized access, immediately isolated its systems, and restored operations after continuous technical efforts, asserting that no data exfiltration occurred despite client concerns about potential darknet exposure. Authorities were notified, though no formal complaint was filed, and few details emerged about communications with the threat actor. Separately, another regional IT provider experienced a related incident in which client data was encrypted, affecting clients including a healthcare facility; forensic analysis indicated no data leakage, and systems were restored after a prolonged disruption. Both attacks highlighted the operational exposure of organizations that depend on a single IT provider.
Description
On April 18, 2023, Swiss IT firm Infolog, based in Saint-Sulpice, Vaud, suffered a cyberattack that disrupted operations for three days. The attack occurred during the night of Monday to Tuesday and was detected by Infolog staff on Tuesday morning. Upon discovery, the company immediately disconnected all client systems to contain the incident. Infolog's technicians worked continuously until Thursday evening to restore services. The company provides IT services to municipalities, SMEs, automotive industry clients including the Leuba garage chain, and industrial service providers, all of which experienced operational disruptions. A customer of a Mercedes dealership within the Leuba network discovered the incident when attempting to schedule an online appointment, noticing irregularities in the system before being informed of the cyberattack during a follow-up phone call. Infolog asserted that no data exfiltration occurred, stating definitively that the hackers extracted no information from its systems. The company reported the incident to the Vaud cantonal police and federal authorities, though police confirmed that no formal complaint had been filed at the time of reporting. While Infolog acknowledged that contact occurred between its staff and the attackers, it declined to specify whether ransom demands were made or negotiated. The company emphasized that its technical expertise and secure system backups enabled a relatively swift recovery, contrasting this with the potentially catastrophic impact on less-prepared SMEs facing similar incidents.

This incident followed another cyberattack on March 27, 2023, targeting a different Swiss IT service provider whose clients included a Lausanne-based nursing home (EMS). In that case, attackers encrypted client data systems. The EMS director expressed initial concerns about potential darknet data leaks but cited audit results confirming no data exfiltration occurred, suggesting the attackers' primary objective was system disruption rather than data theft. Full operational restoration for the EMS required nearly two weeks, with systems returning to normal at the start of the week following April 18. The director acknowledged awareness of a ransom demand but had no confirmation whether their IT provider paid it or independently decrypted the systems. Both attacks demonstrated secondary impacts on downstream clients, with critical service providers becoming disruption vectors. Neither incident yielded confirmed data breaches despite initial client concerns, though both caused multi-day operational paralysis across municipal, commercial, and healthcare sectors.
