Cyber Incident Victim: Canton of Vaud

Date: Mar 2023

Location: Switzerland

Summary

A ransomware attack targeted an IT service provider, leading to the encryption of client data including systems of a Lausanne-based EMS. The incident caused significant operational disruptions, with services only restored several days later following intensive recovery efforts. While the attackers demanded a ransom, it remains unclear whether payment was made or if systems were restored independently. An audit conducted by specialists indicated no evidence of data exfiltration, suggesting the primary aim was system paralysis rather than data theft. The organization highlighted potential catastrophic impacts for smaller businesses facing similar incidents.

Description

On March 27, 2023, a cyberattack targeted an unnamed IT services provider supporting clients in the Lausanne region, including a local elderly care facility (EMS). Attackers encrypted client data systems, causing operational paralysis. The EMS director confirmed the incident disabled their systems, with recovery efforts extending into the following week. Forensic audits determined no data exfiltration occurred, indicating the attackers' primary objective was disruption rather than theft. A ransom demand was issued during the incident, though the provider's resolution method—whether payment or independent system restoration—remained unconfirmed by the EMS. This attack preceded a separate but similar incident involving Vaud-based IT firm Infolog, which suffered a breach between March 27 and 28, 2023, though the two events are not explicitly linked in available reporting.

Infolog detected unauthorized system access on Tuesday, March 28, 2023, prompting immediate shutdown of all client systems—including municipalities, SMEs, automotive dealerships like Leuba Mercedes, and industrial service providers. Technical teams worked continuously for three days to restore operations, completing recovery by Thursday, March 30. The company maintained no data exfiltration occurred, citing secured backups as critical to restoration. A client of affected Mercedes dealership Leuba reported unexplained website irregularities prior to learning of the attack, expressing concerns about potential personal data exposure despite Infolog's assurances. Vaud police confirmed no formal complaint was filed, though Infolog reported contacting cantonal and federal authorities. Limited details emerged regarding attacker communications, with an Infolog employee acknowledging unspecified contact with hackers but providing no confirmation of ransom demands or payments. The company emphasized the disproportionate impact such attacks could have on smaller businesses lacking equivalent technical recovery capacity.
