Cyber Incident Victim: Cistec

Date: Feb 2025

Location: Switzerland

Summary

A Swiss software provider specializing in clinical information systems experienced a ransomware attack targeting its internal infrastructure, specifically Active Directory-linked services like Exchange. The company immediately shut down all systems to contain the breach and engaged cybersecurity specialists, while notifying relevant authorities including law enforcement and data protection agencies. According to analyses by external experts and government entities, no customer systems or patient data—which the firm confirmed were not stored on its compromised infrastructure—were affected. The organization is rebuilding its internal systems in a new secure environment. Separately, prior assessments of the provider's software had identified a critical vulnerability requiring internal network privileges, which was subsequently patched.

Description

On February 12, 2025, Swiss software provider Cistec suffered a ransomware attack targeting its internal infrastructure during overnight operations. The company confirmed the incident after detecting unauthorized access to Active Directory-integrated services, including Microsoft Exchange. To contain the threat, Cistec immediately powered down all systems to prevent lateral movement across its network. The organization engaged external cybersecurity specialists to assist with forensic analysis and remediation efforts, while simultaneously notifying three Swiss authorities: the Zurich Cantonal Police Cybercrime Unit, the Federal Data Protection Commissioner (Edöb), and the Government Computer Emergency Response Team (GovCert). Initial investigations determined that attackers exclusively compromised Cistec's corporate environment without reaching customer-facing systems.

Cistec explicitly confirmed that its hospital information system (Kisim) and associated client infrastructure remained unaffected throughout the incident. The company emphasized it never stored patient data from customer deployments on its internal systems, ruling out the encryption or exfiltration of medical records. During restoration efforts, Cistec migrated its internal operations to a newly constructed, segregated IT environment, gradually bringing services back online under enhanced security protocols. This incident occurred against a backdrop of prior scrutiny regarding vulnerabilities in Swiss healthcare software, with the National Test Center (NTC) having identified security flaws in Cistec's Kisim platform during earlier assessments. Cistec had addressed a critical vulnerability flagged in that review, which required extensive internal network privileges for exploitation, prior to the ransomware attack. No operational disruptions or data breaches were reported at client healthcare facilities using Kisim during or after the incident.