
Cyber Incident Victim: Bobst Group

Date:

Apr 2023

Location:

Switzerland

Summary

Bobst Group successfully defended against two targeted and precise intrusion attempts on its IT systems. The company activated its emergency plan, isolating systems and operating in a degraded mode for several days to prevent a breach of its databases. Production departments resumed normal operations shortly thereafter. The ransomware group Black Basta later claimed responsibility for the attack and published evidence of stolen documents, including copies of identification cards.


Description

The Bobst Group, a Swiss-based manufacturer of industrial machinery headquartered in the canton of Vaud, experienced a significant cybersecurity incident around the Easter weekend in April 2023. The company confirmed it was the target of two distinct and precise attempts to penetrate its IT systems. These were not routine or generic attacks but were characterized as targeted intrusions. The specific dates of the initial intrusion attempts were not publicly disclosed, but the company's response activities indicate the incident was discovered and actively managed immediately following the Easter holiday period.


Upon detection of the anomalous activity, Bobst Group initiated its established emergency response plan. The primary containment action was the deliberate isolation of the affected IT systems, to stop the intrusion from propagating further into the network and to protect critical databases from compromise. This containment step forced a shift to a degraded operational mode, disrupting normal business functions for several days. The company's production departments were directly affected and were taken offline as part of the containment strategy.

Throughout the response period, Bobst Group maintained targeted communications with its global customer base and suppliers, informing them of the situation. Internal response efforts were coordinated across the company's international teams. The CEO, Jean-Pascal Bobst, publicly stated that the company's defensive measures proved to be highly effective during the incident. The actions successfully prevented a full-scale intrusion into the company's core systems and databases, averting a more severe operational disruption or a widespread data breach at that time.

By April 17th and 18th, the company had successfully restored its production departments to full operational status, concluding the period of degraded functionality. The investigation into the incident revealed the identity and origin of the attackers, though Bobst Group elected not to publicly disclose these specific details. The company did, however, note that a review of dark web monitoring services showed no evidence that any Bobst data had been published or offered for sale, which was interpreted as a positive indicator that their containment had been successful.

In June 2023, the ransomware group known as Black Basta claimed responsibility for the attack on Bobst Group. This group is also widely suspected by cybersecurity researchers to be behind a separate, contemporaneous attack on another major Swiss industrial corporation, ABB. As part of its claim, Black Basta published what it purported to be evidence of stolen data, including initial screenshots of identification document copies and internal company files. The exact volume of data exfiltrated from Bobst's systems, if any, remains unclear from public statements. The company's earlier assertion that nothing had appeared on the dark web suggests that either no data was extracted, that the data published by Black Basta was insignificant, or that any exfiltrated data had not yet been released at the time of the CEO's initial comments in April.

The public claim by Black Basta introduced a new dimension to the incident, confirming the involvement of a known ransomware operation. This contrasted with the group's approach to the ABB incident, for which no public claim had been made at the time, leading to external speculation about different outcomes between the two cases. For Bobst, the ultimate impact of the incident was characterized by the company's leadership as having escaped with a "black eye," acknowledging that while the company does not possess the security level of a financial institution, it had managed to avoid catastrophic consequences. The primary operational impact was the multi-day disruption to production and the necessity to operate in an emergency mode, which was successfully mitigated through the execution of the company's incident response plan.
