
Cyber Incident Victim: Concevis AG

Date: Nov 2023

Location: Switzerland

Summary

A Swiss software provider specializing in public administration and financial sector solutions experienced a ransomware attack resulting in server encryption and data theft, including operational information from federal entities. Despite the attackers' ransom demands and threats to release stolen data, the victim did not comply, prompting ongoing criminal investigations involving federal prosecutors. Several federal offices were potentially impacted, though no compromise of their systems was detected; external security experts and national cybersecurity authorities are coordinating forensic analysis and mitigation efforts.


Description

The ransomware attack targeting Concevis AG occurred during the weekend of November 4–5, 2023. Attackers compromised the Swiss software provider’s systems, exfiltrated data, and encrypted all company servers using robust encryption mechanisms designed to obstruct forensic analysis. Following the encryption, the perpetrators issued a ransom demand, which Concevis declined to pay, prompting threats to publish stolen data on the Darknet. The company promptly notified its clients, including multiple Swiss federal administrative units, and filed a criminal complaint with the Basel-Stadt Public Prosecutor’s Office, later escalated to the Federal Prosecutor’s Office. Concevis engaged external cybersecurity specialists to assist with forensic investigations and incident response, though the encryption tactics significantly complicated efforts to determine the full scope of data theft. Initial assessments indicated a high probability of extensive data exfiltration, including older operational data belonging to federal entities.

Affected federal clients included the Federal Office for Civil Protection, Federal Office for Spatial Development, Federal Statistical Office, Federal Office of Civil Aviation, Federal Tax Administration, and Training Command, though no direct compromise of federal systems was identified. Concevis emphasized that its applications for federal clients were operated by third-party service providers, reducing immediate risks to government infrastructure. The National Cyber Security Centre (NCSC) assumed coordination of federal response efforts, maintaining communication with Concevis, law enforcement, and impacted agencies while refraining from public speculation pending further analysis. Ongoing investigations focused on identifying precisely which datasets were stolen and which federal units faced exposure risks. The company’s managing director, Karl Lukas, publicly acknowledged disruptions to customers but declined detailed commentary, citing the active criminal probe and operational sensitivities.
