Cyber Incident Victim: Canton of Aargau
Date: Mar 2024
Location: Switzerland
Summary
The email account of Buchs municipality's mayor was compromised, leading to unauthorized mass email distributions. Attackers sent thousands of messages, including phishing links disguised as voicemail notifications and validation requests, primarily targeting external providers like Gmail and Outlook. While most emails were filtered as spam, 118 reached internal contacts and 12 external recipients. No evidence indicates data exfiltration or financial loss, but the attack disrupted municipal email services due to domain reputation damage. The incident prompted involvement of external IT specialists, cantonal police investigations, and reporting to federal cybersecurity authorities.
Description
On February 27, 2024, the business email account of Buchs municipality president Urs Affolter was compromised by unknown attackers, leading to unauthorized mass email campaigns. Initial analysis indicated attackers gained access to Affolter’s personal email credentials, though the exact intrusion method remained unspecified.

The attackers executed two distinct email campaigns using the compromised account. The first involved thousands of messages with the subject line "is this your valid email?", predominantly targeting recipients with addresses from external providers like Gmail, Outlook, Yahoo, and Apple Mail. These recipients were not in Affolter’s address directory, suggesting possible external harvesting or database exploitation. The second campaign distributed approximately 11,000 emails impersonating Affolter with the subject "? Voice Mail (00 Mins 53 sec)", containing a fraudulent voicemail retrieval link. Of these, 118 were sent to internal contacts within the municipality’s address directory and 12 to external third parties.

The community council immediately disabled Affolter’s email address, engaged an external IT service provider for forensic analysis, and implemented containment measures. Preliminary assessments confirmed no compromise of other municipal systems beyond the email account.

Further investigation revealed that the attack temporarily disrupted email communications between the municipality and external providers like Gmail and Hotmail, because of reputation damage to the @buchs-aargau.ch domain. No evidence emerged that sensitive internal data was accessed, exfiltrated, or forwarded by the attackers. Financial losses were not reported.

The Aargau cantonal police launched a criminal investigation to identify the perpetrators, while the municipality’s IT provider conducted a full incident analysis. The email account was reactivated under enhanced monitoring after security remediation. The incident was reported to the Federal Office for Cyber Security (BACS), and internal municipal operations returned to normal following confirmation that no additional systems were breached.

The municipal council publicly condemned the attack and acknowledged the inconvenience caused to recipients of the fraudulent emails, particularly those who interacted with the malicious voicemail link. No further technical or operational impacts were documented beyond the temporary email delivery restrictions and reputational effects on the domain.
