
Cyber Incident Victim: Switzerland

Date: Mar 2023

Location: Switzerland

Summary

A Swiss IT services provider suffered a cyberattack that forced it to take all client systems offline for three days, impacting municipalities, SMEs, automotive businesses, and industrial service clients. The company detected unauthorized access and immediately isolated affected infrastructure, with technicians working continuously to restore operations; they asserted no data was exfiltrated despite client concerns about potential darknet exposure. Authorities were notified, though no formal complaint was filed, and the company acknowledged contact with the attackers without disclosing ransom details. Separately, another regional IT provider experienced a related attack involving data encryption against a healthcare facility client, which disrupted operations for days—audits indicated no data leakage, though the ransomware's resolution remained unclear. Both incidents highlighted operational paralysis risks for dependent organizations.


Description

The cyberattack targeting Vaud-based IT firm Infolog began during the night of Monday to Tuesday in mid-April 2023, with detection occurring on Tuesday morning. Infolog immediately disconnected all client systems upon discovery, initiating a three-day recovery effort that required technicians to work continuously until Thursday evening to fully restore services. The company, which provides IT infrastructure for municipalities, SMEs, automotive businesses including the Leuba garage chain, and industrial service providers, experienced complete operational disruption across its systems. A client attempting to schedule a Mercedes service appointment through Leuba's website discovered irregularities, later learning about the attack through direct communication with the garage. Infolog maintained that no data exfiltration occurred during the breach, stating definitively that "nothing left our systems," though impacted clients expressed concerns about potential darknet exposure of personal information. The company reported the incident to Vaud cantonal police and federal authorities, though police confirmed no formal complaint had been filed as of their statement. Limited details emerged regarding threat actor communications, with an Infolog employee acknowledging contact with hackers but declining to specify whether ransom demands were made or negotiated.


A separate but related incident occurred on March 27, 2023, when another Swiss IT service provider suffered a ransomware attack that encrypted client data, including systems belonging to a Lausanne-based elderly care facility (EMS). The EMS regained normal operations only at the start of the following week, with its director confirming that forensic audits found no evidence of data leakage, suggesting the attackers' primary objective was system disruption rather than data theft. While aware of ransom demands made to their IT provider, the EMS administration lacked confirmation about whether payment occurred or if technical solutions resolved the encryption. Infolog cited these parallel incidents when emphasizing the disproportionate impact on smaller businesses, noting their own technical expertise and secure backups enabled relatively swift recovery compared to typical SMEs that could face months of operational paralysis or bankruptcy. Both attacks demonstrated the cascading effects of compromising IT service providers, with primary victims like Infolog transmitting disruptions to multiple downstream clients across sectors.
