Cyber Incident Victim: Spiez Laboratory
Date: Jun 2018
Location: Switzerland
Summary
Russian hackers linked to the GRU military intelligence agency targeted a Swiss laboratory specializing in chemical, biological, and nuclear warfare analysis through a phishing campaign using spoofed emails containing malware. The Swiss facility, which had previously confirmed the use of Novichok nerve agent in the Salisbury poisoning incident, reported no confirmed data outflow from the attack aimed at participants of an upcoming chemical weapons conference. Cybersecurity investigators attributed the operation to the Sandworm group, known for prior attacks on Ukrainian infrastructure and German media, with linguistic evidence pointing to Russian involvement. Swiss intelligence has previously accused Russia of cyber intrusions against other national entities, including the International Olympic Committee.
Description
In July 2018, Swiss media reported that Russian hackers targeted the Spiez Laboratory, a state-run facility specializing in chemical, biological, and nuclear warfare analysis near Bern. The attack occurred ahead of a September conference of chemical and biological warfare experts. Perpetrators created a spoofed email address impersonating the laboratory and distributed a malicious Word document to conference participants, embedding malware designed to compromise systems. The Federal Office for Civil Protection confirmed the phishing attempt and immediately alerted invitees about the fraudulent communication, warning them of the danger. Kurt Münger, a representative of the office, stated there was no evidence of successful data exfiltration despite the attack. The laboratory had previously analyzed Novichok nerve agent samples from the March 2018 Salisbury poisoning of Sergei and Yulia Skripal, corroborating British findings that the Soviet-developed weapon was used. This attribution had drawn denials from Moscow but heightened geopolitical tensions preceding the cyber intrusion.

Cybersecurity firm Kaspersky Lab identified linguistic evidence suggesting the hackers possessed Russian language capabilities. The Spiez Laboratory explicitly named Sandworm, a hacking group widely associated with Russia’s GRU military intelligence agency, as the suspected perpetrator. Sandworm had previously been linked by experts to disruptive attacks on Ukrainian power grids in 2016 and simultaneous June 2018 intrusions targeting German public broadcasters alongside the Swiss lab. Swiss intelligence authorities had previously attributed other cyberattacks on domestic organizations, including the International Olympic Committee and local IT firms, to Russian state actors. The incident occurred amid public disputes with Russian officials, including Foreign Minister Sergei Lavrov’s April 2018 false claim that Spiez had identified a Western-made BZ nerve agent in Salisbury samples, an assertion the laboratory refuted via Twitter, reaffirming its Novichok conclusion. The U.S. Department of Homeland Security separately warned that month about GRU infiltration attempts against American power infrastructure, contextualizing the Spiez attack within broader patterns of Russian cyber operations targeting critical scientific and geopolitical assets.
