
Cyber Incident Victim: Pathé Schweiz

Date: May 2023

Location: Switzerland

Summary

A ransomware attack by the Play group targeted IT service provider Unico Data, severely impacting its numerous clients. The victim's systems were encrypted and taken offline, disrupting operations for several businesses and state institutions. Affected organizations included cinema chain Pathé Schweiz, which lost its online ticket sales capability, a tool manufacturer, a medical provider, and multiple municipalities, all of whom faced significant IT service interruptions. Recovery efforts were ongoing with no immediate timeline for full restoration.


Description

On or around May 27, 2023, the Swiss IT service provider Unico Data AG was subjected to a significant ransomware attack. The incident was first detected by the company's IT personnel during the night of Saturday, May 27, to Sunday, May 28. The attack was launched by the cybercriminal group known as "Play," a fact confirmed by the discovery of the ".play" file extension on encrypted data. This group was known for timing its encryption attacks outside of standard business hours, and in this instance, they chose the Pentecost holiday weekend to initiate their offensive. The attack forced Unico Data to shut down all of its systems in response.

Unico Data, based in Münsingen, employed approximately 75 staff and provided services to over 100 customers, primarily small and medium-sized businesses concentrated in the Bern region. Its role as a Managed Service Provider (MSP) meant it operated a data center where clients utilized Software as a Service (SaaS) offerings from the cloud. The complete shutdown of Unico Data's infrastructure therefore had an immediate and cascading effect on its entire client base. The company issued a media release on Thursday, May 28, confirming it was a ransomware attack and stating that the restoration of IT systems was underway in collaboration with the relevant authorities. Email communication was confirmed to be temporarily impossible, and no timeline could be provided for when full system functionality would be restored.

The repercussions of the attack on Unico Data's infrastructure were widespread and severe for its customers. The cinema chain Pathé Schweiz was among the affected entities. The company, which operates cinemas in Basel, Bern, Dietlikon, Ebikon, Geneva, Lausanne, and Spreitenbach, was forced to post a notice on its website informing customers that online ticket sales were impossible until further notice. The Swiss tool manufacturer PB Swiss Tools, a traditional company based in Wasen im Emmental, was also impacted. Its managing director, Eva Jaisli, confirmed the incident on the company website and assured customers that production could be maintained in shift operations despite the IT limitations, asking for patience.

The municipal administration of the Bernese community of Rüegsau experienced a state of emergency in the days following the attack. Officials informed the public on Tuesday that the IT system of the municipal administration was out of order. The Boess Group, a Bern-based company specializing in electrical engineering services with 13 locations across Switzerland, also confirmed it was affected by the incident. The Rugenbräu AG brewery in Interlaken and the Depot Zollikofen found themselves only reachable to a limited extent due to the attack, with their websites displaying notices about the IT disruption.

A significantly impacted customer was the Siloah Group in Gümligen, a leading integrated provider of medical care in geriatric medicine for the Bern region. The institution, which employs around 870 staff across several locations and operates 95 hospital beds and approximately 270 nursing home beds, was forced to shut down its IT systems. Martin Gafner, President of the Siloah Foundation Council and the Siloah AG Board of Directors, stated that patient safety was guaranteed at all times throughout the incident and praised employees for how they managed the difficult situation. He confirmed that the organization had begun testing its IT systems again as part of the recovery process. The scale of Siloah's operations suggested it was one of Unico Data's largest clients.

The managing director of Unico Data, Vince Lehmann, was cited in media reports confirming the ransomware nature of the attack. He stated that the affected IT systems would be "gradually restarted in the coming days and weeks," asking for the public's patience until their local administrations could function within their usual framework again. The company maintained updates on its website regarding the progress of containing the cyberattack.

On Friday, June 2, 2023, the Play ransomware group published a message on its data leak site on the darknet. The content of the message suggested a threatening posture, though the specific demands or nature of the taunting were not detailed in the available report. This group had previously been responsible for attacks on other Swiss entities, including the company Xplain AG and the media organizations NZZ and CH Media. The incident demonstrates the high-impact nature of attacks on managed service providers, where a single compromise can disable the operations of numerous downstream organizations across various critical sectors, including healthcare, public administration, manufacturing, and entertainment. The recovery process was described as ongoing and involved close cooperation with Swiss authorities.
