Cyber Incident Victim: Gemeinde Buchs
Date: Mar 2024
Location: Switzerland
Summary
An unauthorized actor compromised the business email account of Buchs' mayor and used it to send thousands of fraudulent messages, including phishing links disguised as voicemail notifications and "valid email" verification requests. Most of the messages went to addresses at external providers such as Gmail and Outlook that were not in the official address directory; approximately 130 reached legitimate contacts. The attack disrupted municipal email services because the resulting reputation damage to the municipality's domain caused major providers to reject its mail, though forensic analysis found no evidence of sensitive data exfiltration or financial loss. Criminal investigations were initiated with the cantonal police and federal cybersecurity authorities, while external IT providers implemented containment measures, including reactivation of the account under enhanced monitoring.
Description
On February 27, 2024, the business email account of Buchs municipal president Urs Affolter was compromised by unknown attackers. Initial analysis confirmed unauthorized access to Affolter's email credentials, enabling the threat actors to send hundreds of fraudulent messages posing as the mayor. Two distinct email campaigns were identified: the first involved messages with subjects like "? Voice Mail (00 Mins 53 sec)" containing links purportedly to access voicemail recordings, while the second campaign used the subject line "is this your valid email?" targeting recipients not in Affolter's address directory. The municipality immediately disabled Affolter's email account and engaged an external IT service provider to implement containment measures, including forensic analysis and system monitoring. Recipients who clicked the suspicious voicemail links were advised to change their passwords as a precaution.

Subsequent investigation revealed approximately 11,000 voicemail-themed emails were sent, with 118 reaching internal municipal contacts and 12 delivered to external third parties from Affolter's address book. Thousands more "valid email" verification messages were distributed to recipients using @outlook.com, @gmail.com, @yahoo.com, and @me.com addresses not associated with the municipality's records. Forensic examination found no evidence that sensitive data was exfiltrated or that internal systems beyond the email account were compromised. The attack temporarily disrupted email communications with major providers like Gmail and Hotmail due to reputation damage affecting the @buchs-aargau.ch domain. Aargau cantonal police launched criminal proceedings to identify the perpetrators, while the municipality formally reported the incident to the Federal Office for Cyber Security (BACS). Affolter's email account was reactivated under enhanced monitoring after forensic clearance, and the municipality declared the incident internally resolved pending law enforcement outcomes. No significant financial losses were documented, though operational disruptions occurred during the email service degradation period.
