Cyber Incident Victim: Nexus Telecom
Date: Jan 2024
Location: Switzerland
Summary
A Swiss software company specializing in network monitoring for mobile telecommunications providers was compromised by the ransomware group 8Base, which threatened to leak stolen confidential data. The attackers claimed possession of a significant volume of sensitive information. The company's CEO confirmed the incident but did not specify which data or systems were affected, while emphasizing that customer operations remained unaffected. 8Base, known for opportunistic targeting and for using third-party tooling such as Phobos ransomware rather than its own malware, operates a darknet leak site that lists no victims from Russia or former Soviet states, a pattern suggesting Russian affiliations. The group relies on externally developed infrastructure, including a vulnerable chat function on its leak site that has been linked to a Moldovan programmer, and its communications share stylistic similarities with the RansomHouse operation. The victim company, which serves major European telecom providers, stated that the breach was confined to a single server and that it was cooperating with authorities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On January 1, 2024, Swiss software company Nexus Telecom confirmed it had been targeted in a cyberattack by the ransomware group 8Base, which threatened to publish stolen confidential data on its darknet leak site. The attackers claimed possession of "a large amount of confidential information" and set a deadline of several days before the data would be released. Nexus CEO Marco Rhyner confirmed the incident to media outlets but could not disclose specifics about the compromised data or the severity of the attack while the investigation remained ongoing. The company, founded in 1993 by Swiss politician Ruedi Noser, specializes in network monitoring software for mobile telecommunications providers and serves major clients including British Telecommunications and Deutsche Telekom, across Europe and overseas. Nexus had previously drawn controversy in 2013 over exports of surveillance software to Saudi Arabia, although Noser emphasized at the time that the technology could not decrypt content. After financial difficulties and bankruptcy in 2016, Generis AG, a Swiss firm with operations in Schaffhausen and Beijing, acquired Nexus Telecom's assets and retained its core team, refocusing development on 5G and smart-city applications.

The 8Base ransomware group, active since March 2022, escalated its operations in mid-2023 and ranked among the most prolific ransomware groups after LockBit in that period. Security researchers observed 8Base deploying Phobos ransomware variants in late 2023, relying on ransomware-as-a-service tooling rather than developing proprietary malware. The group maintains a Tor-accessible leak site listing hundreds of victims who did not pay, with no entities from Russia or former Soviet states; this exclusion pattern is consistent with Russian-aligned cybercriminal activity, though it is circumstantial rather than conclusive attribution. Analysis in 2023 found linguistic similarities between 8Base's communications and those of the RansomHouse operation, suggesting a possible overlap between the two. Security journalist Brian Krebs linked a Moldovan programmer to the code of the chat function embedded in 8Base's leak site, which the group uses for victim negotiations. Nexus Telecom clarified that the breach affected a single server and did not disrupt operational systems or customer-facing infrastructure. According to Rhyner's updated statement, the company engaged law enforcement throughout the response and remained in regular contact with authorities.
