
Cyber Incident Victim: Vaud Promotion

Date:

Jun 2023

Location:

Switzerland

Summary

The Vaud Promotion economic development association was targeted in a cyber attack attributed to the Darkrace ransomware group. The attackers exfiltrated approximately 161 gigabytes of data, which included internal association documents, financial records, and sensitive employee information such as copies of identification documents. A crisis unit was immediately established with cybersecurity experts to manage the incident, and a criminal complaint was filed while the organization worked to maintain its operations.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 3 techniques
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

On the night of June 5th to June 6th, 2023, the Swiss economic and tourism promotion association Vaud Promotion detected that it had been the victim of a cyberattack. The organization, which promotes the canton of Vaud under the brand "Vaud+" and partners with the Canton of Vaud, Gastrovaud, the Association Romande des Hôteliers, and Innovaud, immediately initiated its response protocol. A crisis management team was established in collaboration with external cybersecurity experts, and it began a thorough technical analysis to assess the full scope and impact of the intrusion. Concurrently, technical emergency measures were implemented to contain the incident and prevent further unauthorized access to its systems.


The association promptly notified the relevant supervisory authorities about the breach. Furthermore, Vaud Promotion confirmed its intention to file a criminal complaint with law enforcement to initiate a formal investigation into the attack. Despite the severity of the incident, the organization stated that it was able to maintain its core operational activities in the immediate aftermath. However, it acknowledged that the processing of certain specific requests would likely take more time than usual due to the disruptive effects of the attack and the ongoing response efforts. A detailed plan to fully restore affected communication tools and other impacted systems was being developed at that time.

On June 7th, 2023, the ransomware group known as Darkrace claimed responsibility for the attack against Vaud Promotion. This claim was accompanied by the publication of screenshots of allegedly stolen data on the darknet. The cybercriminal group asserted that they had successfully exfiltrated 161 gigabytes of files from the association's network. The published proof-of-hack material included samples of internal association documents, financial records, employee-related data, and copies of identification documents. This public disclosure by the attackers confirmed the suspicions held by Vaud Promotion, which had already stated it suspected a data leak had occurred.

Darkrace was identified as a newly established actor in the ransomware landscape. Security experts had first begun tracking the group's activities in May 2023, meaning it had been operational for only a few weeks prior to the attack on Vaud Promotion. The group's darknet leak site listed a total of nine alleged victims at the time, including two Italian companies alongside the Swiss organization. The attack on Vaud Promotion represents the first known compromise of a Swiss entity by this particular threat group.

The cantonal department responsible for information technology, the Département de la cohésion institutionnelle et des ressources humaines (DCIRH), confirmed it was officially informed of the cyberattack on June 7th. The department clarified that the technical steps for investigation and remediation fell under the direct responsibility of Vaud Promotion itself and were to be carried out with its own cybersecurity advisors. The department emphasized that, as an independent entity, the association was responsible for the processing and security of its own data. However, the canton's Security Operations Center (SOC), operated by the General Directorate for Digital and Information Systems (DGNSI), undertook an evaluation of potential collateral risks to the broader cantonal administration resulting from the breach at its partner organization. Based on this assessment, the SOC was prepared to implement protective measures if deemed necessary, which could include interrupting network connections to the partner or blocking specific accounts. The cantonal SOC continued to monitor the development of the incident closely. Vaud Promotion committed to providing transparent updates as the situation evolved and the full investigation progressed.

Sources: 2 sources (available to members)