Cyber Incident Victim: Bexio

Date: Jun 2023

Location: Switzerland

Summary

Bexio was the victim of a sustained DDoS attack that significantly impaired customer access to its core software platform. The attack did not affect the company's website, payroll service, API, or customer data, which remained secure. The identity of the attackers was not publicly known. The company implemented mitigation measures that were reported to be effective, eventually allowing customers to resume normal operations.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On June 13, 2023, the Swiss software company Bexio became the target of a sustained distributed denial-of-service (DDoS) attack. The attack caused significant disruptions to the accessibility of Bexio's core software platform for its customers. The company confirmed the nature of the incident and began reporting on the service impairments through its status page and direct communications to its user base. The primary impact was the limited availability of the main software application, preventing customers from accessing their accounts and conducting normal business operations through the platform. The attack was characterized by a flood of malicious traffic designed to overwhelm Bexio's online infrastructure and render its services unusable for legitimate users.

Despite the severe impact on service availability, Bexio was able to confirm that customer data remained secure and was not compromised during the incident. The company explicitly stated that its website, payroll accounting services (Lohnbuchhaltung), and application programming interface (API) were not affected by the attack and continued to operate normally. This delineation indicated that the threat actors focused their efforts specifically on the infrastructure hosting the primary business software, suggesting a targeted effort to disrupt operational continuity rather than to exfiltrate sensitive information. The integrity and confidentiality of customer data were maintained throughout the event.

The DDoS attack persisted for several days following its initial onset on June 13th. Bexio's technical teams worked intensively to analyze the attack vectors and implement countermeasures to mitigate the flood of traffic and restore full service availability. The company maintained communication with its customers during this period, providing updates on the ongoing situation and the efforts being undertaken to resolve it. The identity of the threat actors behind the attack was not known to Bexio at the time. The company's press office, represented by spokesperson Jennifer Maurer, stated that they had no information regarding who was responsible for the disruptive campaign.

By the end of the following week, Bexio began to see success in its mitigation efforts. The company implemented specific measures designed to filter out malicious traffic and absorb the attack, and these actions began to show positive results. Jennifer Maurer conveyed that the implemented measures were effective, allowing customers to gradually return to normal work patterns on the platform. The restoration of service marked a significant turning point in the incident, indicating that the containment strategies deployed by Bexio's incident response and infrastructure teams were successfully countering the attack.

The incident occurred within a broader context of increased DDoS activity targeting Swiss organizations. In the days preceding and surrounding the attack on Bexio, numerous other Swiss websites had fallen victim to similar DDoS attacks. Public reporting attributed many of these contemporaneous attacks to politically motivated, pro-Russian hacker groups. These groups often employ DDoS tactics as a form of hacktivism to disrupt services and make a political statement. While a direct link between these groups and the Bexio attack was not established or confirmed by the company itself, the timing and nature of the incident placed it within a wider pattern of disruptive cyber activity affecting the country.

The impact of the incident was solely related to service availability and business continuity for Bexio and its customers. The prolonged duration of the attack, lasting multiple days, meant that users experienced an extended period of unreliable access to a critical business tool. Bexio's response focused entirely on technical containment and restoration, with no public indication that a ransom was demanded or that any form of negotiation with the attackers took place. The company's public communications emphasized the safety of customer data and the ongoing work to restore services, aiming to maintain trust and provide transparency throughout the disruptive period. The complete restoration of normal service operations signified the end of the active incident response phase.

Sources
Sources available to members
1 source