Cyber Incident Victim: Fachhochschule Nordwestschweiz
Date: Mar 2025
Location: Switzerland
Summary
Fachhochschule Nordwestschweiz reported that its GitLab platform, provided by SWITCH as a managed service, was compromised by the ransomware group FOG, which copied and released approximately ninety‑three gigabytes of source code on the darknet. The institution immediately activated its crisis team and emergency plan, blocked all GitLab access credentials, reset user passwords, and informed central bodies and authorities while launching an analysis to determine the full extent of the data theft. So far no other systems are known to be affected and teaching operations continue uninterrupted, though IT staff remain on heightened alert for further action. The attackers, known for exploiting stolen or compromised VPN access, have targeted multiple organizations using GitLab, focusing on exfiltrating software repositories rather than encrypting files, thereby threatening intellectual property. Experts note that the group has carried out over eighty successful incidents and continues to publish stolen data freely.
Description
On March 1 2025 the Fachhochschule Nordwestschweiz (FHNW) confirmed that its GitLab platform, provided as a managed service by SWITCH, had been compromised by the ransomware group FOG. According to the FHNW statement, the attackers copied a portion of the software code stored in GitLab and released 93 gigabytes of the data on the darknet on March 5 2025. The FHNW immediately activated its crisis task force within Corporate IT, invoked the relevant emergency plan, and informed the institution’s central bodies and the authorities. The university also blocked all GitLab access keys and required users to reset their passwords for the platform while beginning an analysis of the exposed data to determine the full scope of the breach.

The FHNW emphasized that, to date, no other IT systems beyond the GitLab service have been identified as affected by the incident, and that teaching operations have not been directly disrupted by the attack on the development platform. The institution reported that it remains in heightened alert status, continues to monitor for any additional data exposure, and will provide regular, transparent updates through its internal and external communication channels as the investigation permits. The FHNW noted that it had already informed its internal community about the hack and that the owner cantons—Aargau, Basel‑Landschaft, Basel‑Stadt, and Solothurn—were kept informed of the situation.

FOG, the ransomware operation behind the attack, has been observed targeting organizations that use GitLab since the beginning of 2025, with security firms reporting more than 80 successful incidents linked to the group. Experts such as Marc Ruef of Scip AG have remarked that FOG is known for leveraging stolen or compromised VPN credentials to gain access, and have questioned why the group would freely distribute the stolen data on the darknet, suggesting either a perceived lack of market value or a demonstration of power. Ruef also noted that numerous vulnerabilities have been identified in GitLab over the years, with nearly 700 known since 2017 and 25 reported in the current year alone. The FHNW case adds to the growing list of victims, which includes at least one other Swiss company identified through external research. The attackers’ focus on software repositories rather than simple file encryption underscores a shift toward threatening intellectual property and operational continuity.
