Cyber Incident Victim: Prismecs

Date: May 2025

Location: Switzerland

Summary

Prismecs experienced a breach when attackers gained access to a manager’s email account and used it to send phishing messages to Swiss suppliers and partners; the messages were detected when antivirus software blocked a malicious link. The Federal Office of Energy confirmed the IT attack on the company, noting that the incident involved only the compromised email account and did not endanger the security of the reserve power plant it operates. Although the company and its partner GE Vernova have not provided further details, the attack is considered one of the first incidents requiring mandatory reporting under recent amendments to the information security law. Prior operational challenges at the Birr facility, including delayed commissioning, a court ruling on the original permit, and a fire that damaged the grid connection, have been reported separately.

Description

Hackers gained access to the email account of a manager employed by Prismecs, the Swiss subsidiary of the US‑based energy company Prismecs, and used that account to send phishing messages to Swiss suppliers and business partners. The messages claimed that a document would be delivered and instructed recipients to click on a link; the emails bore the name of the Swiss chief executive of Prismecs. When one recipient attempted to follow the link, their antivirus software blocked the page, prompting the realization that the manager had not authored the message. Investigations by the reporting outlet confirmed that the attackers had successfully infiltrated Prismecs’ IT systems and triggered the distribution of the phishing emails. The Bundesamt für Energie subsequently confirmed that an IT attack had occurred on the company.

Prismecs operates the Birr reserve power plant, a facility deemed critical infrastructure for Switzerland’s electricity supply. The plant, completed in spring 2023, houses eight turbines capable of running on natural gas or auto‑diesel and delivering 250 megawatts, roughly a quarter of the output of the Leibstadt nuclear plant. The contract for Birr runs until the end of 2026 and obligates the Confederation to pay approximately half a billion Swiss francs. Prior to the cyber incident, Birr experienced a delayed grid connection of over a month in early 2023, a Federal Administrative Court ruling in 2024 that declared the original permit unlawful without ordering a dismantling, and a fire that destroyed the plant’s grid connection, necessitating a six‑month repair. The Bundesamt für Energie noted that, under the revised Information Security Act effective 1 April 2025, operators of critical infrastructure must report cyberattacks to the Federal Office for Cybersecurity (BACS) within 24 hours; it remains unclear whether Prismecs or its partner GE Vernova fulfilled this obligation, as neither entity has publicly confirmed compliance and BACS cannot disclose details without consent. GE Vernova stated that the IT systems of the Birr plant and those of Prismecs are strictly separated, that the security of Switzerland’s electricity supply was not endangered, and that there is no direct contractual link between Prismecs and the Confederation, leading the Bund to consider the matter closed.

The identity of the attackers, their specific tactics, and their objectives have not been disclosed, and it remains unknown whether additional email accounts or systems within Prismecs were compromised. Birr is expected to remain available as a transitional reserve solution beyond 2026, while the Confederation plans to have five other reserve power plants—located in Muttenz BL, Monthey VS, Stein AG, and Eiken AG (two units)—operational by 2030, all fueled by CO₂‑neutral sources. No further details about the attack’s impact on plant operations, any data loss, or subsequent remedial actions have been made public.
