
Cyber Incident Victim: Marti-Gruppe

Date:

May 2023

Location:

—

Summary

The Marti-Gruppe, a major Swiss construction company, was compromised by the Clop ransomware group through exploitation of a zero-day vulnerability in the MOVEit Transfer file-sharing platform, resulting in data theft and extortion demands. Clop threatened to publish stolen data on its darknet leak site for non-compliant victims, part of a broader global campaign targeting numerous enterprises and government entities. While US authorities responded with a substantial bounty offer for information on the attackers, Swiss cybersecurity officials acknowledged increased ransomware activity but deferred to private-sector responsibility, declining to confirm specifics about this incident. The attack exemplifies Clop's financially motivated operations against high-value organizational targets.


Description

In late May 2023, the Clop ransomware group exploited a zero-day vulnerability in the MOVEit Transfer file transfer platform, initiating a global cyberattack campaign that impacted hundreds of organizations. The attacks, first detected on May 27 during the Pentecost holiday weekend, targeted commercial entities, government agencies, and educational institutions across multiple countries. Clop operators claimed unauthorized access to sensitive data from numerous victims, including US federal agencies such as the Department of Energy, and threatened to publish stolen information on their darknet leak site unless ransom demands were met. By early June, the Swiss construction conglomerate Marti-Gruppe emerged as a confirmed victim through investigative reporting, though the Bern-based company with 6,000 employees and 80 subsidiaries declined multiple requests for comment regarding the breach. The attack occurred despite Marti-Gruppe's substantial operational footprint across building construction, civil engineering, and tunneling sectors, with corporate leadership and IT support staff maintaining strict silence on compromise details, attack vectors, or data exfiltration scope.


Clop intensified pressure tactics in June 2023 by publicly listing non-compliant victims on their darknet platform while asserting deletion of government data to emphasize their financial rather than political motives. The US Department of State responded on June 9 by offering a $10 million bounty through its Rewards for Justice program for information identifying Clop members, expanding existing counter-terrorism incentives to include cybercriminal groups. Swiss authorities, through the National Cybersecurity Centre (NCSC), acknowledged increased attack volumes but declined specific commentary on Marti-Gruppe or Clop's campaign, citing standard policy against discussing individual incidents while emphasizing private-sector responsibility for cybersecurity. NCSC data revealed ransomware reports had plateaued since 2020-2021 peaks, with 2023 showing disproportionate targeting of enterprises over individuals: only 10% of Swiss ransomware alerts originated from private citizens. The absence of mandatory breach reporting requirements in Switzerland suggested significant underreporting of incidents like the Marti-Gruppe compromise, though critical infrastructure providers could access NCSC's threat intelligence sharing platform and technical assistance during attacks. Clop's exploitation of the MOVEit vulnerability demonstrated their established pattern of coordinated mass attacks against vulnerable third-party software, leaving organizations with limited recovery options beyond evaluating leaked data exposure and reinforcing system patching protocols.
