ctipilot.ch

Swiss Post Cybersecurity inaugural Swiss Threat Landscape Report

annual-report · item:swiss-post-swiss-threat-landscape-report-2026

  • Coverage timeline: 1 (first 2026-06-24 → last 2026-06-24)
  • Briefs: 1 (1 distinct)
  • Sources cited: 246 (141 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-24 · CTI Daily Brief — 2026-06-24 (research): First coverage. Inaugural CH SOC-data-grounded report; single-source; one-time PD-9 treatment.

Where this entity is cited

  • research (1)

Source distribution

  • security-hub.ncsc.admin.ch: 12 (5%)
  • attack.mitre.org: 12 (5%)
  • thehackernews.com: 10 (4%)
  • bleepingcomputer.com: 9 (4%)
  • github.com: 7 (3%)
  • wid.cert-bund.de: 7 (3%)
  • ncsc.admin.ch: 6 (2%)
  • dexpose.io: 4 (2%)
  • other: 179 (73%)

Related entities

All cited sources (246)

Items in briefs about Swiss Post Cybersecurity inaugural Swiss Threat Landscape Report (11)

Swiss Post Cybersecurity publishes its inaugural Swiss Threat Landscape Report `[SINGLE-SOURCE]`

From CTI Daily Brief — 2026-06-24 · published 2026-06-24

Swiss Post Cybersecurity released its first Swiss Threat Landscape Report on 2026-06-23, presented at its Hack'Events conference, drawing on the firm's own SOC, incident-response and offensive-security engagement data rather than global aggregates (Swiss Post Cybersecurity, 2026-06-23). It names phishing, identity-based attacks (credential stuffing, account takeover, MFA-bypass chains) and AI-enabled threats as the dominant categories seen in Swiss incident intake, and argues the governance centre of gravity has moved from prevention to detection, response and recovery. [SINGLE-SOURCE] and vendor-authored, so the top-line categories are not novel; the value for a Swiss SOC is that the ranking is grounded in domestic operational data, which supports weighting identity-layer telemetry (Entra ID / AD sign-in logs, OAuth token-grant anomalies, MFA-fatigue patterns — T1621) and AI-assisted-phishing detection that leans on header/anomaly scoring rather than content heuristics (T1566.001). The full report is registration-gated (see § 7).

Swiss Federal Audit Office: federal cyber-governance split leaves strategic oversight without a complete incident picture

From CTI Daily Brief — 2026-06-22 · published 2026-06-22

Switzerland's Federal Audit Office (Eidgenössische Finanzkontrolle, EFK) published an audit on 2026-06-19 of the federal cybersecurity structure reorganised two years ago, finding that the strategic-oversight body — FS BIS, within SEPOS — does not have a complete view of security-relevant events in federal systems (SwissCybersecurity.net, 2026-06-19; EFK report 25152, 2026-06-19). The audit names three concrete gaps: the contracted requirements-management ("Vorgabenmanagement") support that BACS owes FS BIS is not being delivered at the agreed scope under the existing service-level agreement; BACS has no legal authority to forward incident reports to SEPOS/FS BIS on its own, so reporting depends on each affected agency opting in to sharing via the Cyber Security Hub platform; and incident-response coordination between the two bodies was inconsistent across cases, with stakeholders sometimes unaware of measures the peer body had already taken (Netzwoche, 2026-06-19). The EFK explicitly rejected a further reorganisation (folding the function into BACS) and instead recommends that BACS and FS BIS leadership resolve their differences and clarify roles at management level.

Defender takeaway: For a Swiss federal SOC the instructive part is the structural visibility gap, not an active intrusion. Because the Cyber Security Hub sharing path is opt-in and BACS cannot relay incident data to SEPOS without the originating agency's consent, the federal strategic threat picture can be missing incidents that BACS already holds — meaning cross-agency correlation and trend analysis at SEPOS level may be working from an incomplete dataset. Federal and cantonal bodies should treat their own Cyber Security Hub reporting posture as a deliberate decision (confirm whether SEPOS data-sharing is enabled), and recognise that "we reported it to BACS" does not guarantee the strategic-oversight layer ever saw it.

NCSC-CH — fake Swiss Post "Avis de passage" QR-code phishing in French-speaking Switzerland

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

NCSC-CH's Week 24 Wochenrückblick flagged a hybrid physical-plus-digital social-engineering campaign in French-speaking Switzerland: attackers drop fake Swiss Post collection-notice ("Avis de passage") letters into letterboxes, closely mimicking official branding, with a QR code leading to a phishing site that harvests identity and credit-card data (NCSC-CH, 2026-06-16). The physical-delivery vector defeats email-gateway controls entirely. Public-sector organisations in French-speaking cantons should brief staff on the physical-QR lure, since the Swiss Post brand is frequently abused and a letterbox-delivered QR bypasses every email-based phishing control.

NCSC Switzerland: Booking.com breach feeds two-pronged WhatsApp hotel-booking phishing against Swiss travellers

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

NCSC Switzerland's Week 22 report documents a surge in fraudulent WhatsApp messages abusing real booking data leaked in the April 2026 Booking.com compromise (dates, hotel names, guest names) (NCSC-CH, 2026-06-02). Variant 1 sends a fake refund lure on WhatsApp that redirects to pages spoofing TWINT and Swiss bank portals to harvest card data (T1566.002). Variant 2 is the more dangerous: attackers use compromised hotel booking-system credentials (T1078.004) to message guests through the legitimate booking channel, demanding urgent card re-verification — the message carries the trust of the real platform, defeating the usual "is this sender legitimate?" check. NCSC frames the targets as Swiss hotel-booking customers generally; for a federal SOC, staff who book travel through these platforms fall in the same exposed population (analyst inference). Why it matters to us: the account-takeover variant breaks user-awareness controls because the lure originates from a trusted booking system, not a spoofed sender — detection has to move to anomalous outbound messaging from booking-platform accounts and to card-data entry on TWINT/bank look-alike domains.

UPDATE: TheGentlemen RaaS lists Czech university and Swiss engineering firm on leak site

From CTI Daily Brief — 2026-05-20 · published 2026-05-20

UPDATE (originally covered in the 2026-05-14 backend database leak analysis): TheGentlemen RaaS's leak site listed two new European victims this week: University of Finance and Administration (VSFS, vsfs.cz) in the Czech Republic on 2026-05-19 and Swiss engineering firm DEVO-Tech AG (devo-tech.ch, Ziefen / BL) on 2026-05-18. The DeXpose write-ups are aggregator coverage of the leak-site listings themselves; neither victim has publicly confirmed the breach as of this brief. TTPs, infrastructure, and the Go-based locker remain unchanged from the Check Point Research deep coverage of 2026-05-14; the new data point is geographic spread continuing into EU higher education and Swiss SMB engineering.

Higher-education and public-sector defenders in the DACH region should confirm offline-backup integrity and revisit SD-WAN / VPN gateway patch posture (the primary initial-access vectors documented for TheGentlemen in prior reporting). A leak-site listing is not victim confirmation: both organisations were listed by TheGentlemen and neither has confirmed the breach itself.

The Gentlemen RaaS — Czech university and Swiss engineering firm listed; comms overhaul continues [SINGLE-SOURCE]

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

The Gentlemen RaaS listed two new European victims — the University of Finance and Administration (Czech Republic) and a Swiss engineering firm — on its leak site (daily 2026-05-20). The operator's previously-announced communications-infrastructure overhaul (rather than shutdown) means continued activity; the Swiss-victim listing is the direct CH-nexus signal this week. Watch for sample-data publication confirming the listings versus opportunistic re-listing.

CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: six-CVE cluster on the Swiss public sector's dominant email-encryption appliance

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: any unpatched SEPPmail instance still operating its GINAv2 portal on internet-accessible TCP/443 is exposing the /gina/diag/exec test/diagnostic endpoint — left active in the v15.0.x release cycle by the vendor — which accepts unvalidated shell command arguments and invokes Runtime.exec() as the Tomcat application user. A single HTTP request https://<gina-hostname>/gina/diag/exec?cmd=id confirms execution context; the same primitive reads /var/seppmail/conf/gina.properties (LDAP bind, SMTP credentials, S/MIME key-store symmetric key) and writes a web shell under webapps/. No authentication, no rate-limiting, no network boundary enforced (NCSC-CH Security Hub post 12551, 2026-05-08 · SEPPmail release notes v15.0 · daily 2026-05-09 deep dive).

SEPPmail AG (Steinach SG) is the dominant cryptographic email-processing gateway in the Swiss public sector — cantonal administrations, Swiss federal bodies (EJPD/DFJP, SECO, cantonal courts), university hospitals, and a substantial share of private healthcare and finance route sensitive email through SEPPmail infrastructure. The GINAv2 portal is by design internet-accessible to external recipients (who click a secure-email notification link, authenticate or self-register, and retrieve encrypted content). The vulnerability cluster covers six CVEs: CVE-2026-44128 (CVSS 9.3, unauth RCE via test endpoints, T1190); CVE-2026-44125 (CVSS 9.3, missing authentication on /gina/api/v1/admin/ allowing full configuration export including SMTP credentials, LDAP bind password, and the AES key protecting stored S/MIME keys — T1078.001, T1552.001); CVE-2026-44126 (CVSS 9.2, insecure session deserialisation reachable unauthenticated via a GINA_SESSION=../../uploads/... path-traversal cookie value that combines with the un-authenticated /gina/upload/certificate upload to stage a Java gadget chain — T1190); CVE-2026-44127 (CVSS 8.8, LFI and arbitrary file deletion in the appliance management interface — T1083, T1070.002); CVE-2026-44129 (CVSS 8.3, Freemarker SSTI via notification-email customisation — T1059.007); CVE-2026-7864 (CVSS 6.9, information disclosure). No in-the-wild exploitation confirmed as of week-end; all three CRITICAL paths are pre-authentication.

Patch path: SEPPmail 15.0.4 (patch 15.0.4.1) via the standard SEPPmail update channel; if patching is delayed, block source IPs outside the designated admin CIDR from /gina/diag/ and /gina/api/v1/admin/ paths at WAF or perimeter. Rotate LDAP bind credentials, SMTP relay credentials, and the S/MIME key-store password after patching regardless of whether exploitation is suspected — the compromise blast radius via CVE-2026-44125 alone reads every credential the appliance stores in cleartext. The Swiss Federal Chancellery ICT security baseline (Sicherheitsstandard IKT des Bundes / ISBB) classifies email-gateway compromise as a Level 3 incident requiring escalation to NCSC-CH within 24 hours; BSI IT-Grundschutz module APP.4.4 brings the same gateway into DACH organisations' ISMS scope.
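An added triage example (not SEPPmail's, NCSC-CH's or the brief's own tooling): it scans constructed JSON-lines access records for the two perimeter checks above, requests to /gina/diag/ or /gina/api/v1/admin/ from outside the designated admin CIDR and a GINA_SESSION cookie carrying a path-traversal value. The record layout, the 10.10.0.0/24 admin CIDR and the sample addresses are assumptions of this example.

```python
import ipaddress
import json
from urllib.parse import unquote, urlsplit

# Paths the brief says to restrict to the designated admin CIDR at WAF/perimeter.
RESTRICTED_PREFIXES = ("/gina/diag/", "/gina/api/v1/admin/")

def is_admin_source(src_ip: str, admin_cidr: str) -> bool:
    """True only when src_ip parses and lies inside the admin network."""
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(admin_cidr, strict=False)
    except ValueError:
        return False  # an unparsable address is never trusted

def cookie_value(cookie_header: str, name: str):
    """Pull one cookie out of a raw Cookie header; None if absent."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def has_traversal(value: str) -> bool:
    """Catch ../ whether raw, URL-encoded or double-encoded."""
    decoded = unquote(unquote(value))
    return "../" in decoded or "..\\" in decoded

def triage(record: dict, admin_cidr: str) -> list:
    """Findings for one record; an empty list means nothing to flag."""
    findings = []
    src = record.get("src_ip", "")
    path = urlsplit(record.get("path", "")).path  # drop the query string
    if path.startswith(RESTRICTED_PREFIXES) and not is_admin_source(src, admin_cidr):
        findings.append(f"restricted path {path} from non-admin source {src}")
    session = cookie_value(record.get("cookie", ""), "GINA_SESSION")
    if session is not None and has_traversal(session):
        findings.append("GINA_SESSION cookie contains path traversal")
    return findings

def scan(lines, admin_cidr: str) -> list:
    """Run triage over JSON-lines records; malformed lines are skipped, not fatal."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings = triage(record, admin_cidr)
        if findings:
            hits.append((lineno, findings))
    return hits

# Constructed sample records (assumed layout, not real traffic); 10.10.0.0/24 is the assumed admin CIDR.
SAMPLE_LOG = """\
{"src_ip": "10.10.0.7", "method": "GET", "path": "/gina/diag/exec?cmd=id", "cookie": ""}
{"src_ip": "203.0.113.9", "method": "GET", "path": "/gina/diag/exec?cmd=id", "cookie": ""}
{"src_ip": "198.51.100.4", "method": "GET", "path": "/gina/api/v1/admin/config", "cookie": ""}
{"src_ip": "198.51.100.4", "method": "GET", "path": "/gina/inbox", "cookie": "GINA_SESSION=..%2F..%2Fuploads%2Fx"}
{"src_ip": "198.51.100.5", "method": "GET", "path": "/gina/inbox", "cookie": "GINA_SESSION=abc123"}
"""
```

Running `scan(SAMPLE_LOG.splitlines(), "10.10.0.0/24")` flags records 2, 3 and 4 and leaves the admin-sourced and ordinary-session records alone.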

Akira ransomware on Groupe 3R — 20 Swiss medical-imaging centres across seven cantons; second cyberattack on the same operator within twelve months

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: Swiss and DACH healthcare operators with internet-exposed Cisco ASA / FTD, Fortinet SSL-VPN, or VMware ESXi management interfaces — Akira's documented edge-device initial-access targets — face the same playbook used here. Groupe 3R confirmed the attack on its own website 2026-04-30, filed a criminal complaint, notified the Federal Office for Cybersecurity (BACS/OFCS), and explicitly stated it will not pay ransom; Akira's leak-site listing on approximately 2026-05-08 claims 48 GB exfiltrated including employee identity documents, patient records, payment information, and signed NDAs (Groupe 3R victim statement, 2026-04-30 · ICTjournal.ch, 2026-05-06 · Blick.ch, 2026-05-07 · daily 2026-05-10).

Groupe 3R (Réseau Radiologique Romand) operates ~20 medical-imaging centres across the seven Swiss cantons listed in the operator statement (Vaud, Valais, Fribourg, Genève, Neuchâtel and Berne, six in Romandie, plus Zürich in German-speaking Switzerland). This is a direct Swiss critical-health-infrastructure incident and the operator's second cyberattack within twelve months (the operator's own statement acknowledges the prior April 2025 incident and says it involved different attackers and methodology). Legacy examination data remains inaccessible at week-end; security for new examination data has been restored on rebuilt infrastructure. Data exfiltration was not confirmed by the victim; Akira's leak-site post asserts 48 GB exfiltrated. Akira's documented playbook against European healthcare and SME targets emphasises edge-device initial access (Cisco ASA/FTD CVEs, Fortinet SSL-VPN CVEs, VMware ESXi authenticated RCE) and intermittent file-encryption to evade EDR file-IO heuristics; observed ATT&CK techniques include T1190, T1133 External Remote Services, T1486 Data Encrypted for Impact, and T1567 Exfiltration Over Web Service. Defenders should re-validate patch state on the edge devices in Akira's standard target list, confirm EDR rules trigger on intermittent-encryption write-skip-write file-IO patterns, and verify radiology-modality VLAN segmentation from corporate Active Directory; PACS/RIS environments tend to co-tenant with Windows file shares, providing trivial east-west reach once an attacker lands. The Akira-as-actor attribution comes from ransomware.live (aggregator), not from the victim or an independent primary; logged with confidence HIGH on incident, MEDIUM on actor.

Akira ransomware — Swiss healthcare case confirmed; broader European playbook unchanged

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: Akira's leak-site listing on Groupe 3R (§ 1) is the operationally specific Swiss-healthcare development this week. The broader Akira playbook (edge-device initial access via Cisco ASA/FTD, Fortinet SSL-VPN, VMware ESXi authenticated RCE; intermittent file-encryption to evade EDR file-IO heuristics) has been documented across European healthcare and SME targeting throughout 2025 and into 2026. No major Akira TTP shift detected in this week's reporting; the operator continues to favour edge-device initial access and double-extortion (encrypt + leak). Outstanding defender question: whether the Groupe 3R "will not pay" public stance changes the operator's posture for repeat victims (3R's prior April 2025 incident is acknowledged in its own statement as having involved different attackers and methodology).

Groupe 3R (Réseau Radiologique Romand) — Akira ransomware claims 48 GB; 20 imaging centres across seven Swiss cantons, second attack in twelve months

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

Akira listed Groupe 3R on its dark-web leak site on approximately 2026-05-08, claiming an attack dated 2026-04-30 and threatening release of 48 GB including employee identity documents (passports, driving licences, national IDs), patient records (addresses, phone numbers, medical data), payment information, and signed NDAs (Groupe 3R victim statement, 2026-04-30 · ICTjournal.ch, 2026-05-06 · Blick.ch, 2026-05-07). Groupe 3R operates 20 medical-imaging centres across seven Romandie cantons (Vaud, Valais, Fribourg, Genève, Neuchâtel, Berne, and a further canton listed in the operator statement), making this a direct Swiss critical-health-infrastructure incident. The operator confirmed the attack publicly via its own website on 2026-04-30, notified the Federal Office for Cybersecurity (BACS/OFCS), filed a criminal complaint, and explicitly stated it will not pay ransom. Legacy examination data remains inaccessible at the time of the public update; security for new examination data has been restored on rebuilt infrastructure. Data exfiltration was not confirmed by the victim; Akira's leak-site post asserts 48 GB exfiltrated. The operator's own statement notes this is its second cyberattack within twelve months and characterises the prior April 2025 incident as having involved different attackers and methodology.

Akira's documented playbook against European healthcare and small-to-mid enterprise targets emphasises edge-device initial access (Cisco ASA / FTD CVEs, Fortinet SSL-VPN CVEs, VMware ESXi authenticated RCE) and intermittent file-encryption to evade EDR file-IO heuristics; ATT&CK techniques observed across recent Akira incidents include T1190 Exploit Public-Facing Application, T1133 External Remote Services, T1486 Data Encrypted for Impact, and T1567 Exfiltration Over Web Service.

Defender takeaway: Swiss and DACH healthcare operators with internet-exposed Cisco ASA/FTD, Fortinet SSL-VPN, or VMware ESXi management interfaces should validate that all 2025–2026 Akira-targeted CVEs are patched, that EDR rules trigger on intermittent-encryption file-IO patterns (write-then-skip-then-write of fixed-block ranges), and that radiology-modality VLANs are network-segmented from corporate AD; PACS/RIS environments tend to co-tenant with Windows file shares, providing trivial east-west reach once an attacker lands. Imaging operators that depend on a single ransomware-targeted partner should review business-continuity arrangements: this is the second 3R outage inside a year and referrers will already have continuity questions.

Swiss and DACH Deployment Context

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

SEPPmail is the market-leader for cryptographic email processing in the Swiss public sector. The primary driver is cantonal administrative requirements under the Federal Act on Data Protection (nFADP/DSG, effective 1 September 2023) and cantonal healthcare data legislation mandating encrypted transmission of personal health information. NCSC-CH advisory 12551 was published in response to this cluster; any Swiss federal body, cantonal administration, or healthcare provider running SEPPmail should treat this as a mandatory same-day response event. The Swiss Federal Chancellery's ICT security baseline for federal agencies (Sicherheitsstandard IKT des Bundes, ISBB) classifies email gateway compromise as a Level 3 incident requiring escalation to NCSC-CH within 24 hours.

For DACH-region organisations: BSI IT-Grundschutz includes email encryption gateways in the APP.4.4 component scope; a known RCE cluster in such a gateway qualifies for an extraordinary IT-Grundschutz gap notification under ISMS procedures.