Executive Summary
The Swiss Federal Office of Cybersecurity (BACS) published its semi-annual report for the second half of 2025 on March 30, 2026. Switzerland's cyber threat situation remains at a high level, with attacks increasingly individualized and optimized using Artificial Intelligence. Since April 1, 2025, operators of critical infrastructure must report cyberattacks within 24 hours – to date, 325 reports have been received, of which 145 were submitted during the reporting period. New attack forms such as SMS-blasters and compromised open-source components further aggravate the threat situation.
Persons
- Federal Office of Cybersecurity (BACS) (Swiss Authority)
Topics
- Cybersecurity
- Critical Infrastructure
- Ransomware and Data Extortion
- Artificial Intelligence in Cyberattacks
- Open-Source Software Security
Clarus Lead
Switzerland's cyber threat situation shows a shift from volume to precision: attackers use AI and local market knowledge to select victims more deliberately. With the new mandatory reporting requirement for critical infrastructure since April 2025, Switzerland gains complete transparency on actual attack intensity for the first time – 325 reported incidents indicate systematic risk requiring governance and international cooperation. The threat transcends organizational and national boundaries, which is why individual national measures reach their limits.
Detailed Summary
Cyber threats against Switzerland have changed qualitatively. Perpetrators use voice phishing and real-time phishing combined with fraudulent search engine advertisements to lure users to fake websites. Locally tailored lures are particularly effective – for example, well-known retailer loyalty programs used as bait. From summer 2025 onwards, a new technology emerged: SMS-blaster devices that simulate mobile phone antennas and send short messages directly to nearby devices, bypassing the filtering systems of telecommunications providers.
Ransomware remains a central threat. In the second half of 2025, 57 ransomware incidents involving data extortion were reported. The Akira group intensified its activities by exploiting vulnerabilities in SonicWall devices. A critical factor: security updates for a vulnerability already known in 2024 were not implemented across the board, creating additional attack surfaces.
A new focus lies on supply chain attacks. Cybercriminals no longer only exploit individual vulnerabilities but also compromise established open-source software (OSS) components on which modern applications are built. Because a single component is reused by many applications, such systemic gaps can have far-reaching impacts. In parallel, more ORB networks (Operational Relay Boxes) were identified in Switzerland – IoT devices, servers, and routers infected with malware that are remotely controlled by attackers and sometimes rented out to third parties.
The mandatory reporting requirement for critical infrastructure revealed the actual attack landscape: 325 reports since April 2025 (145 in H2 2025). Hacking incidents dominate at 20%, followed by DDoS attacks (16%). Most reports come from public administration (25%), IT/telecommunications (18%), and the financial sector (15.7%).
Key Statements
- Cyber threats become more precise and harder to defend against through AI-driven individualization
- New attack forms (SMS-blasters, OSS compromise, ORB networks) require technical and organizational adaptations
- Mandatory reporting for critical infrastructure creates complete transparency on attack volume and patterns for the first time
- Supply chain security has become a key factor; unapplied patches increase risk exponentially
- Cybersecurity is a whole-of-society task requiring national and international cooperation
Critical Questions
Evidence: How were the 325 reports validated and categorized? What quality control mechanisms does BACS employ to exclude duplicate reports or misclassifications?
Conflicts of Interest: To what extent could the 24-hour mandatory reporting requirement prompt operators to fragment or downplay incidents to avoid escalation cascades?
Causality: The report attributes the increase in ransomware attacks to insufficient patch management. Is there evidence that comprehensive patching would actually reduce Akira activities, or are other factors (e.g., attacker resources) more decisive?
Alternatives: Why are open-source components compromised more frequently than proprietary software? Is this due to better visibility or weaker governance in OSS projects?
Feasibility: How can small and medium-sized enterprises (SMEs) in critical infrastructure technically and economically meet the requirement to prevent ORB network infiltration if device updates are costly?
Geopolitics: The report mentions a "tense geopolitical environment" but classifies Switzerland's threat situation as "relatively stable." Which state actors are responsible for the 325 reports, and do their tactics differ from those of criminal groups?
Governance: What specific governance structures does BACS propose to improve coordination between the state, business, and society?
Source Directory
Primary Source: Federal Office of Cybersecurity (BACS): Semi-Annual Report on Switzerland's Cyber Threat Situation H2 2025 – https://www.news.admin.ch/de/newnsb/1qIx-8jjt9q5-qfFKHqCS
Verification Status: ✓ 30.03.2026
This text was created with the support of an AI model. Editorial Responsibility: clarus.news | Fact-Check: 30.03.2026