ELCA rapidly responded to the challenge of a severe cyber-attack, proving the company’s high level of expertise in this area.

One of our customers became the victim of a cyber-attack apparently conducted by a nation-state actor. The attack took place shortly before Christmas 2017 and – inter alia – exploited a vulnerability in the ELCARD solution.

Monday, December 18th, evening: the customer contacted the ELCARD team to report abnormal activity related to a user’s remote access point and asked for an investigation. A detailed log inspection revealed an attack pattern taking advantage of a security vulnerability in the ELCARD software. An attacker possessing a valid account login and password for the target system could exploit the vulnerability. The attacker would be able to impersonate the legitimate user by adding a controlled mobile device to the list of valid multi-factor devices. The ELCARD team provided a workaround to the customer 2 hours after the incident was reported to them.

Tuesday, December 19th, morning: a script was elaborated and run to identify potential compromised accounts at other customers. Where needed, we assisted customers in blocking compromised accounts. At the same time a security patch was released to be applied and fix the vulnerability. 18 hours had passed since the reporting of the incident.

Wednesday, December 20th: the patch was installed on every system under ELCA’s control and our entire customer base received a communication concerning the attack and the patch. We provided a comprehensive security advisory, together with the security patch and attack detection script. We also offered individual support whenever needed.

Friday, December 22nd:  MELANI, the Swiss Reporting and Analysis Centre for Information Assurance, relayed ELCA’s security advisory to its constituents, the National Critical Infrastructures. The forensic analysis conducted on the systems hosted by ELCA, and on any customer systems on request, confirmed no other exploit instances.

Next step: In addition to a public statement, a security advisory concerning the bug will be made public once all customers have successfully mitigated the attack by installing the provided patch or applying the recommended workarounds.