Cyberthreat level remains high – attacks becoming more targeted and complex
Bern, 30.03.2026 — The semi-annual report published today by the National Cyber Security Centre (NCSC) outlines the relevant incidents and developments relating to cyberthreats against Switzerland and internationally in the second half of 2025. Alongside voluntary reports of cyber incidents, the report presents reportable cyberattacks against critical infrastructure for the first time. Such attacks have been subject to mandatory reporting since 1 April 2025. Although the number of voluntary reports has remained stable at a high level, the nature of these incidents is evolving and becoming more targeted. Effective protection requires close cooperation between government, businesses and society at both national and international levels.
The semi-annual report published today by the NCSC reveals that threat actors operating on a global scale are increasingly tailoring their attacks, in some cases using artificial intelligence (AI). During the second half of 2025, the NCSC once again observed widespread voice phishing (‘vishing’) and real-time phishing campaigns. Cybercriminals combined these with fraudulent search engine advertisements to direct victims to fake websites. In many cases, the perpetrators exploit Swiss-specific features – for example by using well-known loyalty programmes run by major retailers as a pretext. From summer 2025 onwards, ‘SMS blasters’ were also observed in Switzerland for the first time. These devices simulate mobile network antennas, enabling attackers to bypass the filtering systems used by telecommunications providers and send malicious text messages directly to nearby mobile phones.
Ransomware remains a constant threat
Ransomware and the associated data extortion continue to pose a serious threat to Swiss organisations. A total of 57 such incidents were reported in the second half of 2025. The Akira group stood out in particular, with its activities intensifying further during the reporting period. One key factor was the exploitation of vulnerabilities in SonicWall-manufactured devices. Security updates addressing a vulnerability that had already been disclosed in 2024 were not consistently implemented by all affected organisations, creating additional opportunities for attack.
Attacks on international software supply chains
During the reporting period, attacks targeting international software supply chains were observed more frequently. In addition to exploiting vulnerabilities, cybercriminals increasingly compromised widely used and established components of open-source software (OSS). As modern applications rely on numerous OSS components, vulnerabilities in these components can have wide-ranging and systemic consequences. These complex technical dependencies significantly increase the risk of large-scale security incidents.
Covert ORB networks also identified in Switzerland
Covert Operational Relay Box (ORB) networks are also increasingly being identified in Switzerland. These networks consist of internet-connected devices infected with malware, including Internet of Things (IoT) devices, servers, and routers, which are remotely controlled by attackers. In some cases, they are rented out to third parties. Such infrastructures serve as launching points for further attacks and undermine the privacy of the affected owners. Consistently updating and securing devices exposed to the internet is essential to prevent the formation of such networks.
145 reportable incidents in the second half of 2025
Since 1 April 2025, operators of critical infrastructure have been required to report cyberattacks to the NCSC within 24 hours. Since then, the NCSC has received 325 reports, 145 of which were received in the second half of 2025. Most reports came from the public administration sector (25%), companies in the IT and telecommunications sector (18%), and banks and insurance companies (15.7%). The most commonly reported types of attack were hacking incidents (20%) and DDoS attacks (16%), followed by the theft of access credentials (12%), malware (10%), data exfiltration (10%), and ransomware (9%).
Increasing focus on digital dependencies
Analysis of the incidents clearly shows that cyberattacks exploit digital dependencies and cross organisational, sectoral and national boundaries. Cybersecurity is therefore a matter that concerns society as a whole. Despite an increasingly tense geopolitical environment, the overall cyberthreat level for Switzerland remains relatively stable, and cyber resilience can largely be considered robust. Clear governance structures, effective response and recovery processes, and close national and international cooperation between government, business and society are essential to respond effectively to this dynamic situation.
