In theory, anyone can be affected, from a club or association’s website to an SME’s online shop or even a large corporation’s internet presence. It’s often impossible to say just why someone’s website has become the target of a hack. Attacks are rarely personal attacks against the website operator, but rather are carried out because the targets are particularly vulnerable to an attack. Attackers scour the internet systematically and often automatically for pages with security holes or vulnerabilities. This helps to identify the easiest or most lucrative targets.
Hacking attacks can have potentially fatal consequences. There are cases in which companies have suffered major financial losses, including bankruptcy. In the case of private individuals, attacks can range from public exposure all the way to existential damage.
Not all hacking is the same
First of all, it must be said that the term “hacking” can have different meanings. One “hacker” isn’t necessarily like every other hacker. Public perception is strongly influenced by all-too-frequent popular culture stereotype of the hacker holed up in a basement somewhere in dark clothes, hood and sunglasses, wildly typing away on a keyboard. In reality, hacking culture in the community of programmers and IT specialists is quite complex. For example, there are professional cyber-security hackers who work to uncover vulnerabilities before criminals do (“white hat hackers”).
But we would like to look at the more dubious, criminally motivated hacking that targets websites. Here, too, there are different approaches. Not every hacking attack has the same objective and unfolds in exactly the same way.
In many cases, websites are hacked for the sole purpose of sending spam, launching DDoS attacks (distributed-denial-of-service) or phishing. In other cases, attackers hide malicious software on the website in order to distribute it to unsuspecting website visitors. Unfortunately, hacking that focuses on procuring sensitive data and then reselling it illegally (e.g. via the dark web) is also widespread.
There are also a number of other forms of website hacking. The website may be deliberately altered for propaganda purposes, as a demonstration of power, for fun or other reasons (defacement). This was particularly true in the past, when hacking was not yet criminally monetizable. But this is simply not lucrative for professional organized cybercrime gangs.
The criminal hacking of Swiss websites constitutes at least one of the following three criminal offenses set out in the Swiss Criminal Code (SCC):
- Unauthorized obtaining of data (Art. 143)
- Unauthorized access to a data processing system (Art. 143bis)
- Damage to data (Art. 144bis)
Other criminal offenses, such as fraud (Art. 146 StGB), extortion (Art. 156 StGB) and money laundering (Art. 305bis StGB), are also not uncommon in hacking attacks.
Hacking attacks in Switzerland: The numbers are on the rise
In 2021, the police crime statistics of the Federal Statistical Office recorded a total of 1,950 cases that fell into the category of one of these three criminal offenses and clearly took place in “cyber mode” – i.e. digitally.
|Criminal offense||Total||including a cyber modus||Proportion|
|Unauthorised obtaining of data (Art. 143)||988||713||72.2%|
|Unauthorised access to a data processing system (Art. 143bis)||805||551||68.4%|
|Damage to data (Art. 144bis)||756||686||90.7%|
Number of criminal offenses related to hacking in 2021. Condensed data based on police crime statistics 2021 (source: bfs.admin.ch)
One highly regarded study conducted by the American cyber intelligence firm Recorded Future, commissioned by Beobachter and published in October 2021 (in German), even mentions 4,799 hacking attacks on Swiss IP addresses in the past five years. According to the study, more than half of these cases occurred between August 2020 and August 2021 alone.
However, according to the experts, these were only cases in which data was stolen and then sold on the dark web. When it comes to ransom extortion, many companies simply pay the amount demanded. Such cases are therefore hard to track or estimate in numbers.
In a recent post (in German), the news platform watson.ch published a chronological list of hacking cases that affected Swiss companies and municipalities in 2021. According to watson.ch, there have already been numerous other hacking attacks on companies and authorities in Switzerland this year.
What do the attackers want and how do they go about getting it?
But what are the attackers’ goals when they attack a website? The goal when spreading malware or phishing is to keep the hacking attack from being noticed for as long as possible in order to do as much damage as possible. Smaller websites are suitable targets for attacks because they often have fewer or weaker security measures in place, attacks are less conspicuous and criminal activities remain undetected for longer. This often involves installing “web shells” on the hacked websites, frequently allowing attackers to go unnoticed and gain access to all sorts of systems in the victim’s network for extended periods of time.
Unfortunately, outdated plug-ins or themes are quite frequently exploited as entry points. If these plug-ins and themes are not regularly updated, they can sometimes offer a perfect gateway for attackers. But plug-ins and themes aren’t the only critical elements. In rare cases, even an outdated core version of the content management system (CMS) can create the vulnerability if security-relevant updates are not installed or the outdated versions remain on the web servers as would-be backups.
What are the authorities doing about it?
In the case of cyberattacks such as hacking, law enforcement often faces major hurdles, as it is often very difficult to track down the attackers. However, many police forces and federal authorities have specialized cybercrime departments and actively and meticulously investigate suspected cases.
The National Cyber Security Centre (NCSC) serves as the federal government’s point of contact and competence center for cybersecurity. The NCSC – formerly known as MELANI – is responsible for implementing the National strategy for the protection of Switzerland against cyber risks.
The Federal Council recently began consultation proceedings that include plans for a legal duty to report cyberattacks. According to the draft law, cyberattacks that have significant potential for damage should be reported to the NCSC. The federal government has also committed itself to providing support. The NCSC exists to inform and raise public awareness of threats and, where necessary, assist affected operators of critical infrastructures in combating cyberattacks.
The best protection against hacking is regular updates and maintenance
Public awareness of cybercrime and hacking in particular has certainly increased in recent years, and internet users are fortunately becoming increasingly cautious. Unfortunately though, all too often users themselves must fall victim to an attack before they become aware of the real threat. In addition, there are still many website operators, webmasters, web designers and web agencies with a false sense of security. Once they are done building their new website, many people subsequently neglect the issue of maintenance and security. However, you should be aware of your own website’s security from day one.
You can find helpful information and tips on how to prevent hacking attacks on your website in the first part of our series of articles on the topic or in our Support Center and on the websites of the National Cyber Security Centre (NCSC), the Swiss Crime Prevention (SKP) or the Swiss Internet Security Alliance (iBarry).
You can report hacking incidents via the NCSC by going to the following web address: https://www.report.ncsc.admin.ch/en/