Whoever uses the same password more than once, helps attackers

Berne, 08.11.2018 - The 27th semi-annual report of the Reporting and Analysis Centre for Information Assurance (MELANI), published on 8 November 2018, addresses the most important cyber incidents of the first half of 2018 both in Switzerland and abroad. The key topic is dedicated to the vulnerabilities in hardware. The focus is also on targeted malware attacks, for which the name of the Spiez Laboratory was misused, as well as various data leaks and the problem of multiple use of a password.

Vulnerabilities in hardware components represent a particular type of threat. These vulnerabilities cannot be remedied with a simple update, as is possible with software vulnerabilities. Moreover, a complete replacement of hardware components would present manufacturers with major logistical problems. The focus of this semi-annual report deals with the particular challenges posed by hardware vulnerabilities.

The problem of passwords used more than once on the internet

Many users still use the same password for several online services such as webmail, e-banking and online shops. This is a welcome simplification for criminals and enables them to systematically use the collected login data from the various data leaks from a wide range of internet service providers. In one case, attackers attempted to log into the user accounts of an online portal with almost one million such stolen login combinations compiled from various sources.

Misuse of Spiez Laboratory for espionage campaign

In the summer of 2018, the name of the Spiez Laboratory was misused to plan an espionage attack against third parties. The attackers used a document published on the internet with which the Spiez Laboratory had sent out invitations to an international conference. This was copied, infected with malware and sent to the victims. The Spiez Laboratory itself was not attacked.

The use of data in attacks

Unwanted data leaks are occurring more and more frequently. Switzerland is not spared from this either. Cyber criminals are very diverse and innovative in the use of such data. A direct way to make money out of data leaks is to blackmail the company directly where the data leak occurred. Personalised emails can also be generated with stolen data, which significantly increase the success rate of phishing emails compared to mass emails. It is therefore to be expected that criminals will increasingly choose this approach in the future.

Address for enquiries

Max Klaus, Deputy Head of the Reporting and Analysis Centre for Information Assurance MELANI, Federal IT Steering Unit FITSU
Tel. 058 463 45 07


Federal IT Steering Unit (ab 01.01.2021: Digitale Transformation und IKT-Lenkung)

General Secretariat DDPS