When Defense in Depth Fails: The RUAG-Akira Incident and What It Reveals About Cybersecurity's Most Dangerous Assumption
A Swiss Defense Contractor Pays Ransom. The Question Is Not Whether It Should Have — It Is How Akira Got In.
Analysis | June 2026
The Incident
On June 7, 2026, Switzerland woke up to an uncomfortable headline: RUAG, the Swiss federal defense technology company and one of the country's most strategically sensitive enterprises, had paid a ransom to a criminal hacking group. The admission came from Jürg Rötheli, chairman of RUAG's Board of Directors, speaking on Swiss public radio SRF's Samstagsrundschau. "We paid a small amount and fortunately got all the data back," Rötheli said, declining to specify the exact figure. Reports in Swiss IT trade publications subsequently identified the payment as a figure in the low six-digit range, denominated in what remains undisclosed — likely cryptocurrency.
The payment directly contradicted official Swiss government guidance. The Federal Office for Cybersecurity (FOCBS) generally advises against paying ransoms to cyber criminals, warning that such payments encourage further attacks and contribute to the financing of criminal activities. The Swiss Department of Defense (VBS) declined to comment but confirmed it had not been informed of the payment in advance.
The political fallout was immediate. SVP National Councillor and IT entrepreneur Mauro Tuena described the decision as devastating: the Akira group now knows that the Swiss Confederation is willing to pay, which sends a catastrophic signal. RUAG, for its part, defended the decision, arguing that it was correct because all data was recovered and damages were minimized.
Both positions are coherent. Both also miss the more important question: how did Akira get in?
The Target: What RUAG Is, and Why It Matters
RUAG is not a conventional defense company. It is wholly owned by the Swiss Confederation and operates as both an industrial maintenance provider and a supplier to the Swiss Armed Forces. Its subsidiary Mecanex USA — formally registered as RUAG LLC in the state of Virginia — employs a small team whose function is to manage communication with American institutions, suppliers, and partner companies. That footprint is small in headcount but enormous in sensitivity: RUAG's broader operations encompass maintenance and overhaul of military aircraft, armaments, electronic warfare systems, and space technology.
This matters because of what Akira reportedly exfiltrated. The perpetrators stated on the darknet that they copied approximately 24 gigabytes of data, said to contain social security numbers, IDs, driver's licenses, phone numbers, and addresses of employees. In addition, secret military information as well as contracts and instructions for handling explosives are reportedly included.
The breach is not, therefore, merely a corporate IT incident. It involves potential exposure of classified defense procurement documentation, personnel data of individuals with security clearances, and technical materials whose dissemination could have operational security implications for both Switzerland and its US defense relationships. Whether Akira — a financially motivated criminal group — chooses to weaponize or sell that information to state actors is a second-order risk that RUAG's ransom payment does not eliminate.
Critically, this is not RUAG's first serious cyber incident. In 2017, Federal Councillor Guy Parmelin issued a cyber defense action plan specifically in response to a cyber attack on RUAG, creating the Swiss Cyber-Defence Campus to improve national cyber defenses. That prior breach involved suspected Russian state-sponsored actors and lasted for years undetected. The fact that RUAG was struck again — via a subsidiary's VPN infrastructure — raises systemic questions about whether post-2016 reforms were applied consistently across the entire corporate perimeter, including overseas subsidiaries.
The Attacker: Who Is Akira?
The Akira ransomware group emerged publicly in 2023 and has since grown into one of the most technically capable and operationally aggressive threat actors in the ransomware ecosystem. Unlike many other groups, which limit themselves to stealing data and extorting a ransom for non-publication, Akira also encrypts victims' data, making recovery without a decryption key impossible. This "double extortion" model — steal, then encrypt, then demand — is designed to foreclose all paths to recovery except payment or surrender of the data.
By late October 2024, the Federal Office for Civil Protection reported that 200 companies in Switzerland had already fallen victim to Akira ransomware, with damage across the country already amounting to several million Swiss francs. The Swiss Federal Prosecutor's Office had been conducting criminal proceedings against persons unknown since April 2024.
Akira's global victimology is broad. The group has compromised healthcare systems, manufacturing firms, legal services companies, and now defense contractors across North America and Europe. Akira listed the RUAG LLC breach on its darknet blog in early November 2025 — the standard public pressure tactic used to accelerate ransom payment by threatening imminent data publication.
The Attack Vector: How Akira Defeats Defense in Depth
This is where the technical analysis becomes significant — and where the RUAG incident illuminates a broader systemic problem in enterprise cybersecurity architecture.
The SonicWall Vulnerability Chain
Most recently, Akira was observed at the end of 2025 pushing ransomware onto SonicWall firewalls, despite multi-factor authentication being enabled. This detail is not incidental — it describes the precise attack vector that security researchers had been tracking since July 2025 and that appears consistent with the timeline of the Mecanex USA breach in early November 2025.
The attack chain works as follows:
Since July 2025, Akira ransomware has exploited SonicWall SSL VPNs, likely using credentials obtained from the exploitation of CVE-2024-40766, which enables malicious logins and firewall crashes. Crucially, threat actors successfully bypassed accounts with one-time password (OTP) multi-factor authentication functionality enabled.
Arctic Wolf Labs first detected the surge in late July 2025, when they observed suspicious login activity on SonicWall SSL VPNs followed almost immediately by internal network scanning and ransomware deployment. The campaign spanned multiple industry sectors and organization sizes, suggesting opportunistic mass exploitation.
The speed of the attack is staggering. Malicious VPN logins were followed within minutes by port scanning, Impacket SMB activity — used for lateral movement across Windows networks — and rapid deployment of Akira ransomware. Some encryption ran in as little as 55 minutes; most intrusions reached full encryption in under four hours.
Before deploying ransomware, the attackers staged data by collecting selected files — Office documents, database exports — using WinRAR with command-line parameters that filtered for and archived only the targeted file types. They then transferred the archives using rclone or SFTP, typically via FileZilla.
This is a highly disciplined, professionally organized kill chain. There is no dwell time for defenders to exploit. The window between initial access and full encryption closes in hours.
Defense in Depth: What It Promises and What It Delivered
RUAG, as a Swiss federal defense contractor with a subsidiary in the United States, is subject to multiple overlapping cybersecurity frameworks. These include:
ISO/IEC 27001 — the internationally recognized Information Security Management System standard, almost certainly required for a federal defense supplier. ISO 27001 mandates a structured ISMS encompassing risk assessment, access control, asset management, and incident response.
NIST Cybersecurity Framework (CSF) 2.0 — the primary framework for US government contractors. The NIST CSF structures protective measures across five core functions: Identify, Protect, Detect, Respond, and Recover, reinforcing a layered security approach. For a US subsidiary communicating with American military institutions, NIST CSF alignment is effectively mandatory.
CMMC (Cybersecurity Maturity Model Certification) — required for organizations working with the US Department of Defense. Organizations must implement controls that actively protect systems and demonstrate they are enforced consistently across endpoints, users, and environments. RUAG LLC's function — maintaining communication with American defense institutions — would place it firmly within CMMC scope.
Defense in Depth (DiD) — defined by the NSA and DoD as an information security strategy that integrates people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. The principle holds that no single control can be relied upon; multiple overlapping layers mean that the failure of one does not mean systemic compromise.
Defense in Depth, correctly implemented, should have caught Akira. So how did it fail?
How Defense in Depth Went Wrong: Seven Failure Modes
The RUAG incident illustrates a set of failure modes that are disturbingly common across organizations that have, on paper, sophisticated cybersecurity architectures.
1. The Perimeter Device as the First and Last Line of Defense
The most damaging assumption in enterprise security is that a hardened perimeter device — in this case, a SonicWall SSL VPN appliance — constitutes sufficient boundary protection. SonicWall devices are widely deployed and generally well-regarded. But despite SonicWall releasing updates to harden against brute force and MFA attacks, intrusions continued even on patched devices. CVE-2024-40766 — the vulnerability that enabled credential harvesting — had existed in the wild for months before the RUAG breach.
The Defense in Depth principle explicitly holds that perimeter controls should be one layer, not the only layer. When attackers bypass the perimeter via a legitimate-looking VPN login, everything behind that perimeter — if insufficiently segmented — becomes accessible.
2. MFA That Is Not Actually Multi-Factor
RUAG's SonicWall appliance had MFA enabled. Akira bypassed it anyway. Attackers demonstrated an unsettling ability to bypass one-time password multi-factor authentication, moving laterally through compromised networks in minutes. The exact mechanism — whether session token theft, SIM-swapping of mobile OTP delivery, credential stuffing from prior breach data, or exploitation of an authentication bypass — was not publicly disclosed. But the outcome is clear: MFA configured as a VPN gateway control, without deeper verification mechanisms, did not hold.
This exposes a critical gap in how organizations implement MFA. Checking a one-time password at the VPN gateway is not the same as continuous authentication verification throughout a session. Once inside the VPN tunnel, Akira operated freely. A zero-trust architecture — which requires re-authentication and authorization for every resource access, not just network entry — would have constrained lateral movement even after VPN bypass.
3. Flat or Insufficiently Segmented Networks
Malicious logins were followed within minutes by port scanning and Impacket SMB activity. Impacket is an open-source toolkit for programmatic interaction with network protocols — a standard offensive tool for lateral movement in Windows domain environments. The speed with which Akira moved from VPN access to domain-wide scanning implies that the internal network at Mecanex USA was either flat (all resources on a single network segment) or insufficiently micro-segmented.
Proper Defense in Depth mandates network segmentation: separating sensitive systems (document repositories containing defense contracts, personnel databases, explosive handling instructions) from general office infrastructure, with enforced access controls between segments. If Akira could reach 24 GB of sensitive data from a VPN entry point, the data was not adequately segregated from general network access.
4. Subsidiary Security as a Blind Spot
RUAG's parent company confirmed that the breach was isolated to RUAG LLC and did not affect Swiss systems. This containment is a genuine Defense in Depth success — the segmentation between the US subsidiary and the Swiss parent held. But the breach of the subsidiary itself reflects a chronic problem in multinational organizations: subsidiaries are frequently held to lower security standards than headquarters.
RUAG LLC employs eight people in Virginia. It is small, operationally dependent on the parent, and unlikely to have had a dedicated CISO or independent cybersecurity function. Its IT infrastructure — including the SonicWall appliance — may not have been subject to the same rigorous patch management, configuration review, and penetration testing as the Swiss parent's systems. The weakest link in any organization's security chain is often its smallest, least-scrutinized entity.
5. Patch Management Latency
Akira exploited credentials likely obtained from CVE-2024-40766 — a vulnerability that enables malicious logins and firewall crashes. This CVE was assigned and disclosed in 2024. The RUAG breach occurred in November 2025 — over a year after the vulnerability was publicly known. If the Mecanex USA SonicWall appliance was running firmware vulnerable to CVE-2024-40766 at the time of compromise, this represents a patch management failure of extraordinary duration for a defense contractor.
The Defense in Depth framework explicitly includes vulnerability management as a core control. NIST CSF's "Protect" function requires timely application of patches to known vulnerabilities. CMMC Level 2 mandates systematic vulnerability remediation. That a VPN appliance serving a US defense-connected subsidiary remained unpatched against a known critical vulnerability a year after disclosure represents either a governance failure or a visibility gap in which the subsidiary's devices were not included in the parent company's vulnerability scanning program.
6. Detection and Response Velocity
From unauthorized VPN access to full data exfiltration and ransomware deployment, Akira's intrusions completed in four hours or less. This places extraordinary demands on detection and response capabilities. NIST CSF's "Detect" function requires continuous monitoring sufficient to identify anomalous behavior; the "Respond" function requires the capacity to contain incidents before they reach destructive stages.
A four-hour window demands automated detection and automated containment. Human-in-the-loop SOC processes — where an analyst reviews an alert, escalates to a team lead, convenes an incident response call, and authorizes isolation — cannot keep pace with an attack that completes in the time it takes to have that call. The absence of automated network isolation triggered by anomalous port scanning and SMB activity appears to have allowed Akira to move from initial access to data exfiltration without interruption.
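As an added illustration, not code from the original analysis or from Arctic Wolf's advisory, the following Python sketch correlates the kill chain described under "The SonicWall Vulnerability Chain" (a VPN login followed within minutes by port scanning, SMB fan-out and filtered WinRAR staging) into the kind of automated isolation decision this section argues for. The log layout, field names and sample lines are constructed for the example; the four-hour session window, the five-minute fan-out window and the three-host threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real RUAG or Arctic Wolf data. The layout
# "<ISO time> <source> <event> key=value ..." is an assumption for this example.
SAMPLE_LOG = """\
2025-11-02T01:14:07 vpn login user=jdoe src_ip=203.0.113.45 assigned_ip=10.10.5.23 mfa=otp_ok
2025-11-02T01:16:40 ids portscan src=10.10.5.23 ports=200 window=30s
2025-11-02T01:19:02 winevt smb_session src=10.10.5.23 dst=10.10.1.11 share=ADMIN$
2025-11-02T01:19:05 winevt smb_session src=10.10.5.23 dst=10.10.1.12 share=ADMIN$
2025-11-02T01:19:06 winevt smb_session src=10.10.5.23 dst=10.10.1.13 share=ADMIN$
2025-11-02T01:31:50 edr process host=10.10.5.23 image=WinRAR.exe args=a,-r,-n*.docx,-n*.xlsx,staging.rar
2025-11-02T08:02:11 vpn login user=asmith src_ip=198.51.100.7 assigned_ip=10.10.5.40 mfa=otp_ok
2025-11-02T08:45:00 winevt smb_session src=10.10.5.40 dst=10.10.1.20 share=Projects
"""
ALERT_WINDOW = timedelta(hours=4)      # the text: full encryption in under four hours
FANOUT_WINDOW = timedelta(minutes=5)   # SMB fan-out: several hosts in one short burst
FANOUT_HOSTS = 3

def parse_event(line):
    """One line of the constructed layout -> dict; 'ts' becomes a datetime."""
    ts, source, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv if "=" in p)
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event, **fields}

def parse_log(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]

def session_stages(login, events):
    """Kill-chain stages seen from the session's assigned IP within ALERT_WINDOW."""
    ip, deadline = login["assigned_ip"], login["ts"] + ALERT_WINDOW
    mine = [e for e in events if login["ts"] < e["ts"] <= deadline
            and ip in (e.get("src"), e.get("host"))]
    stages = {}
    for e in mine:
        if e["event"] == "portscan":
            stages.setdefault("portscan", e["ts"])
        # WinRAR with -n include-only filters: selective staging flagged on behaviour.
        elif (e["event"] == "process" and "winrar" in e.get("image", "").lower()
              and "-n*." in e.get("args", "")):
            stages.setdefault("archiving", e["ts"])
    smb = [e for e in mine if e["event"] == "smb_session"]
    for i, first in enumerate(smb):
        burst = {x["dst"] for x in smb[i:] if x["ts"] - first["ts"] <= FANOUT_WINDOW}
        if len(burst) >= FANOUT_HOSTS:
            stages.setdefault("smb_fanout", first["ts"])
            break
    return stages

def triage(text):
    """One verdict per VPN login; isolate on scan + SMB fan-out, before archiving."""
    events = parse_log(text)
    verdicts = []
    for login in (e for e in events if e["event"] == "login"):
        stages = session_stages(login, events)
        isolate = {"portscan", "smb_fanout"} <= set(stages)
        trigger = max(stages["portscan"], stages["smb_fanout"]) if isolate else None
        minutes = int((trigger - login["ts"]).total_seconds() // 60) if isolate else None
        verdicts.append({"user": login["user"], "stages": sorted(stages),
                         "isolate": isolate, "minutes_to_trigger": minutes})
    return verdicts
```

Running triage(SAMPLE_LOG) isolates the first session about four minutes after login, before the archiving stage is even reached, and leaves the second session, a single share access with no scan, untouched.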
7. The Ransom Payment Decision: What It Reveals
RUAG's decision to pay — described by its chairman as recovering "all the data" — contains an important and dangerous assumption: that the decryption key provided after payment is genuine and that no copies of the exfiltrated data were retained. Neither is guaranteed. Ransomware groups routinely retain copies of stolen data regardless of payment; the ransom covers the decryption key and (nominally) the promise not to publish. Whether Akira honors that promise — and whether the 24 GB of sensitive defense and personnel data now sits in a secondary archive accessible to state-sponsored buyers — is entirely outside RUAG's control.
The political signal is equally damaging. The Akira group now knows the Swiss Confederation is willing to pay, making every other Swiss federal entity — and potentially every other NATO-adjacent defense supplier — a more attractive target.
What a Resilient Architecture Would Have Required
The RUAG incident is not evidence that Defense in Depth is a failed concept. It is evidence of Defense in Depth implemented without its most critical properties: breadth (covering all entities including subsidiaries), depth (multiple independent controls at each layer), velocity (automated detection and response), and testing (regular red team exercises validating that the architecture performs as designed).
A resilient architecture for RUAG LLC would have required:
Zero-Trust Network Access (ZTNA) replacing VPN-based perimeter authentication. ZTNA validates identity, device health, and context for every resource request — not just at network entry. Even with VPN bypass, an attacker would face per-resource re-authentication barriers.
Endpoint Detection and Response (EDR) with behavioral analytics, capable of flagging Impacket SMB activity and anomalous file archiving (WinRAR with command-line parameters harvesting specific file types) as malicious even without a signature match.
Immutable, air-gapped backups of sensitive data, ensuring that even total encryption of production systems does not eliminate data recovery options — removing the leverage that makes ransomware payments rational.
Micro-segmentation of sensitive document repositories and personnel data, requiring explicit authorization for any user or process to access materials designated as sensitive defense information.
Continuous vulnerability scanning covering all entities within the corporate perimeter, including overseas subsidiaries, with automated escalation for unpatched critical CVEs.
Subsidiary security parity requirements embedded in RUAG's group-wide Information Security Management System, ensuring that RUAG LLC's eight-person Virginia office was held to the same patch cadence and control requirements as Bern headquarters.
The Systemic Lesson
The RUAG-Akira incident is not an outlier. It is a template. Defense contractors across Europe and North America are discovering that their primary perimeters — however robustly designed — are compromised at the subsidiary, the third-party supplier, the remote worker's VPN client, the legacy appliance that never got the update. Akira's SonicWall campaign was, by Arctic Wolf's assessment, opportunistic mass exploitation — the group was not specifically targeting RUAG. Mecanex USA's vulnerable VPN gateway was one of hundreds or thousands swept up in a broad campaign.
That is the nature of the modern threat environment. Attacks are not targeted; they are at-scale. The perimeter device that shipped with a configuration vulnerability and was never patched is a door left open in a neighborhood where automated burglars test every door every night.
Defense in Depth was designed for exactly this environment. The tragedy of RUAG is not that the framework failed — it is that the framework was never fully deployed.
Sources: Heise Online; SWI Swissinfo; Swiss IT Magazine; RUAG Official Statement, November 4, 2025; Arctic Wolf Labs Advisory, September 2025; LogPoint Analysis; Help Net Security; BankInfoSecurity; Bitsight; Wikipedia — Cyber-Defence Campus; NIST Cybersecurity Framework 2.0; ThreatLocker Cybersecurity Frameworks Analysis.