
Swiss Government Hit By Play Ransomware: 65000 Sensitive Documents Leaked

The Swiss IT service company Xplain suffered a breach that resulted in data being leaked. The Swiss National Centre for Cybersecurity (NCSC) released this information in a press release. The Federal Office for Cybersecurity (BACS) took part in the investigation.

Swiss technology and software solutions company Xplain provides services to the military, government agencies, and administrative divisions. The Play ransomware group hacked the firm on May 23, 2023.

The National Cyber Security Centre (NCSC) issued a summary of the data breach that happened in May. During this cyberattack, hackers from the Play ransomware group exclusively targeted IT firm Xplain.

The threat actor claimed to have obtained documents with sensitive information at the time. They carried out their threats in early June 2023, releasing the stolen data on their darknet portal. The Play ransomware group released approximately 65,000 documents from the federal government, including classified files and login details.

The government launched a comprehensive review in August 2023 in response to the failure. On February 7, 2024, the NCSC announced its preliminary results. Approximately five percent of the 1.3 million files available on the dark web were connected to the federal government. Xplain owned this data, primarily linked to the government projects the company worked on.

The administrative branches of the Federal Department of Justice and Police (FDJP) are the focus of about 95% of these documents. Some of these units include the State Secretariat for Migration, the Federal Office of Justice, the Federal Office of Police, and the internal IT service centre ISC-FDJP.

According to NCSC:

With just over 3% of the data, the Federal Department of Defence, Civil Protection and Sport (DDPS) is slightly affected and the other departments are only marginally affected in terms of volume.

The files contained a wide range of sensitive information, such as personal information, technical documentation, confidential documents, and passwords. Approximately 4,700 files contained personally identifiable information, including names, email addresses, phone numbers, and addresses.

Additionally, approximately 250 files contained technical information such as IT system documentation, software requirements, and architectural specifications.

According to a CISA report, the Play ransomware organisation, based in Russia, has successfully carried out some 300 attacks against vital infrastructure and businesses. The attacks happened between June 2022 and October 2023 in North America, South America, and Europe. They gain unauthorised access to external services like RDP and VPN and use a double extortion strategy.

The NCSC shared an explanation:

A considerable amount of analysis was required to determine how much data was leaked and the owners of the leaked data. The various federal offices and service providers involved worked closely under the lead of the NCSC to manage the security incident. This allowed all parties to utilise synergies, make effective use of resources, and save valuable time.

Although the investigation is still underway, an outcome is expected this month. Regardless of how Swiss authorities respond to the investigation, the incident is a classic illustration of the data impact a government faces when a ransomware attack hits one of its providers, particularly an IT services company like Xplain.
