
A major ransomware attack on Swiss IT firm Xplain in 2023 compromised thousands of Swiss federal government records, including records belonging to the justice, police and defence departments.
In May last year, Xplain experienced a significant cyber attack that affected services provided to Switzerland’s police forces, the Swiss army, and the Federal Office of Police (Fedpol). The IT services company provides data-driven marketing and strategic advisory services to the federal government and many of its agencies.
On 23rd May, the notorious Play ransomware group claimed responsibility for the cyber attack on Xplain and listed the company as a victim on its data leak site. On 1st June, the group leaked the stolen data which, it claimed, contained around 907 GB of financial data and other information.
Following the ransomware group’s claims, the National Cyber Security Center Switzerland (NCSCS) said, “Based on the information currently available, it appears that operational data of the Federal Administration could also be affected by the ransomware attack on the IT company Xplain, which resulted in some of the stolen data being published on the darknet.
“Contrary to the initial findings and following recent in-depth clarifications, it has to be assumed that operational data could also be affected. Based on the information currently available, the Federal Administration does not believe that the Xplain systems have direct access to the Confederation’s systems,” NCSCS added.
In a recent statement, NCSCS said that the ransomware attack on Xplain compromised “classified information and sensitive personal data from the Federal Administration. The National Cyber Security Centre led the incident response, defined measures to restore the security of the systems and carried out a comprehensive analysis of the published data.”
“The data package published on the darknet comprised around 1.3 million files. Once the data had been downloaded, the NCSC took the lead in systematically categorising and triaging all documents relevant to the Federal Administration. The results showed that the volume of data relevant to the Federal Administration comprised around 65,000 documents, or approximately 5% of the total published data set.”
NCSCS said the majority of the stolen files were internal Xplain documents, but the stolen data dump also included over 9,000 files belonging to the Federal Administration. As much as 95% of these files belonged to the administrative units of the Federal Department of Justice and Police, which includes the Federal Office of Justice, Federal Office of Police, State Secretariat for Migration and the internal IT service centre ISC-FDJP.
“With just over 3% of the data, the Federal Department of Defence, Civil Protection and Sport (DDPS) is slightly affected and the other departments are only marginally affected in terms of volume,” the cyber security agency said.
The agency added that 5,182 Federal Administration files identified in the compromised data dump contained personal data, technical information, classified information and passwords. Of these, 4,779 files contained sensitive personal information of individuals, including their names, email addresses, telephone numbers and postal addresses.
“In addition, 278 files contained technical information such as documentation on IT systems, software requirement documents or architectural descriptions, 121 objects were classified in accordance with the Information Protection Ordinance and 4 objects contained readable passwords,” the agency explained.
NCSCS said that it expects to complete its investigation by the end of March, following which a report, along with all its findings, will be sent to the Swiss Federal Council.