Swiss administration reports cyberattack
Swiss authorities are conducting an investigation into a cyberattack on the IT company Xplain, which provides IT solutions for homeland security and serves various federal and cantonal government departments, including the army and customs.
The attack came to light after the newspaper Le Temps reported that several cantonal police forces, the Swiss army, and the Federal Office of Police (Fedpol) were indirectly affected.
According to Xplain, the cyberattack was carried out by the PLAY ransomware group. Some of the stolen data has been published by the attackers, and the affected customers have been notified and advised.
In response to the incident, Xplain has engaged the National Cyber Security Centre, and investigations are currently underway. Xplain has not made any contact with the PLAY group and will not pay any ransom demanded by them. The full extent of the data theft is still unknown, but Xplain stated that it does not store the applications and data itself, as it primarily offers online applications to its customers.
Update: as of 10th June 2023, Swiss government data may have been posted on the dark web. Xplain says it has no plans to pay the demanded ransom.
As of 7th of March 2024, the ransomware gang Play had leaked 65,000 Swiss government documents containing classified and sensitive information on the dark web, most belonging to Xplain, but also a significant portion belonging to the Federal Department of Justice and Police. Of the files, 47,413 belonged to Xplain (70%) and 9040 to the Federal Administration (14%).
Personal data, technical information, classified data and passwords were held in 5182 of the files:
- Personal data, including names, email addresses, telephone numbers and postal addresses, was found in 4779 files.
- Technical information such as documentation on IT systems, software requirement documents or architectural descriptions was held in 278 files.
- At least 121 objects were classified in accordance with the Information Protection Ordinance and 4 objects contained readable passwords.
The Federal Office of Customs and Border Security confirmed that elements of correspondence with Xplain were affected by the cyberattack. However, they clarified that their own data remains unaffected. The Swiss army, which has been using Xplain's software solution for several years, stated that the incident does not impact their operations as the software is operated through the Confederation's own servers.
The Swiss civil authorities have initiated a criminal procedure in response to the cyberattack. The Federal Police have stated that their projects are not affected based on the current information available.