Ransomware Attackers Leak Sensitive Documents from Swiss Government, Login

In a significant data breach incident, sensitive Swiss federal government data, including classified documents and login credentials, were leaked by the Play ransomware group after an attack on IT service provider Xplain in 2023.

The investigation conducted by Switzerland’s National Cyber Security Centre (NCSC) uncovered that approximately 65,000 documents pertaining to the federal government were made public by the attackers on the darknet on June 14, 2023. This leak consisted of 5% of the total data package uploaded by Play, with 47,413 files belonging to Xplain (70%) and 9,040 files to the Federal Administration (14%).

Xplain plays a vital role as an IT service provider to national and cantonal authorities in Switzerland. The leak revealed that the majority (95%) of the 9,040 exposed federal government files originated from various units of the Federal Department of Justice and Police (FDJP), including the Federal Office of Justice, the Federal Office of Police, the State Secretariat for Migration, and the internal IT service centre ISC-FDJP. A small portion of the data was sourced from the Federal Department of Defence, Civil Protection and Sport (DDPS) and other agencies.

The Swiss NCSC’s analysis of the leaked data detected personal information, technical details, classified data, and passwords in 5,182 files. Personal data like names, email addresses, phone numbers, and postal addresses were found in 4,779 files, while technical information on IT systems and software requirements was present in 278 files. Moreover, 121 objects were classified according to the Information Protection Ordinance, and 4 objects contained readable passwords.

It is important to note that the report did not delve into the content of the leaked data or the reason behind the specific data being exposed. An administrative investigation is scheduled to conclude by the end of March 2024, following which the Swiss Federal Council will be briefed on the findings and provided with recommendations on the next steps to take.

The Play ransomware group responsible for this breach is believed to operate out of Russia. A joint advisory released by the US and Australian governments in December 2023 stated that the group carried out approximately 300 successful attacks between June 2022 and October 2023. Play targets businesses and critical infrastructure in North America, South America, and Europe through a double extortion model, gaining initial access by abusing valid accounts, exploiting public-facing applications, and using external-facing services such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN).

Overall, the leak of sensitive government data underscores the ongoing threat posed by cybercriminals and the importance of robust cybersecurity measures to safeguard critical information and infrastructure.
