Xplain Data Breach Hackers Leaked 65,000 Swiss Government Files

An inquiry into the May 2023 Xplain data breach found that 5% or 65,000 of the 1.3 million files the Play ransomware gang leaked were relevant to the Swiss government.

The Play ransomware gang claimed it stole 907 gigabytes of sensitive documents, including financial records and other files.

On June 1, 2023, the cybergang dumped the entire trove on its darknet data leak site after failing to extort Xplain, a Swiss software solutions company that works with various government agencies.

The Federal government immediately acknowledged that the leaked files contained sensitive information and, on August 23, 2023, ordered an administrative investigation, whose preliminary findings the National Cyber Security Centre (NCSC) of Switzerland has now published.

Xplain data breach leaked over 65,000 Swiss government documents

The probe analyzed 1.3 million files published by the Play ransomware gang following the Xplain data breach and found that 5% or 65,000 files were relevant to the Federal government.

However, most files leaked “belonged to Xplain (47,413) with a share of over 70%; around 14% (9,040) belonged to the Federal Administration,” NCSC said.

Most (95%) of the leaked Swiss government files belonged to the administrative units of the Federal Department of Justice and Police, including the Federal Office of Justice, the Federal Office of Police, the State Secretariat for Migration, and the IT service center ISC-FDJP.

Another 3% of files exfiltrated during the Xplain ransomware attack affected the Federal Department of Defence, Civil Protection and Sport (DDPS), while other departments were “only marginally affected.”

Xplain data breach leaked sensitive personal and technical information

The NCSC found that over half (5,182) of the Swiss government files leaked after the Xplain data breach contained personal data, technical information, classified information, or account passwords.

Personal details, including names, email addresses, telephone numbers, and physical addresses, were present in 4,779 Swiss government files leaked in the Xplain data breach. Individuals whose personal information was leaked are at risk of targeted phishing attacks.

Of the 5,182 files, 278 contained “technical information such as documentation on IT systems, software requirement documents or architectural descriptions.” When leaked, this information could help threat actors plan future cyber attacks.

Another 121 files were classified according to the Information Protection Ordinance, meaning their contents could not be disclosed, while 4 had readable passwords. Compromised passwords are among the most prevalent initial access methods that threat actors, including Play ransomware, exploit to breach organizations.

While these findings are insightful, the Swiss government did not disclose the attack vector exploited in the Xplain data breach. The Play ransomware group is known, however, to gain initial access by exploiting software vulnerabilities, exposed Remote Desktop Protocol (RDP) services, virtual private networks (VPNs), and valid accounts.

The NCSC said a comprehensive analysis will conclude in late March 2024, and a conclusive report with detailed findings and recommendations will be shared with the Federal Council.

The cybersecurity agency also disclosed that the analysis team faced numerous challenges while analyzing the leaked files due to their unstructured nature, the sheer volume of data, and complex legal requirements that demanded inter-agency cooperation.

“Suitable tools were required to process unstructured data records and make their contents readable,” NCSC said. “The objects identified as relevant then had to be manually viewed and categorized.”

The Swiss government is among over 300 public and private organizations and critical infrastructure entities in North America, South America, and Europe targeted by Play ransomware (or Playcrypt) between June 2022 and October 2023, according to a joint cybersecurity advisory by the United States and Australia.

In mid-2022, the Play ransomware gang targeted government entities in Latin America, and it was later blamed for the ransomware attack on the City of Oakland that leaked 600 gigabytes of data.

On April 24, 2023, the group also took credit for the ransomware attacks on Lowell, a city of over 100,000 inhabitants in Massachusetts, and Dallas County, Texas.