Sensitive Swiss federal government data, including classified documents and log in credentials, were leaked by the Play ransomware group following an attack on IT service provider Xplain in 2023.
An investigation by Switzerland’s National Cyber Security Centre (NCSC) revealed that around 65,000 documents relating to the federal government were published by the attackers on the darknet on June 14, 2023.
This comprised 5% of the total data package uploaded by Play. Of these files, 47,413 belonged to Xplain (70%) and 9040 to the Federal Administration (14%).
Xplain is a major IT service provider to national and cantonal authorities in Switzerland.
Sensitive Government Data Leaked by the Hackers
The vast majority (95%) of the 9040 files belonging to the federal government that were leaked came from the following departments:
- The Federal Department of Justice and Police (FDJP)
- The Federal Office of Justice
- Federal Office of Police
- State Secretariat for Migration
- The internal IT service centre ISC-FDJP
Just over 3% of the data came from the Federal Department of Defence, Civil Protection and Sport (DDPS), with the remainder relating to several other agencies.
The Swiss NCSC discovered that personal data, technical information, classified data and passwords were held in 5182 of the files.
Personal data, including names, email addresses, telephone numbers and postal addresses were found in a further 4779 files.
Technical information such as documentation on IT systems, software requirement documents or architectural descriptions was held in 278 files.
Additionally, 121 objects were classified in accordance with the Information Protection Ordinance and 4 objects contained readable passwords.
However, the report did not evaluate the content of the data, or why certain data was leaked.
An administrative investigation is due to be completed by the end of March 2024, after which the Swiss Federal Council will be informed of the results and receive recommendations on how to proceed.
About the Play Ransomware Group
The Play ransomware group is believed to be based in Russia. According to a joint advisory published by the US and Australian governments in December 2023, the group is responsible for around 300 successful attacks from June 2022 to October 2023.
The ransomware gang targets a range of businesses and critical infrastructure in North America, South America and Europe.
Play typically employs a double extortion model, and its initial access techniques range from abuse of valid accounts and exploitation of public-facing applications to using external facing services such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN).