Play ransomware leaked 65,000 Swiss government documents, investigation finds

Swiss authorities have found that 65,000 government documents holding classified information and sensitive personal data were leaked following a ransomware attack last year on one of the government's IT vendors.

Switzerland’s National Cyber Security Centre (NCSC) published a brief analysis of the data stolen during the attack last May — when hackers connected to the Play ransomware gang targeted IT vendor Xplain. The government ordered a review of the incident in August 2023 and on Thursday the NCSC published its initial findings.

In total, the data published on the dark web involved 1.3 million files, and about 5% of that data was connected to the country’s federal government.

The majority of those files belonged to Xplain, and are related to the company’s work with the government, but around 14% were directly from the country’s federal administration.

Nearly all of the government files belonged to administrative units of the Federal Department of Justice and Police (FDJP), including the Federal Office of Justice, Federal Office of Police, State Secretariat for Migration and the internal IT service centre ISC-FDJP, the NCSC said.

“With just over 3% of the data, the Federal Department of Defence, Civil Protection and Sport (DDPS) is slightly affected and the other departments are only marginally affected in terms of volume,” the agency said.

The content of the files included personal data, technical information, classified documents, passwords and more. Names, email addresses, phone numbers and addresses were found in about 4,700 files. More than 250 of the files contained “technical information such as documentation on IT systems, software requirement documents or architectural descriptions.”

The administrative investigation is due to be finished by the end of March, when a report will be sent to the country’s Federal Council.

The Play ransomware group claimed the attack on May 23 and leaked the files on June 1, saying the leak consisted of 907 gigabytes of financial and other data.

The FBI said in December that Play ransomware has been responsible for more than 300 successful cyberattacks since June 2022.

When the Play group first emerged in mid-2022, it targeted government entities in Latin America, according to Trend Micro. More recently it drew headlines for a damaging attack on the city of Oakland, which spent weeks recovering from the incident, as well as others involving Stanley Steemer and the organization that runs the transit system for central Virginia.

The group continues to launch dozens of attacks each week on businesses across the world.

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.