Switzerland warns that a ransomware gang may have accessed government data

The Swiss government warned citizens that operational data may have been accessed by ransomware actors during a recent attack on an IT company.

On May 23, the Play ransomware group claimed it attacked Xplain – a Swiss IT firm providing services to several federal agencies in the country. The ransomware group leaked the files it stole from the company on June 1, which it claimed included 907 GB of financial and other data.

Xplain did not respond to requests for comment but a spokesperson for Switzerland's National Center for Cybersecurity directed Recorded Future News to a lengthy statement published on Friday providing information about the incident.

“Based on the information currently available, it appears that operational data of the Federal Administration could also be affected by the ransomware attack on the IT company Xplain, which resulted in some of the stolen data being published on the darknet,” the government said.

Switzerland’s Federal Administration is still determining which agencies and units were affected by the attack on Xplain. The statement said operational data, which is used by arms of the government for various work purposes, should be assumed to have been included in the data stolen.

The Swiss Army and the country’s customs department are both customers of Xplain.

They did not provide more detailed information on what kind of data was involved and whether it included the personal information of citizens or government employees.

“Xplain, a Swiss provider of government software, has been the victim of a ransomware attack. After the stolen data had been encrypted and the company blackmailed, the attackers posted some of the stolen data on the darknet. Xplain notified the National Cybersecurity Centre (NCSC) of the cyber incident and reported the criminal offense to the Bern Cantonal Police,” the government said in a statement.

“Xplain's clients also include various administrative units of the Federal Administration. Clarifications are currently underway to determine the specific units and data concerned. Based on the information currently available, the Federal Administration does not believe that the Xplain systems have direct access to the Confederation's systems.”

The NCSC is working with Xplain and prosecutors on the case. They noted that there is currently no evidence that the hackers attempted to access federal systems during their attack on Xplain.

The cybersecurity agency also addressed criticism of its decision to allow multiple agencies to use the same IT provider, arguing that “certain risk concentration is offset by improved cost-effectiveness.”

“Furthermore, it is important to bear in mind that we do not have countless companies that can provide the required goods/services. Finally, it should be noted that the use of several suppliers also leads to additional interfaces and exchanges of data, which in turn can increase the risk of a security incident,” they said.

The government also denied that Xplain’s ransomware incident was connected to the recent distributed denial-of-service (DDoS) attack on the country’s parliament, explaining that the hacking group NoName took credit for it on Telegram. The group emerged after Russia’s invasion of Ukraine and has launched hundreds of DDoS attacks — which flood targeted sites with junk traffic, making them unreachable — against the governments of several European countries.

In a separate statement on Monday, the Swiss government confirmed that various websites of the Federal Administration were knocked offline by the DDoS attack.

“The Federal Administration's specialists quickly noticed the attack and are taking measures to restore accessibility to the websites and applications as quickly as possible.”