Xplain Hack Aftermath: Play Ransomware Leaks Sensitive Swiss Government Data

In June 2023, Xplain, a Swiss IT services provider, fell victim to a cyberattack claimed by the Play ransomware group.
Xplain Hack Aftermath: Play Ransomware Leaks Sensitive Swiss Government Data

The Play ransomware group leaked around 65,000 documents belonging to the federal government, including classified documents and login credentials, which were published on its dark web leak site on 14 June 2023.

Xplain Hack Aftermath: Play Ransomware Leaks Sensitive Swiss Government Data

Following the cyberattack on Swiss IT service provider, Xplain, details of the leaked data have been disclosed in a press release from the Swiss National Center for Cybersecurity (NCSC) – The Federal Office for Cybersecurity (BACS) has also taken part in the investigation.

The department analyzed the data leaked stolen by the Play ransomware group from Xplain, which is a “major provider of IT services to national and cantonal authorities,” the department confirmed.

Background

Back in May 2023, hackers exploited a vulnerability to target Xplain servers hosting applications for cantonal services, blocking access until a key or unblocking tool is sent in exchange for ransom. The attack, carried out by the Play ransomware group, had far-reaching consequences, impacting the Federal Office of Police, the Federal Office of Customs and Border Protection, Swiss Federal Railways and Aargau cantonal authorities.

In June 2023, Swiss federal government websites and the Swiss Federal Railways’ online portal were targeted in DDoS attacks, causing several websites to be unavailable. The finance ministry reported on 12 June 2023 that a pro-Russian group, “NoName,” claimed responsibility for the attack on its Telegram channel and that no data was lost in the attack. This group was also involved in the attack on the Swiss parliament website earlier in June 2023.

The Play ransomware group leaked around 65,000 documents belonging to the federal government, including classified documents and login credentials, which were published on its dark web leak site on 14 June 2023.

As per NCSC’s press release published earlier today, the BACS then took over the coordination of incident response within the federal administration and analysis of leaked data. A policy strategy crisis team was formed on 28 June and an administrative investigation was launched officially on 23 August to find out details of data leak at Xplain.

Xplain Hack Aftermath: Play Ransomware Leaks Sensitive Swiss Government Data
Official dark web leak site on the Play ransomware group (Screenshot: Hackread.com)

Report Details

The BACS emphasized that the report focuses on data types and analysis challenges, not the content of leaked data. Around 70% (around 47,413) of files belong to Xplain and 14% (9,040) to the Federal Administration.  Hackers have leaked 95% of the 9040 files belonging to the Swiss federal government, mainly from the Federal Department of Justice and Police, Federal Office of Justice, Federal Office of Police, State Secretariat for Migration, and ISC-FDJP. 

Around half of the Federal Administration’s files contain sensitive content like personal data, technical information, classified information, and passwords, with 4,779 files containing personal data, and 278 files containing technical information. 121 objects were dubbed classified under the Information Protection Ordinance with 4 of them containing readable passwords.

The department aims to collaborate with authorities and Xplain to address potential consequences. This investigation is expected to be completed in March 2024.

About Play Ransomware Group

The Play ransomware group is believed to be based in Russia and is responsible for around 300 successful attacks on businesses and critical infrastructure in North America, South America, and Europe from June 2022 to October 2023. The group uses a double extortion model, ranging from unauthorized access to external services like RDP and VPN.

  1. Ransomware Attack Disrupts Services in 18 Romanian Hospitals
  2. LockBit Ransomware Gang Returns, Taunts FBI, Vows Data Leaks
  3. LoanDepot Ransomware Attack Leads to Data Breach; 17M Impacted
  4. Schneider Electric Energy Giant Confirms Cactus Ransomware Attack
  5. TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware
Total
0
Shares
Related Posts