The National Cybersecurity Centre (NCSC) of Switzerland recently published a report detailing their analysis of a data breach that occurred as a result of a Play ransomware attack on a company called Xplain. This breach had a significant impact on numerous sensitive Federal government files.
The Xplain Play Ransomware Incident
Xplain is a Swiss technology and software solutions provider that serves various government departments, administrative units, and even the country's military. On May 23, 2023, Xplain was breached by the Play ransomware gang.
During the breach, the threat actors claimed to have stolen documents containing highly confidential information. In early June 2023, they made good on their threats and publicly released the stolen data on a darknet portal.
Upon discovering the breach, the Swiss government promptly launched an investigation into the compromised files. They acknowledged the possibility that the leaked data may include documents belonging to the Federal Administration of Switzerland.
Details of the Files Leaked by the Play Ransomware Group
In a statement released today, the Swiss government officially confirmed that a significant number of government documents, totaling 65,000, were leaked as a result of the breach. Here are the key details provided:
- Out of the approximately 1.3 million files that were published by the Play ransomware group, around 5% (65,000 documents) are directly relevant to the Federal Administration.
- The majority of these leaked files, accounting for 95%, have an impact on the administrative units of the Federal Department of Justice and Police (FDJP). This includes the Federal Office of Justice, the Federal Office of Police, the State Secretariat for Migration, and the internal IT service center ISC-FDJP.
- The Federal Department of Defence, Civil Protection and Sport (DDPS) has been minimally affected, with just over 3% of the leaked data attributed to them.
- Approximately 5,000 of the leaked documents contain sensitive information, such as personal data (names, email addresses, telephone numbers, and addresses), technical details, classified information, and account passwords.
- A smaller subset of a few hundred files includes IT system documentation, software or architectural data, and passwords.
These details provide a clearer understanding of the extent and nature of the leaked data resulting from the breach.
According to the announcement, the administrative investigation, which commenced on August 23, 2023, is expected to conclude by the end of this month. The comprehensive findings of the investigation, along with cybersecurity recommendations, will be shared with the Federal Council.
The prolonged duration of the investigation can be attributed to several factors. Firstly, the analysis of unstructured data and the sheer volume of leaked information have presented a complex challenge, requiring significant time and resources to sort out the documents relevant to the Federal Administration.
Furthermore, the legal complexities associated with analyzing the leaked data for evidence have contributed to the extended timeline. Given the confidential nature of the information, inter-agency coordination and participation are required, which inevitably adds further time to the process.