Cyber Incident Victim: Xplain AG
Date: May 2023
Location: Switzerland
Summary
The Swiss software provider Xplain AG suffered a ransomware attack by the Play ransomware group, which claimed to have exfiltrated over 900 gigabytes of data. The company confirmed the incident and engaged external cybersecurity experts and the authorities to investigate. While the full scope was still under investigation, the potentially compromised data included employee personal information, internal business documents, and project information; the firm stated that it does not store customer case or person data from client systems.
Description
On or around May 1, 2023, the Swiss software company Xplain AG was compromised in a ransomware attack. The incident was publicly revealed when the Play ransomware group posted an entry pertaining to the company on their darknet leak site on May 22, 2023. The cybercriminals claimed to have successfully exfiltrated over 900 gigabytes of data from the company's systems and threatened to publish this information on the darknet. Xplain AG's managing director, Andreas Löwinger, confirmed the occurrence of the cyberattack and stated that the company's customers were formally informed of the breach on May 23, 2023.

Xplain AG is a specialized software provider for government and security authorities. The company's headquarters are located in Interlaken, Canton Bern, with additional offices in Aarau, Zürich, and Lausanne, as well as international branches in Germany and Spain. The firm's core business is developing software products that cover the entire workflow of authorities and organizations with security, migration, labor and economic, law enforcement, and correctional duties, from initial intake through to archiving. This client base immediately raised concerns about the potential sensitivity of any stolen data.
In its initial public statement, the company reported that it had noticed the attack immediately and reacted quickly to minimize the impacts and restore the security and availability of its production systems. The company emphasized that it was working closely with external cybersecurity experts and the relevant authorities to conduct a thorough investigation into the incident. The response actions focused on containment and restoration of operational services.
The Play ransomware group responsible for the attack is identified as one of the most active cybercrime entities at the time, specializing in data theft and extortion. The group is distinct from Ransomware-as-a-Service (RaaS) providers, meaning its operators conduct their targeted attacks themselves rather than leasing out their tools to other affiliates. This modus operandi suggests a higher degree of coordination and intent behind the intrusion into Xplain's networks.
Regarding the scope of the data breach, company officials were cautious in their initial assessments. The exact details of the attack, including the full extent and severity of the data theft, were stated to be under active investigation. The company sought to clarify the nature of the potentially affected data, emphasizing that it does not store person and case data from customer systems within its own infrastructure. According to Xplain AG, the data potentially compromised in the attack could include personal information of its employees, internal business documents belonging to the firm, and various project information. This distinction was crucial for informing their customers, primarily government agencies, that their operational data was not held by Xplain and thus was not part of the theft.
The incident placed Xplain AG within a pattern of attacks against Swiss entities by the Play ransomware group. Other known victims of the group in Switzerland included the media companies NZZ and CH Media, the guardianship authority of the municipality of Saxon in the canton of Valais, the firm Energie Pool Schweiz, and the H-Hotels hotel chain. The attack on Xplain underscored the continued targeting of Swiss organizations by sophisticated cybercriminal actors.
The broader context of such ransomware attacks, as noted in reporting on the incident, suggests a high number of unreported cases. International investigations by IT security researchers indicated that a significant number of ransomware attacks are never reported or made public. It is estimated that up to two-thirds of affected organizations ultimately acquiesce to extortion demands and pay ransoms secretly to avoid public exposure and recover their data, though it was not disclosed whether Xplain AG received or paid any ransom demand.
The primary impact of the incident was the disruption to Xplain AG's business operations and the potential exposure of its internal corporate data. The theft of 900 gigabytes of data, as claimed by the attackers, represented a significant breach of the company's confidential information. The compromise of employee personal information raised concerns for the privacy and security of its staff, while the exfiltration of business documents and project information could have implications for the company's intellectual property and commercial competitiveness. The need to engage external cybersecurity consultants and coordinate with law enforcement authorities represented a significant operational and financial cost to the organization in its response and recovery efforts. The full consequences of the data breach would depend on the final determination of what specific data was taken and whether the attackers followed through on their threat to publish it.
