
Cyber Incident Victim: Kanton Aargau

Date:

May 2023

Location:

Switzerland

Summary

A cyberattack exploiting a vulnerability at the Swiss software provider Xplain compromised several government bodies and the national railway company SBB. The Kanton Aargau was among the victims, with stolen data including business correspondence and a small volume of operational data from error logs that had been sent to Xplain for analysis. The incident, attributed to the Play ransomware group, involved an attempted extortion of Xplain, leading to the partial publication of the stolen data on the darknet.

CIA Posture:

Available to members

Motives:

1 motive (details available to members)

Tactics, Techniques & Procedures:

3 techniques (details available to members)

Threat Actor:

1 actor (details available to members)

Type:

Available to members

Actor Location:

Available to members

Description

A cyberattack initially targeting the Swiss Confederation expanded significantly to include additional victims, notably the Swiss Federal Railways (SBB) and the Canton of Aargau, as reported on May 23, 2023. The incident involved data theft stemming from a security vulnerability exploited at Xplain, a Swiss provider of specialized software for government authorities. Xplain, based in Interlaken, supplies various applications to administrative bodies and companies. The attackers utilized this breach to access and exfiltrate data from Xplain's systems. The full scope of the attack became clearer over several weeks, revealing that federal agencies had been under threat for some time prior to the public disclosure.


The initial known victims of the data theft were federal offices, including the Federal Office of Police (Fedpol) and the Federal Office for Customs and Border Security (BAZG). Data from various cantonal police forces was also compromised through the attack on the software provider. Following the data exfiltration, the cybercriminals, identified as the hacker group Play, attempted to extort Xplain. The company apparently did not give in to the ransom demands, and this refusal led to the public release of a portion of the stolen data on the darknet a few days before the reports were published.

The attack's impact widened as further victims were identified. The SBB confirmed it had been notified by Xplain that data had been exfiltrated as part of the same data leak incident. The national railway company acknowledged ongoing investigations into the matter but declined to specify the exact nature of the compromised data during the initial phase of the inquiry. This was not the first cybersecurity incident for the SBB, which had experienced a separate data theft involving customer information the previous year.

The Canton of Aargau was also confirmed as another victim of this widespread attack. Data from the canton's administration was stolen. According to the report, various Aargau departments had utilized services from the software firm in the past. These departments included the cantonal public prosecutor's office, the juvenile prosecutor's office, the Office for Migration and Integration, and correctional services. The Aargau Department of Economic Affairs provided an initial assessment of the stolen data to the media. Based on the knowledge available at the time, the canton stated that business correspondence was affected. Furthermore, a small volume of operational data from error logs was also compromised; this data had been stored with Xplain for analysis purposes. The exact scope and full extent of the impact on the canton's data were still being analyzed.

The threat actor behind this attack was reported to be the cybercriminal group known as Play. The group had been active in the months preceding this incident and had claimed responsibility for other significant cyberattacks within Switzerland, including those targeting the media companies NZZ and CH-Media. Its modus operandi follows the double-extortion pattern: breach computer systems, steal data, encrypt systems, and then threaten to publish the stolen data incrementally on the darknet if the ransom is not paid. The publication of the Xplain data followed this established pattern once the extortion attempt failed.

The response to the incident involved multiple parties. The affected organizations, including the SBB and the Canton of Aargau, were notified by Xplain about the data leak and immediately launched internal investigations to determine the precise nature and sensitivity of the exfiltrated data; the SBB cited this ongoing work as the reason for not initially detailing the type of data lost, and the Canton of Aargau began a similar analysis of the full scope of the impact. Public disclosure of the attack and its widening scale was driven by media reports, which brought attention to the incident beyond the initial federal targets. The confirmation that the SBB and the Canton of Aargau were also affected made clear how far the attack reached through a single third-party supplier.

Sources:

2 sources (available to members)