
Cyber Incident Victim: Schweizerische Bundesbahnen

Date:

May 2023

Location:

Switzerland

Summary

A cyberattack exploiting a vulnerability at the Swiss software provider Xplain compromised data from multiple entities, including the Swiss Federal Railways (SBB) and the Aargau cantonal administration. The attackers, identified as the Play group, stole data and attempted to extort the company, later publishing a portion of it on the darknet after their demands were not met. For SBB, the breach involved operational data from error logs and business correspondence that was stored with Xplain for analysis.

CIA Posture: available to members

Motives: 1 motive (available to members)

Tactics, Techniques & Procedures: 3 techniques (available to members)

Threat Actor: 1 actor (available to members)

Type: available to members

Location: available to members

Description

On or around May 23, 2023, it was reported that a cyberattack initially targeting the Swiss Confederation had expanded to include additional victims, notably Schweizerische Bundesbahnen (SBB) and the Aargau cantonal administration. The incident was a data breach stemming from a vulnerability exploited at Xplain, an Interlaken-based Swiss provider of software for government authorities that supplied various applications to administrations and companies. The attackers used this security weakness to access and exfiltrate data.


The breach had been ongoing for several weeks before its public disclosure. The attackers acquired data from several federal offices, including the Federal Office of Police (Fedpol) and the Federal Office for Customs and Border Security (BAZG). Data from cantonal police forces was also compromised. Following the data theft, the cybercriminals attempted to extort Xplain. Xplain apparently did not comply, and a portion of the stolen data was published on the darknet a few days before the reports emerged.

The SBB confirmed that Xplain had notified it that its data had been exfiltrated as part of the broader leak. The national railway company acknowledged its involvement in the ongoing incident but declined to specify the exact nature of the compromised data, citing ongoing investigations. This was another cybersecurity event for the SBB, which had experienced a separate data theft the previous year involving a million customer records.

The canton of Aargau was also identified as a victim of the same attack. The Aargau cantonal administration reported that the stolen data likely included business correspondence and a small volume of operational data from error logs that had been stored at Xplain for analysis. The administration's Volkswirtschaftsdepartement stated that the exact scope and volume of the affected data were still being analyzed. Several Aargau departments had historically used the software company's services, including the cantonal public prosecutor's office, the juvenile prosecutor's office, the Office for Migration and Integration, and correctional services.

The attack was attributed to the hacker group known as "Play." The group had carried out a series of cyberattacks in the preceding months, including incidents targeting the media houses NZZ and CH-Media. Its modus operandi was to infiltrate computer systems, steal data, and encrypt it, then extort the victim companies by threatening to publish the stolen material incrementally on the darknet if ransom demands were not met. The publication of the Swiss data followed this established pattern after the extortion attempt against Xplain failed.

The primary impact of the incident was the confirmed theft and subsequent public release of sensitive government and corporate data. The data published on the darknet was a portion of the larger cache stolen from multiple entities through the exploitation of Xplain's systems. In response, Xplain notified the affected organizations of the leak, and both the SBB and the canton of Aargau launched internal analyses to determine the full scope and precise nature of the affected data. These investigations were ongoing at the time of reporting, which limited the specific detail the victims could disclose publicly. The incident demonstrated the cascading risk of supply-chain compromise: a single breach at one software provider exposed data entrusted to it by multiple client organizations, none of which were attacked directly.

Sources: 2 sources (available to members)