Date: Apr 2023

Location: Switzerland

Summary

A cyber attack resulted in the theft and subsequent publication of data on the darknet from the Bundesamt für Zoll und Grenzsicherheit (BAZG) and the Federal Office of Police. The breach was attributed to a vulnerability on servers hosted by their software provider, Xplain. Both agencies confirmed the incident but downplayed its scope, stating the compromised data pertained to customer correspondence and anonymized test simulations rather than their own core operational systems. The Swiss Army, another Xplain client, reported it was unaffected.


Description

On or around April 6, 2023, a cyber incident impacted the Swiss Federal Office of Police (Fedpol) and the Federal Office for Customs and Border Security (BAZG). The attack was not directly against the government agencies' own secured systems but instead targeted the servers of their common software provider, a German-Swiss company identified as Xplain. The attackers exploited a vulnerability on these servers to gain unauthorized access to data. The nature of the vulnerability was not publicly disclosed in the provided information. The breach was characterized as a ransomware attack, though the primary impact reported was the theft and subsequent publication of data rather than the encryption of systems for a ransom payment.

The incident was detected when Xplain itself informed its client, Fedpol, about the ransomware attack it had suffered. A Fedpol spokesperson confirmed the agency was notified by the software provider several days prior to a public confirmation on May 23, 2023. This indicates the initial discovery and reporting of the breach occurred in the days immediately preceding that date. The BAZG also confirmed it had been affected by the same cyberattack, receiving similar notification from their provider.

The scope of the data compromise was carefully delineated by both federal offices. Fedpol officials stated that Xplain did not have access to its productive, operational data. Instead, the company held only anonymized simulation data intended for testing purposes. Consequently, Fedpol asserted that its core projects and operational systems were not affected by the breach. The primary concern for Fedpol was the potential exposure of data stemming from correspondence between Fedpol and Xplain. The exact content and sensitivity of this stolen correspondence were not fully known to Fedpol at the time of its statement, as it indicated it did not yet know how much of it would be published.

Similarly, the BAZG issued a statement downplaying the direct impact on its own systems. A spokesperson for the customs office explicitly stated, "The data of the Federal Office itself is not affected." Mirroring the situation at Fedpol, the compromised data was described as being exclusively from correspondence between the BAZG and Xplain. This suggests the stolen information consisted of communications, potentially containing project details, support tickets, or other administrative exchanges, rather than raw operational data from customs or border security systems.

The attack had a broader reach beyond the two federal offices. It was reported that several cantonal police forces were also affected due to their relationship with the same software provider, Xplain. The specific cantons were not named. Another major entity that utilized Xplain's services, the Swiss Army, conducted an investigation and determined it was not impacted. A spokesperson for the Department of Defence (VBS) stated that based on their initial assessments, the incident at Fedpol and BAZG did not lead to a data leak within army systems. This suggests that the type of data held by Xplain for the army, or the nature of its relationship with the provider, differed from that of the affected police and customs agencies.

The primary consequential action taken by the attackers was the public release of the stolen data. The datasets taken from the Xplain servers were published on the darknet. The publication date was not specified but occurred prior to May 23, 2023, when it was reported by the French-language Swiss newspaper "Le Temps" and subsequently confirmed by the government agencies. Publishing stolen data on the darknet is a common tactic used by ransomware groups to pressure victims into paying a ransom, especially when the encryption of systems alone is insufficient leverage.

The response from the affected organizations was primarily communicative and investigative. Both Fedpol and the BAZG publicly confirmed the facts of the data theft and its publication once it was reported in the media. Their immediate response focused on assessing the scope and containing the fallout by clarifying that their core, operational data remained secure. The onus for the technical response, including patching the exploited vulnerability and securing its servers, fell upon the vendor, Xplain. No specific actions taken by Xplain, such as engaging incident response firms or law enforcement, were detailed in the provided source. The incident was part of a noted trend of increasing cyberattacks against Swiss entities, including the education department in Basel-Stadt, the municipal administration of Rolle, the University of Neuchâtel, the large dairy company Cremo, and major media houses CH Media and NZZ, all of which had also suffered data theft and publication.
