Cyber Incident Victim: Swiss Federal Assembly
Date: May 2023
Location: Switzerland
Summary
The Swiss Parliament's website suffered a distributed denial-of-service (DDoS) attack attributed to the pro-Russian hacktivist group NoName, causing significant access issues. This incident occurred separately from but around the same time as a ransomware attack on a government IT supplier, Xplain, which led to a significant data leak containing operational and potentially sensitive federal data.
Description
On May 23rd, 2023, the Swiss technology provider Xplain was breached by the Play ransomware gang. Xplain supplied various Swiss government departments, administrative units, and the country's military force with software solutions. The threat actors claimed to have stolen a significant amount of data from the company, including various documents that contained private and confidential information as well as financial and taxation details. This initial attack on a third-party supplier represented the first phase of a broader incident impacting the Swiss government. The Play ransomware gang, having failed to extort a ransom payment from Xplain, proceeded to publish the entire data dump they had exfiltrated on June 1st, 2023. This public release of potentially sensitive information marked a significant escalation, moving from a contained breach to a public data leak.

Following the data leak, the Swiss government issued a disclosure on or before June 6th, 2023, confirming its potential impact. The government stated that while investigations into the contents and validity of the leaked data were still ongoing, it had to be assumed that the attackers had posted data belonging to the Federal Administration. This assessment represented a shift from initial findings, indicating that following recent in-depth clarifications, operational data could also be affected. The government's press release noted that clarifications were currently underway to determine the specific units and data concerned, highlighting the ongoing forensic effort to understand the full scope of the compromise stemming from the third-party attack on Xplain.
Concurrently, a separate but publicly linked threat emerged against Swiss government online services. On the afternoon of Wednesday, June 7th, 2023, the official website of the Swiss Parliament, parlament.ch, became the target of a distributed denial-of-service (DDoS) attack. The attack caused significant accessibility issues, rendering the parliamentary website either completely unavailable or causing it to respond with severe delays. The Parliamentary Services acknowledged the incident publicly via Twitter. Shortly after 5:00 PM local time on Wednesday, they reported that the disruption had been resolved and that the attacks on the website's infrastructure had been neutralized through appropriate measures. They also provided a crucial initial assessment, stating that internal systems and data were not affected by this DDoS activity, effectively containing the impact to service availability for the public-facing website.
However, the situation regarding the DDoS attacks proved to be more persistent than initially communicated. By the morning of Thursday, June 8th, officials, citing the Presidents of the Council of States and the National Council, reported that specialists were still working to fend off the ongoing attack. This indicated that the mitigation efforts were continuous and that the threat actors were persisting in their attempts to disrupt the parliament's online presence. The nature of a DDoS attack, which involves flooding a target with traffic from many distributed computers, often requires sustained defensive measures to filter malicious traffic and maintain service availability.
The DDoS campaign escalated on Monday, June 12th, 2023, when the pro-Russian hacktivist group known as NoName expanded its targets to include various Federal Administration websites and online services beyond the parliamentary site. This group has a history of targeting NATO-aligned countries and entities in Europe, Ukraine, and North America since early 2022. The attack on June 12th caused renewed access problems, making several official government websites and applications inaccessible. The Federal Administration's specialists quickly detected the attack and immediately began taking measures to restore accessibility. The government's public warning confirmed the ongoing nature of the incident and attributed the motivation to geopolitical events, specifically noting that NoName had attacked the parliament website the previous week when its members were discussing whether Switzerland had abandoned its neutrality to send aid to Ukraine.
The incident thus comprised two distinct but overlapping components: a data breach and leak originating from a ransomware attack on a government supplier, and a series of DDoS attacks targeting government web assets directly. The Play ransomware gang's actions against Xplain compromised the confidentiality of government data, while the NoName group's activities aimed to disrupt the availability of critical public-facing services. The Swiss government's response involved multiple branches and levels of administration. For the ransomware incident, the response focused on forensic analysis and investigation to determine the exact extent of the data exposure, a process that was confirmed to be ongoing at the time of the public statements. The entities involved were working to identify which specific units and datasets were contained within the leaked information from Xplain.
The response to the DDoS attacks involved technical specialists from both the Parliamentary Services and the broader Federal Administration. Their actions included implementing appropriate measures to neutralize the inbound malicious traffic, a process that involved continuous monitoring and adaptation as the attacks persisted over multiple days. The primary goal of this response was to restore and maintain the accessibility of the targeted websites and web applications for the public. The government's communications strategy included public press releases and updates via social media to inform citizens of the outages and the efforts underway to resolve them. The technical response successfully prevented any breach of internal systems from the DDoS attacks, as confirmed by parliamentary officials, limiting the impact to service availability.
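The defensive work described in the two paragraphs above, continuously classifying inbound traffic so that the flood can be filtered while legitimate visitors keep access, is illustrated by the following added Python example. It is not code from the Parliamentary Services or the Federal Administration. It buckets constructed web-server access-log lines into fixed time windows and separates a distributed flood (many sources, each contributing a little) from a single abusive client that can simply be rate-limited; the IP ranges, timestamps, paths and thresholds are all assumptions chosen for the illustration.

```python
"""Window-based detection of an application-layer HTTP flood in access logs.

Added illustration only; the log lines are constructed and the thresholds are
assumptions, not values taken from the Swiss incident.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-style line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed access-log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def bucket(ts, window_s):
    """Start (epoch seconds) of the fixed window that contains ts."""
    epoch = int(ts.timestamp())
    return epoch - epoch % window_s


def detect_flood(lines, window_s=10, total_threshold=200,
                 distinct_threshold=50, per_ip_threshold=30):
    """Classify each window of traffic.

    'distributed-flood': total requests and distinct sources both exceed their
    thresholds, i.e. many hosts each sending a modest amount (the DDoS pattern).
    'single-source-burst': only individual clients exceed per_ip_threshold; those
    are listed under 'rate_limit' because blocking them is enough.
    Thresholds are assumptions and must be tuned to the site's normal baseline.
    """
    windows = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed lines rather than crash mid-attack
            continue
        windows[bucket(rec["ts"], window_s)][rec["ip"]] += 1

    findings = []
    for start in sorted(windows):
        per_ip = windows[start]
        total = sum(per_ip.values())
        distinct = len(per_ip)
        noisy = sorted(ip for ip, n in per_ip.items() if n > per_ip_threshold)
        verdict = "normal"
        if total > total_threshold and distinct > distinct_threshold:
            verdict = "distributed-flood"
        elif noisy:
            verdict = "single-source-burst"
        findings.append({
            "window_start": start, "total": total,
            "distinct_sources": distinct, "rate_limit": noisy, "verdict": verdict,
        })
    return findings


def make_sample_log():
    """Constructed data: 10 s of normal browsing, then 10 s of a flood.

    Addresses come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24,
    203.0.113.0/24); the date is only a plausible-looking placeholder.
    """
    base = datetime(2023, 6, 7, 14, 0, 0, tzinfo=timezone(timedelta(hours=2)))

    def fmt(ip, ts, path):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    normal = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    for i in range(9):                      # first window: a few real visitors
        lines.append(fmt(normal[i % 3], base + timedelta(seconds=i), "/de/"))
    flood_start = base + timedelta(seconds=10)
    for i in range(40):                     # one hypothetical abusive client
        lines.append(fmt("203.0.113.9", flood_start + timedelta(seconds=i % 10), "/"))
    for i in range(60):                     # sixty hypothetical bots, four hits each
        for j in range(4):
            lines.append(fmt(f"192.0.2.{i + 1}", flood_start + timedelta(seconds=j * 2), "/fr/"))
    return lines


if __name__ == "__main__":
    for f in detect_flood(make_sample_log()):
        print(f)
```

The point of separating the two verdicts is operational: a single noisy client is handled by per-IP rate limiting at the reverse proxy, whereas a distributed flood cannot be, because no individual source stands out, so the answer is upstream filtering or scrubbing of the whole traffic class. Note that this only sees floods that reach the web server; a purely volumetric attack saturating the uplink has to be detected from flow data at the network edge, before any access-log line is written.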
The impacts of these incidents were multifaceted. The ransomware attack on Xplain and the subsequent data leak created a potential compromise of sensitive government information, the full scope of which was still being determined. This raised concerns about the exposure of private, confidential, financial, and operational data belonging to the Federal Administration. The DDoS attacks had a direct and tangible impact on the public's ability to access government services online, causing intermittent outages and slow performance on key websites like parlament.ch and other Federal Administration portals. This disruption affected the delivery of digital public services and information dissemination. Furthermore, the incidents collectively highlighted the complex threat landscape facing governments that rely on third-party IT suppliers and maintain a significant online presence, demonstrating vulnerabilities in both the supply chain and the public internet infrastructure.
The chronology of events began with the initial ransomware breach of Xplain on May 23rd. The data exfiltrated in that attack was then published by the Play gang on June 1st. The Swiss government's disclosure regarding its likely impact from that leak occurred shortly thereafter, by June 6th. The first wave of DDoS attacks, specifically targeting the parliamentary website, commenced on the afternoon of June 7th. Mitigation was initially reported that evening, but the attacks continued into June 8th. A second, broader wave of DDoS attacks against multiple Federal Administration websites was launched by the NoName group on June 12th, prompting an official government warning and further technical countermeasures. The response to both the data leak and the DDoS attacks remained active and ongoing as of the latest reports.
