
Cyber Incident Victim: Swiss Federal Government

Date: May 2023

Location: Switzerland

Summary

The Swiss Federal Administration was impacted by a ransomware attack on its technology supplier, Xplain, which led to a data leak containing potentially sensitive operational information. Concurrently, the government faced DDoS attacks from the pro-Russian hacktivist group NoName, causing significant website and online service outages. These incidents illustrate a multifaceted threat landscape involving both data exfiltration from a third-party breach and disruptive attacks directly targeting its public-facing infrastructure.

CIA Posture: available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 3 techniques
Threat Actors: 2 actors
Type: available to members
Location: available to members

Description

On or around May 23, 2023, the Swiss technology provider Xplain was breached by the Play ransomware gang. Xplain supplied various Swiss government departments, administrative units, and the country's military force with software solutions. The threat actors claimed to have stolen a variety of documents from the IT company. The stolen data was described as containing private and confidential information, as well as financial and taxation details. Following the breach, the Play ransomware group attempted to extort Xplain. When this attempt failed, the group published the entire exfiltrated data dump on June 1, 2023, presumably because Xplain did not pay the demanded ransom.


The Swiss Federal Government disclosed on June 6, 2023, that it might be affected by this incident. The government stated that the ransomware attack on its IT supplier might have impacted its data. Investigations into the contents and validity of the leaked data were still underway at the time of the disclosure. Initial findings were updated following more in-depth clarifications, leading the government to assume that operational data could also be affected. The government's press release indicated that work was underway to determine which units and which data within the Federal Administration were affected by the breach at Xplain.

On June 12, 2023, the Swiss Federal Administration began experiencing access problems affecting various government websites and online services. The cause of this outage was identified as a distributed denial of service (DDoS) attack. The Swiss government quickly issued a press release warning of these ongoing DDoS attacks. The attack was attributed to the pro-Russian hacktivist group known as NoName. This group has been known to target NATO-aligned countries and entities in Europe, Ukraine, and North America since early 2022. The Federal Administration's specialists detected the attack promptly upon its initiation.

In response to the DDoS attack, the Federal Administration's technical teams took measures to restore accessibility to the impacted websites and applications as quickly as possible. The government's statement confirmed that several websites were inaccessible due to the attack but did not provide a specific list of affected domains or services. This incident was not the first time the group had targeted Swiss interests; according to the government press release, NoName had also attacked the Swiss parliament website the previous week. That prior attack coincided with parliamentary discussions concerning whether Switzerland had abandoned its neutrality to send aid to Ukraine.

The incident involving Xplain and the subsequent DDoS attacks represent a complex threat landscape affecting the Swiss government through both its supply chain and its publicly exposed online services. The ransomware attack on a third-party supplier led to a significant data leak with potential consequences for the confidentiality of government operational data. The separate DDoS attacks targeted the availability of government digital services, causing temporary outages. The Swiss government's response involved ongoing investigations to determine the full scope of the data breach from the Xplain incident and technical measures to mitigate the DDoS attacks and restore service availability.
