Cyber Incident Victim: Fedpol Admin

Date: Jun 2023

Location: Switzerland

Summary

A cyberattack targeted a software provider used by Swiss federal police and customs agencies, leading to the theft and subsequent publication of stolen data on the darknet. The incident exploited a vulnerability on the provider's servers. While the agencies confirmed the breach, they downplayed its severity, stating the data pertained to anonymized test simulations and client correspondence rather than their own core operational systems. The Swiss army, also a client of the same provider, reported it was unaffected.

Description

On or around June 4, 2023, a ransomware attack was launched against the servers of Xplain, a software provider based in German-speaking Switzerland. The company provided services to various Swiss government agencies, including the Federal Office of Police (Fedpol) and the Federal Office for Customs and Border Security (BAZG). The attackers exploited a vulnerability on Xplain's servers to exfiltrate data and subsequently published the stolen data from these agencies on the darknet. The publication of the data was confirmed by Fedpol and BAZG on Saturday, May 23, 2023, following an initial report by the western Swiss newspaper "Le Temps." The incident was not isolated to federal agencies: reports also indicated that cantonal police forces were affected by the data breach.

Xplain informed Fedpol about the ransomware attack. According to a Fedpol spokesperson, the authority was notified of the incident several days prior to the public confirmation on May 23rd. In its initial statements, Fedpol sought to downplay the impact of the breach on its own operations. The spokesperson clarified that Xplain did not have access to Fedpol's live, productive data. Instead, the company only held anonymized simulation data intended for testing purposes. Fedpol stated it did not know the full extent to which the stolen data, derived from correspondence with its clients, had been published online. The nature of the data was characterized as being from communications and interactions with Xplain, rather than direct access to sensitive operational databases.

Similarly, the Federal Office for Customs and Border Security confirmed it was a victim of the same cyber incident through its supplier, Xplain. A spokesperson for BAZG also limited the perceived scope of the attack, stating emphatically that the agency's own data was not compromised. The affected data was described as being exclusively from correspondence with customers, mirroring the description provided by Fedpol. This suggests the breach involved data related to client communications and service management rather than a direct penetration of the federal agencies' core, secured internal networks.

The Swiss Army, another client of the software provider Xplain, was investigated but found not to be impacted by this specific incident. A spokesperson for the Department of Defence (VBS) stated that based on their initial assessments, they could assume the event at Fedpol and BAZG had not led to a data leak within the army's own systems. This indicates that the breach's containment was specific to the data stored on Xplain's infrastructure for particular clients and did not represent a universal compromise of all entities associated with the vendor.

This event fits into a broader pattern of escalating cyberattacks targeting Swiss entities in recent years. Prior to this incident, a series of other organizations had fallen victim to similar attacks where stolen data was subsequently published on the darknet. These included the Education Department in Basel-Stadt, the municipal administration of Rolle in the canton of Vaud, the University of Neuchâtel, and the large dairy company Cremo in the canton of Fribourg. Major media houses CH Media and NZZ were also recently affected by comparable data theft and publication campaigns, highlighting a persistent threat environment for both public and private sector organizations in Switzerland.

The response from the involved federal agencies was characterized by immediate public confirmation coupled with efforts to minimize concern regarding the operational and national security implications. The primary action taken was to acknowledge the attack publicly once it had been reported in the media and confirmed by the vendor. The technical response and any containment measures undertaken by Xplain or the federal authorities were not detailed in the initial reports. The focus remained on assuring the public that core government systems and sensitive operational data remained secure and were not accessed by the threat actors. The incident underscored the risks associated with third-party software providers and vendors who host or process data on behalf of government bodies, turning their infrastructure into lucrative targets for cybercriminals. The downstream impact on cantonal police forces, while confirmed, was not elaborated upon with specific details regarding which cantons were affected or what type of police data was involved in the breach. The full scope and volume of the published data remained undetermined at the time of the initial confirmations.
