Cyber Incident Victim: Landespolizei
Date: May 2023
Location: Liechtenstein
Summary
The Landespolizei of Liechtenstein was impacted by a ransomware attack on its Swiss IT service provider, Xplain, with whom it had a two-decade partnership. Stolen data primarily consisted of project information, though operational data from error logs may have been affected in isolated cases. The police force notified its government and implemented protective measures for its systems following the breach. The incident was part of a larger attack affecting multiple Swiss federal and cantonal police authorities.
Description
The Landespolizei of Liechtenstein was impacted by a cyber attack targeting the Swiss IT service provider Xplain. The incident, which occurred in May 2023, was identified as a ransomware attack. The attackers exploited a vulnerability on the servers of Xplain that hosted data, leading to a significant data breach. Stolen data was subsequently published on the darknet. The Liechtenstein police force had been collaborating with Xplain for a period of twenty years, utilizing the firm for specialized applications, software development, and support services.

Upon being informed of the incident by Xplain, the Landespolizei immediately notified the government of Liechtenstein. The police force also promptly initiated necessary measures to protect its own systems in response to the breach. An official communication from the Landespolizei, issued on a Tuesday, provided details on the scope of the data exposure. The statement clarified that core case data and personal data were not stored with the Bern-based software company. Instead, the primary information involved was related to projects.
Despite the assertion that sensitive operational data was not centrally stored with the provider, the police acknowledged that some operational information could have been compromised in isolated instances. This potentially affected data was believed to be contained within error logs or similar diagnostic records. The characterization from authorities was that case data was, at worst, affected only in individual cases rather than as part of a comprehensive data set.
The attack on Xplain had a broad impact across Switzerland, affecting multiple Swiss federal and cantonal authorities. Other victims included the Federal Office of Police (Fedpol) and the Federal Office for Customs and Border Security. Several cantonal police forces within Switzerland were also confirmed to have been affected by the same breach. The incident demonstrates the widespread consequences of a supply chain attack on a single provider serving numerous government entities.
The response from the Liechtenstein Landespolizei focused on containment and securing its infrastructure following the notification. The specific technical measures taken to protect their systems were not detailed publicly, but the actions were described as necessary and directly related to the incident. The collaboration with a long-term external provider introduced a vulnerability that was exploited by threat actors, leading to the unauthorized access and exfiltration of data.
The publication of stolen data on the darknet represents a significant escalation beyond the initial ransomware attack, moving into the realm of data extortion and public exposure. The nature of the project information taken from the Landespolizei's dealings with Xplain was not elaborated upon with specific examples. The incident underscores the operational risks associated with outsourcing IT development and support, even for law enforcement agencies with long-standing partnerships.
No specific details regarding the ransomware variant used, the exact date of the initial breach, or the identity of the threat actors were provided in the available information. The focus of the report was on the impact and the response measures undertaken by the Liechtenstein authorities. The event highlights the challenges faced by government agencies in securing their digital ecosystems when reliant on third-party vendors for critical software services.
