Swiss government data may have been posted on the dark web after a ransomware attack on software provider Xplain. The company has accused the ransomware gang Play of being behind the breach, but says it has no plans to pay the demanded ransom.
Headquartered in Bern in Switzerland, Xplain delivers IT services to the Swiss Army and various national and regional government departments.
Switzerland cyberattack: government data leaked after Xplain breach
Police in Switzerland launched an investigation into the cyberattack at the IT service provider earlier this week. Xplain said it believed the initial attack took place on Saturday and was carried out by Play. Having initially denied that any government data was released as part of the breach, authorities in Zurich have now confirmed that information may be available on the dark web.
“Xplain, a Swiss provider of government software, has been the victim of a ransomware attack,” said a government statement released on Thursday. “After the stolen data had been encrypted and the company blackmailed, the attackers posted some of the stolen data on the darknet.
“Contrary to the initial findings and following recent in-depth clarifications, it appears that operational data of the federal administration could also be affected. In-depth analyses are still ongoing.”
Xplain is publicly refusing to have any contact with the ransomware gang and says it will not pay the ransom. It has notified Switzerland’s National Cybersecurity Centre.
Tech Monitor has approached the company for comment but has received no response at the time of publication.
What we know about the Play ransomware gang
Play was first spotted carrying out its criminal activities last year. It is known for its big game hunting tactics, in which it stalks a single victim to mine for credentials and sensitive data that could allow it to access the systems of other companies.
The group uses similar tactics to notorious ransomware gang Hive, leading researchers to believe that Play could be operated by the same criminals.
Just this month the ransomware gang compromised Spanish bank GlobalCaja, from which Play claimed to have stolen personal and private information. No ransom appears to have been paid yet.
It also hit US cities Lowell and Dallas, leaking 5GB of data from the former onto the dark web and taking several local government systems offline.
Ransomware attacks in Switzerland
It is not Play’s first cyberattack in Switzerland. Earlier this year it hit newspaper group Neue Zürcher Zeitung (NZZ), demanding a ransom to prevent data from leaking onto the dark web.
In May, subscribers of the Blick and SonntagsBlick newspapers, published by NZZ, were notified that their data may have been compromised in the attack.
The newspaper group CH Media also confirmed that company data was stolen during the cyber incident, as it purchases IT services from NZZ.
Three regional titles, Aargauer Zeitung, Luzerner Zeitung and St. Galler Tagblatt, had to temporarily freeze various sections of their newspapers following the incident.
Play went on to publish around 500GB of stolen data from the NZZ group, including employee information.