
Swiss government data on the dark web after Play ransomware’s cyberattack on Xplain?

The breach at the IT service provider (ITSP) may have exposed data belonging to Swiss federal government agencies.

By Claudia Glover

Swiss government data may have been posted on the dark web after a ransomware attack on software provider Xplain. The company has accused the ransomware gang Play of being behind the breach, but says it has no plans to pay the demanded ransom.

The Federal Palace in Bern, seat of the Swiss federal government, whose administration's data may have been leaked online by the Play ransomware gang. (Photo by Michael Derrer Fuchs/Shutterstock)

Headquartered in Bern in Switzerland, Xplain delivers IT services to the Swiss Army and various national and regional government departments.

Switzerland cyberattack: government data leaked after Xplain breach

Police in Switzerland launched an investigation into the cyberattack on the ITSP earlier this week. Xplain said it believed the initial attack took place on Saturday and was carried out by Play. Having initially found that no government data was affected by the breach, the federal authorities have now confirmed that such information may be available on the dark web.

“Xplain, a Swiss provider of government software, has been the victim of a ransomware attack,” said a government statement released on Thursday. “After the stolen data had been encrypted and the company blackmailed, the attackers posted some of the stolen data on the darknet.

“Contrary to the initial findings and following recent in-depth clarifications, it appears that operational data of the federal administration could also be affected. In-depth analyses are still ongoing.”

Xplain is publicly refusing to have any contact with the ransomware gang and says it will not pay the ransom. It has notified Switzerland’s National Cybersecurity Centre.

Tech Monitor has approached the company for comment but had received no response at the time of publication.


What we know about the Play ransomware gang

Play was first spotted carrying out its criminal activities last year. It is known for "big game hunting", targeting large, high-value organisations, and for harvesting credentials and sensitive data from one victim that can then be used to gain access to the systems of other companies.

The group uses tactics similar to those of the notorious ransomware gang Hive, leading researchers to believe that Play could be operated by the same criminals.

Just this month the ransomware gang compromised the Spanish bank Globalcaja, from which Play claimed to have stolen personal and confidential information. No ransom appears to have been paid so far.

It also hit the US cities of Lowell and Dallas, leaking 5GB of data stolen from Lowell onto the dark web and taking several local government systems offline.

Ransomware attacks in Switzerland

It is not Play’s first cyberattack in Switzerland. Earlier this year it hit newspaper group Neue Zürcher Zeitung (NZZ), demanding a ransom to prevent data from leaking onto the dark web.

In May, subscribers of the Blick and SonntagsBlick newspapers, published by NZZ, were notified that their data may have been compromised in the attack. 

The newspaper group CH Media, which buys IT services from NZZ, also confirmed that its company data was stolen during the incident.

Three regional titles, the Aargauer Zeitung, Luzerner Zeitung and St. Galler Tagblatt, had to temporarily drop several sections of their newspapers following the incident.

Play went on to publish around 500GB of data stolen from the NZZ group, including employee information.
