Xplain data breach also impacted the national Swiss railway FSS

The Play ransomware attack suffered by the IT services provider Xplain also impacted the national railway company of Switzerland (FSS) and the canton of Aargau.

The Play ransomware attack suffered by the IT services provider Xplain is worse than initially estimated: the incident also impacted the national railway company of Switzerland (FSS) and the canton of Aargau.

In early June, Swiss police launched an investigation into the cyber attack that hit the Bernese IT company Xplain, which provides its services to several federal and cantonal government departments, the army, customs, and the Federal Office of Police (Fedpol).

The news of the attack was first reported by the Swiss newspaper Le Temps.


“For the first time, several cantonal police forces, the Swiss army or the Federal Office of Police (Fedpol) are indirectly affected by a cyberattack.” reads Le Temps. “These major players in security have one thing in common: they have the same IT service provider, the Bernese company Xplain, which has just been hacked.”

Threat actors initially published alleged stolen data from the Federal Office of Police (Fedpol) and the Federal Office for Customs and Border Security (FOCBS) on a Darknet forum.

Local media reported that the attackers exploited a vulnerability on the servers of the company.

Both Fedpol and the federal customs office confirmed the attack but attempted to downplay the incident. According to Fedpol, threat actors only had access to simulated, anonymous data for test purposes.

Xplain notified Fedpol about the attack a few days ago, revealed a Fedpol spokesman who added that the projects of the agency were not exposed.

The Federal Office for Customs and Border Security (FOCBS) said that the FOCBS data that were exposed come from correspondence with its clients.

The news of the FSS data leak was initially reported by the magazine NZZ am Sonntag and later confirmed by the Swiss railway company.

The authorities of the canton of Aargau also confirmed the data breach.


“The Aargau authorities said for their part that they assume that “in addition to company correspondence, a small volume of operational data from error logs which was at Xplain for analysis was also affected”.” reported the website RSI.

The authorities are still investigating the security breach to determine the extent of the attack.

This week, the website of the Swiss parliament was the target of a cyber attack, as reported by the president of the House of Representatives, Martin Candinas.


“The problems appeared on Wednesday afternoon. At the end of the day, parliament’s services said the attack had been neutralised and that no internal systems or data had been affected. On Thursday morning, however, there were still problems accessing the website.” reported the website SwissInfo.

The attack is not linked to the XPlay ransomware attack.




Pierluigi Paganini


(SecurityAffairs – hacking, xPlay)



