Though a ransomware attack on Xplain, a Swiss software developer contracted by the country’s federal government, became known almost as it happened in late May 2023, a new report from the country’s National Cyber Security Centre (NCSC) has shed additional, disconcerting light on the extent of the incident.
Per that report (via BleepingComputer), the NCSC believes that 1.3 million files were released by the threat actor, a ransomware group known as Play, in a package on the dark web.
Of these, 65,000 files are considered ‘relevant’ to the Swiss government, with the vast majority (47,413) belonging directly to Xplain.
Xplain ransomware attack
The NCSC also wrote about the challenges involved in determining file ownership, and the specific nature of each compromised file. It did, however, reveal that the data included employee data and passwords vulnerable to identity theft, technical specifications, and unspecified ‘classified information’, and had determined how many files belonged to each of these categories.
Xplain, which describes itself as a ‘homeland security’ company, updated its own evolving statement on the attack in the wake of the report on February 8. It claims that, following the attack, it filed a criminal complaint, and ‘rebuilt [its] entire IT infrastructure’ in line with the NCSC’s recommendations.
Despite this, Xplain maintains that it’s still unclear how the attack was made possible, noting that ransomware groups often use undisclosed vulnerabilities to gain unauthorized access to computer systems.
Most importantly of all, the company reports that it has not been significantly harmed financially by the event, which it attributed to its ‘diversified, long-term business model’ (which we think is business-speak for ‘fingers in many pies’) and ‘the benefits from indemnity insurance’.
All’s well that seems to end well, then, but as there’s plenty that we don’t know about how the breach was committed, this may not be the last that we hear about the incident.