Switzerland under cyberattack

Swiss government websites are under DDoS attacks, but several ransomware gangs have also turned their sights on Swiss government organizations, cantonal governments, cities and companies in the last few months.

Government sites under DDoS attacks

“Several Federal Administration websites are/were inaccessible on Monday 12 June 2023, due to a DDoS attack on its systems,” the Swiss National Cyber Security Centre (NCSC) said on Monday. “The Swiss government’s portal www.admin.ch remains accessible.”

But the attackers did not stop there.

First last week, and then again this week, the Swiss Parliament’s website (parlament.ch) was hit with a DDoS attack. Despite initial reports suggesting that the issue had been resolved and that no internal systems or data were compromised, the website can’t be reached at this time.

According to the NCSC, the group behind these DDoS attacks is Noname057(16), a pro-Russian hacker group.

The group has also claimed the recent DDoS attack on the site and app of the Swiss Federal Railways (which, according to Swiss news outlet Tages-Anzeiger, resulted in a temporary disruption of certain online services) and the ongoing attack on the site of the Grenchen and Geneva airports (airport-grenchen.ch and gva.ch are currently inaccessible).

According to Reuters, NoName attacked the parliament’s website last week because Switzerland adopted a new EU sanctions package against Russia. This week’s attack coincides with preparations for an upcoming video address by Ukrainian President Volodymyr Zelenskiy.

Swiss publication Watson reported on Wednesday that NoName also downed the Geneva tourism website (the intended-but-missed target was apparently Canton of Geneva’s website), and possibly that of the Basel-Stadt canton’s administration.

Ransomware groups on the loose

Though ransomware groups (seemingly indiscriminately) hit organizations of all types around the world, lately they have been successfully targeting a slew of Swiss companies and government organizations.

Last month, BlackBasta compromised Swiss company TAG Aviation and encrypted parts of the IT infrastructure. Watson has reported that threat actors have published screenshots of passports and other sensitive data on the dark web.

Though the company is still trying to determine what data was stolen, someone – possibly BlackBasta, but who knows? – is trying to sell over 1.5 TB of company and customer data purportedly stolen from TAG Aviation on the Unsafe leak site/dark web marketplace.

Darkrace, a relative newcomer in the ransomware game, hit Vaud Promotion, a non-profit organization in Pully, Switzerland, that’s in charge of the promotion of the Vaud canton. The association revealed that some data has been stolen, and told Swiss news outlet Inside IT that the attackers claim to have stolen 161 gigabytes of files and have published screenshots of financial documents, employee ID cards and data on the dark web.

But the Play ransomware gang has been the most prolific at breaching Swiss targets. They hit IT company Xplain – which provides software to federal, cantonal and police departments – and computer support and services company Unico Data, consequently also affecting their customers.

In late May, Xplain told Watson that they have been hit by the Play ransomware gang. Despite the company’s claims that they do not store data from customer systems, a more recent update by the Swiss NCSC says that “it appears that operational data of the Federal Administration could also be affected by the ransomware attack on the IT company Xplain, which resulted in some of the stolen data being published on the darknet.”

“Xplain’s clients also include various administrative units of the Federal Administration. Clarifications are currently under way to determine the specific units and data concerned. Contrary to the initial findings and following recent in-depth clarifications, it has to be assumed that operational data could also be affected. Based on the information currently available, the Federal Administration does not believe that the Xplain systems have direct access to the Confederation’s systems,” the NCSC added.

According to Swiss news outlet Le Temps, some of the Xplain data leaked by Play includes contracts, technical specifications, identifiers to access certain services, etc., from IT projects the company carried out with the Federal Office of Police (Fedpol) and several cantonal police forces.

“Documents concerning customs, [aerospace engineering company] Ruag group, [Swiss Air Rescue] Rega, as well than the army, are present among the files posted online,” the publication found.

Fedpol told Le Temps that its projects are not affected, and that the company does not have access to Fedpol live data (just anonymized simulation data for testing purposes). The Federal Office of Customs and Border Security says that correspondence between it and Xplain has been affected.

The Unico Data intrusion was first noticed by the company on May 27, and they quickly took IT systems offline. According to Netzwoche, some 100 customers were affected by the outage, among them the municipality of Rüegsau, cinema chain Pathé, the industrial group Insys, the tool manufacturer PB Swiss Tools, the electrical engineering company Boess, and the Rugenbräu brewery. The attackers also stole customer data and has begun leaking some of it on the dark web.

The Play gang previously stole data from Swiss media companies CH Media and NZZ and leaked it in early May.

UPDATE (June 15, 2023, 13:20 a.m. ET):

TAG Aviation has confirmed that they have been the victim of an IT security incident (ransomware attack), but that it was limited to Asia. TAG Aviation Europe’s IT environment was not impacted.

“On May 21st, our Intrusion Detection System (IDS) detected an unauthorized access attempt to our network. TAG took immediate action and engaged a cyber security specialist service who are forensically reviewing the event and any data impacted. To date, we cannot know the nature of the data that was targeted and have found no evidence of any data being misused,” the company stated.

“We have prioritised containment, eradication, and restoration of all support. Additional security measures have also been implemented to secure the network against future attacks. The investigation is currently ongoing and TAG Aviation is working with advisors and law enforcement to minimize the ransomware attack’s impact and of course keeping clients informed and working with them to enhance their protection as the investigation progresses.”