Play Ransomware Attack on Xplain Impacts Swiss National Railway and Canton of Aargau

In a significant cybersecurity incident, the IT services provider Xplain experienced a Play ransomware attack that had a broader impact than initially estimated. The attack affected the national railway company of Switzerland (FSS) and the canton of Aargau, prompting a Swiss police investigation into Xplain.

Xplain, a Bernese IT company, serves various federal and cantonal government departments, the army, customs, and the Federal Office of Police (Fedpol). The attack on Xplain indirectly affected these major security entities as they all share the same IT service provider.

Threat actors initially published alleged stolen data from Fedpol and the Federal Office for Customs and Border Security (FOCBS) on a Darknet forum. Local media reports suggest that the attackers exploited a vulnerability on Xplain's servers, leading to the Xplain data breach.

Fedpol confirmed the attack but stated that threat actors only accessed simulated, anonymous data used for testing purposes, and the agency's projects were not exposed. FOCBS acknowledged that data exposed in the breach were from correspondence with its clients.

The FSS data leak was first reported by NZZ am Sonntag magazine and later confirmed by the Swiss railway company. The authorities of the canton of Aargau confirmed the data breach and mentioned that a small volume of operational data, taken from error logs held at Xplain for analysis, might also have been affected.

The investigation is ongoing to determine the full extent of the Play ransomware attack. In a separate incident, the website of the Swiss parliament faced a cyber attack, but it is not linked to the Play ransomware attack on Xplain. The Swiss parliament reported that the attack had been neutralized, with no impact on internal systems or data.

The Xplain data breach, resulting from a Play ransomware attack, had a significant impact on the national Swiss railway company (FSS) and the canton of Aargau. The breach affected multiple government departments and security entities that share the same IT service provider. Investigations are underway to assess the scope of the attack and the compromised data.
