Data Leak Affects 425,000 Swiss Addresses


Cyber threat actors have apparently stolen what is the most comprehensive data set on Swiss citizens abroad.

The data set first appeared on the darknet in mid-May. It consisted of subscriber information for the Swiss Review, a federal government magazine that keeps Swiss citizens abroad updated on recent developments in their home country.

Reportedly, the data consists of around 425,000 addresses, of which 40% were postal addresses and the remaining 60% were email addresses. Swiss Review is automatically sent, either via email or by mail, to anyone who has registered in Switzerland as a citizen living abroad. Only 330,000 of the 800,000 Swiss Abroad, including Italian-speaking Swiss, do not receive the Swiss Review, according to the foreign ministry.

These addresses are handled by the Swiss foreign ministry in accordance with all data protection laws, as they are provided by Swiss consulates overseas and are not freely provided. Individuals who deregister in Switzerland are required to declare their place of residence abroad to the relevant Swiss representation, and these declarations create the subscriber base of Swiss Review.

While the Swiss government believes this consists of sensitive information that even the publisher of Swiss Review – SwissCommunity – may not have access to, the data set (or parts of it) can now be found on the darknet.

According to the foreign ministry, the Federal Department of Foreign Affairs seems to have “no knowledge of how much data has actually been stolen.”

Reportedly, a criminal complaint has been filed on the issue, and cyber experts are also involved in the investigation. Federal data protection and information commissioner, Adrian Losinger, says "The fact that data that was not collected voluntarily has been made public in this way is very regrettable."

Details of the Attack

It appears that the 425,000 Swiss Abroad addresses were in fact "by-products" of the blackmail attack on two Swiss publishing houses, namely the NZZ publishing group and CH Media.

The threat actors responsible for the attack call themselves “Play.” It is a group of active hackers with connections to Russia that operates on a global scale. On May 3, 2023, "Play" released a sizable amount of data that it had stolen from the Swiss publishing company CH Media on the darknet.

The publication was part of a blackmail poker game, which is a common approach in ransomware attacks. The threat actors first target the company's IT system and then encrypt the victim’s data. They further threaten to publish the sensitive data if the company does not meet their ransom demands.

The targeted companies have reportedly confirmed that they refused to meet the ransom demands. The attack on the digital ecosystem of NZZ and CH Media was launched at the end of March. The editorial office of Swiss Review experienced disturbances to its editorial system as a result of the attack, according to editorial director Marc Lettau. Through its IT infrastructure, Swiss Review is also connected to the area that was attacked.

On May 3, 2023, “Play” began publishing the stolen data, whereupon partner companies discovered that their customer data was also affected. This message also reached the Swiss Review.

By the middle of May, it was apparent that the data contained subscription addresses for Swiss Review, since the Swiss Foreign Ministry transmits this data to the Swiss Review printing company six times a year when the magazine goes to print.

However, the ministry confirmed that apart from the subscription addresses, no other personal information has been leaked.