The Swiss government has disclosed that numerous federal departments were the victims of a ransomware attack stemming from a third-party partner, resulting in the exfiltration of sensitive personal information. The government states that malicious actors breached Radix systems, stole data, and leaked it on the dark web.

“The foundation Radix has been targeted by a ransomware attack, during which data was stolen and encrypted,” the Swiss government disclosed.

Zurich-based Radix oversees health promotion programs and online counseling services on behalf of the Swiss government.

“Radix’s customers include various federal offices. The data has been published on the dark web and will now be analyzed by the relevant offices,” the national government confirmed.

Anonymous online counseling platforms SafeZone and StopSmoking were likely impacted, suggesting that the Radix cyber attack might be significant.

Meanwhile, the country’s National Cyber Security Centre (NCSC) is analyzing the stolen data to determine which government agencies were compromised and the nature of the stolen information.

Third-party ransomware attack impacts numerous Swiss government agencies

Health education non-profit organization Radix confirmed that affiliates of the Sarcoma ransomware gang breached its information systems around June 16.

The threat actor claims to have stolen over 1.3 terabytes of compressed information, suggesting that the data breach was significant.

On June 29, the ransomware group published the stolen information on its data leak site, suggesting that ransom negotiations had been unsuccessful. Sarcoma had given Radix one week to pay the ransom in exchange for the decryption key and for not leaking the stolen information.

Details leaked include scanned documents, the company’s financial records, contracts, and communications. Interested parties can access the stolen information without payment, suggesting that the threat actor was overly malicious. Nonetheless, the Swiss government claims the ransomware attack did not leak sensitive information.

“There is currently no indication that particularly sensitive data has been affected by the cyberattack,” the Swiss Federal Office of Public Health stated.

“Swiss officials have announced that cyber-attackers have stolen information from several federal offices and leaked it to the dark web,” said Aditya Sood, VP of Security Engineering and AI Strategy at Aryaka. “The data was exposed during a ransomware attack on third-party organization Radix. Radix released a statement claiming recently emerged ransomware gang Sarcoma was the culprit behind the attack.”

Meanwhile, Radix says it has notified the individuals affected by the data breach, and no evidence suggests that the threat actors have misused the stolen information.

Similarly, the ransomware attack did not compromise the Swiss government’s internal systems because it was limited to the third-party contractor’s systems.

Radix also advised data breach victims to remain vigilant for suspicious activity related to the ransomware attack and to report it. The company also advised impacted individuals to avoid sharing sensitive information, such as passwords, credit card details, and account information, via online communication to avoid becoming victims of phishing and social engineering attacks.

However, the attack vector exploited during the Radix ransomware attack has not been disclosed.

Cybercrime gang utilizes double-extortion methods

First detected in October 2024, Sarcoma leverages social engineering and phishing to compromise organizations. It employs double extortion by encrypting internal systems and threatening to leak the stolen information to force victim organizations to pay the ransom.

“Sarcoma utilizes double-extortion methods, encrypting victims’ data and threatening to release it on the dark web if ransom demands are not met,” added Sood. “Sarcoma previously breached Taiwanese PCB giant Unimicron earlier this year.”

Nonetheless, the Swiss government is no stranger to third-party cyber attacks impacting citizens’ data. In March 2024, it suffered a third-party ransomware attack targeting Xplain, a software services provider. That ransomware attack leaked over 65,000 documents containing sensitive personal information.