You might assume government data is impenetrable, but a recent incident in Switzerland demonstrates how even state systems can be compromised through "back doors" such as external organizations.
On June 16, 2025, Radix, a Zurich-based non-profit health foundation, fell victim to a ransomware attack by the hacker group Sarcoma. This wasn't just damaging to Radix itself; it led to the theft and publication of sensitive data from several Swiss federal offices on the Dark Web, amounting to a staggering 1.3TB!
Sarcoma Group: Tactics and Attack Methodology

The Sarcoma group isn't new; they've been actively operating since October 2024, employing sophisticated tactics such as:
- Phishing: A classic, yet still effective, method for gaining initial access.
- Exploiting Old Vulnerabilities: Targeting systems that haven't been updated with critical security patches—a common oversight for many organizations.
- Supply-Chain Attacks: Specifically targeting third-party vendors or service providers as a gateway to reach their primary organizational targets.
Once they gain access to a network, they use Remote Desktop Protocol (RDP) to move laterally, steal data, and often encrypt it for ransom. If their demands aren't met, they don't hesitate to publish the stolen data publicly, as seen with the Radix incident.
The Leaked Data and Its Aftermath
After Radix refused to pay the ransom, the Sarcoma group published the stolen data on their Dark Web portal on June 29, 2025. The 1.3TB of leaked information includes official documents, scanned papers, financial records, contracts, and internal communications. All of this was made freely available for download, potentially leading to future phishing attempts or identity theft.
Radix and Swiss Authorities' Response
Although Radix had no direct access to federal government systems, its primary clients included several Swiss federal administrative bodies, meaning some government-related data was compromised. The Swiss National Cyber Security Centre (NCSC) is conducting a thorough investigation to identify which specific agencies and data types have been affected.
Following the attack, Radix took immediate action: notifying potentially affected individuals, shutting down system access, restoring from backups, and closely coordinating with the NCSC. They also warned the public about potential phishing attacks or attempts to steal personal information using the leaked data.
Notably, this isn't the first such incident for the Swiss government. In March 2024, a software provider called Xplain was hit by the Play ransomware group, resulting in the leak of over 65,000 government records.
The Vulnerability Lies in "Who You Trust"
These events serve as a critical warning: even if your organization's internal systems are meticulously secured, an insufficiently protected third-party vendor or trusted connection can become a major gateway for data breaches. Ransomware doesn't just encrypt files; it "erodes trust," and trust is invaluable.
What organizations should consider doing immediately:
- Assess Supply Chain Risk: Thoroughly audit and evaluate the security standards of all third-party service providers.
- Develop Incident Response Plans: Create and regularly practice comprehensive plans for responding to data breaches.
- Manage Access Permissions: Implement strict access controls, granting permissions only when necessary, and monitor systems for unusual behavior.
- Enhance Employee Awareness: Provide consistent training to staff on recognizing social engineering tactics, fake emails, and attempts to solicit personal information.
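The RDP lateral movement described earlier is one kind of "unusual behavior" that monitoring can catch. The Python below is an added example, not part of the original article or any tool it mentions: it flags an account and source address that open RDP sessions (Windows Security Event ID 4624, logon type 10) to several distinct hosts within a short window. The CSV layout, hostnames, accounts, addresses and thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: CSV export of Windows Security events from several hosts.
# Event ID 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
# "Computer" is the host that was logged on to, "IpAddress" is the source.
SAMPLE_LOG = """TimeCreated,EventID,Computer,LogonType,TargetUserName,IpAddress
2025-06-16T01:02:11,4624,FS01,10,svc_backup,10.0.5.23
2025-06-16T01:06:40,4624,DC01,10,svc_backup,10.0.5.23
2025-06-16T01:09:02,4624,HR-DB,10,svc_backup,10.0.5.23
2025-06-16T01:15:57,4624,FIN-APP,10,svc_backup,10.0.5.23
2025-06-16T08:30:00,4624,FS01,10,a.meier,10.0.9.14
2025-06-16T08:31:10,4624,FS01,3,a.meier,10.0.9.14
2025-06-16T13:05:00,4624,HR-DB,10,a.meier,10.0.9.14
2025-06-16T09:00:00,4625,DC01,10,admin,10.0.7.77
"""


def rdp_fanout(log_text, window=timedelta(minutes=30), min_hosts=3):
    """Return {(source_ip, user): [hosts]} for every source/account pair that
    completed RDP logons to at least min_hosts distinct hosts within window."""
    sessions = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        # Keep only successful RDP logons; skip failures and other logon types.
        if row["EventID"] != "4624" or row["LogonType"] != "10":
            continue
        when = datetime.fromisoformat(row["TimeCreated"])
        key = (row["IpAddress"], row["TargetUserName"])
        sessions[key].append((when, row["Computer"]))

    alerts = {}
    for key, events in sessions.items():
        events.sort()
        best = set()
        # Slide a window forward from each logon and keep the widest host set.
        for i, (start, _) in enumerate(events):
            hosts = {host for t, host in events[i:] if t - start <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts[key] = sorted(best)
    return alerts


if __name__ == "__main__":
    for (ip, user), hosts in rdp_fanout(SAMPLE_LOG).items():
        print(f"RDP fan-out: {user} from {ip} -> {', '.join(hosts)}")
```

The window and host threshold need tuning against normal administrator activity in the environment, since jump hosts and management servers legitimately connect to many machines.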
In our increasingly interconnected world, cyber threats don't target organizations based on size or reputation; they target weaknesses. The vulnerability of one organization can trigger a cascading failure for many others. It's time for all entities—private companies, government agencies, and the general public—to collaborate in building robust defenses for data and privacy before these "silent threats" become a commonplace reality.