
Daily Shaarli

All of one day's links on a single page.

March 27, 2026

Sweden’s E-Government Source Code Leaked After ByteToBreach Breaches CGI Sverige

ebuildersecurity.com
March 13, 2026
By: Dalia Nasser

A threat actor calling itself ByteToBreach claims to have leaked the complete source code of Sweden’s e-government platform, after allegedly compromising CGI Sverige AB’s infrastructure. The leak includes the full source code for critical government services, API documentation, signing systems and embedded credentials that could enable further attacks across Sweden’s digital government ecosystem.

ByteToBreach published the leaked materials on 12 March across multiple open web forums and file-sharing platforms, according to Threat Landscape and Dark Web Informer. CGI Sverige AB is the Swedish subsidiary of CGI Group, a global IT services firm that manages critical digital infrastructure for the Swedish government. The actor has made the source code available for free while selling citizen databases and electronic signing documents separately.

The Leak Exposes Sweden’s Digital Government Architecture
About 96% of Sweden’s 10.7 million population used e-government services in 2025, according to Eurostat.

According to an analysis by International Cyber Digest, the leaked repositories appear to originate from an internal CGI GitLab instance. The exposed code includes core government platforms that millions of Swedes interact with daily: Mina Engagemang citizen services, the Signe electronic signature portal and the Företrädarregister authorization system that governs legal representation for organizations.

The leak also contains database passwords, SMTP credentials, keystore files and embedded Git credentials: exactly the type of authentication material that enables lateral movement through connected systems. Swedish IT security expert Anders Nilsson told SVT that “source code for several programs appears to exist, and from what I can see, the hack looks genuine.”

That assessment matters because source code exposure creates what security researchers call a “detailed roadmap for future attacks.” Every API endpoint, authentication mechanism and integration point is now visible to anyone with access to the leaked material.

ByteToBreach Compromised Jenkins and Escaped to Docker
ByteToBreach documented its attack methodology in the leak release, detailing how it achieved full compromise of CGI Sverige’s infrastructure through a Jenkins CI/CD server. The attack chain, as described by the actor, involved exploiting Jenkins misconfigurations; escaping from a Docker container to the host by way of the Jenkins user’s membership in the Docker group; pivoting with SSH private keys; extracting credentials from Java heap dump files; and executing OS commands through SQL COPY ... TO PROGRAM pivots, a PostgreSQL feature that runs a shell command as the database server’s OS user.

This is the same actor behind the Viking Line breach posted one day earlier, suggesting an active campaign against Swedish infrastructure via CGI’s managed services footprint. ByteToBreach explicitly rejected the usual “third-party breach” framing, stating in their release that “this compromise belongs clearly to CGI infrastructure.”

CGI stated in an updated statement on 17 March 2026 that the incident affected a limited number of internal test servers in Sweden that were not in production. The company said there is no indication that production environments, production data or operational services were impacted. Affected customers have been notified.

The actor’s choice to give the source code away while selling citizen data separately suggests its primary motivation may be maximum disruption to Sweden’s digital government rather than purely financial gain. That choice makes the breach more dangerous: source code in the wild lets other threat actors develop their own exploits.

What Swedish Organisations Must Do Now
Any Swedish organisation that integrates with government e-services should audit those API connections immediately and rotate all credentials used in government-adjacent systems. The leaked source code contains enough architectural detail to enable targeted attacks against organisations that rely on these platforms for authentication or data exchange.
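Rotation starts with an inventory of what is embedded where. The following scanner is an added example for this page, not code from the article, from CGI or from the actor: it walks a checkout and reports, by category, the kinds of material the article says were in the leak (database and SMTP passwords, Git remotes with credentials in the URL, private keys and keystore files). The rules, file names and the sample tree it builds in `demo()` are constructed for illustration; production scanners such as gitleaks or trufflehog ship far larger rule sets.

```python
"""Report embedded credentials in a source checkout.

Added example; not code from the article, CGI or ByteToBreach. The rules are a
small constructed subset of a real secret scanner's, and demo() fabricates the
tree it scans.
"""
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass

# Checked in order; the first rule that matches a line wins, so the specific
# categories (database, SMTP) come before the generic password rule.
LINE_RULES = [
    ("URL with embedded credentials",
     re.compile(r"(?i)\b[a-z][a-z0-9+.\-]*://[^\s/@:]+:([^\s/@]+)@")),
    ("private key",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("database password",
     re.compile(r"(?i)\b(?:db|database|datasource)[._-]?pass(?:word)?\s*[=:]\s*['\"]?([^\s'\"]{6,})")),
    ("SMTP credential",
     re.compile(r"(?i)\bsmtp[._-]?(?:pass(?:word)?|user(?:name)?)\s*[=:]\s*['\"]?([^\s'\"]{3,})")),
    ("generic secret assignment",
     re.compile(r"(?i)\b(?:password|passwd|secret|token)\s*[=:]\s*['\"]?([^\s'\"]{8,})")),
]
# Files that are key material by name alone, whatever they contain.
KEY_FILE_SUFFIXES = (".jks", ".p12", ".pfx", ".keystore")


@dataclass(frozen=True)
class Finding:
    path: str       # relative to the scanned root
    line: int       # 0 for whole-file findings
    category: str
    evidence: str   # redacted, so the report itself does not leak the secret


def redact(value: str) -> str:
    """Keep only the first and last two characters of a matched secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_file(root: str, path: str) -> list:
    rel = os.path.relpath(path, root)
    findings = []
    if path.lower().endswith(KEY_FILE_SUFFIXES):
        findings.append(Finding(rel, 0, "keystore or key file", os.path.basename(path)))
    with open(path, "rb") as fh:
        data = fh.read()
    if b"\x00" in data[:8192]:
        return findings  # binary file: name-based rule only
    for lineno, line in enumerate(data.decode("utf-8", errors="replace").splitlines(), 1):
        for category, rule in LINE_RULES:
            m = rule.search(line)
            if m:
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(rel, lineno, category, redact(secret)))
                break
    return findings


def scan_tree(root: str) -> list:
    """Scan every file under root, hidden directories such as .git included."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(scan_file(root, os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: (f.path, f.line))


def category_counts(findings) -> dict:
    """Tally findings per category for the summary line."""
    return dict(Counter(f.category for f in findings))


def demo() -> list:
    """Build a constructed checkout holding the kinds of material the article lists, then scan it."""
    samples = {
        "config/application.properties": (b"spring.datasource.url=jdbc:postgresql://db.internal/app\n"
                                          b"spring.datasource.password=Sup3rSecret!\n"),
        "mail/smtp.conf": b"smtp.host=mail.example.invalid\nsmtp.user=noreply@example.invalid\nsmtp.password=hunter2pw\n",
        ".git/config": b'[remote "origin"]\n\turl = https://deploy:s3cr3t-t0k3n@gitlab.example.invalid/group/repo.git\n',
        "keys/signing.jks": b"\xfe\xed\xfe\xed\x00\x00\x00\x02" + bytes(64),   # binary keystore stand-in
        "deploy/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
        "README.md": b"# Service\nNo secrets here.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    results = demo()
    for f in results:
        print(f"{f.path}:{f.line}  {f.category}: {f.evidence}")
    print(category_counts(results))
```

Every hit is a rotation item, not just a cleanup item: a credential that was ever committed must be assumed copied, which is why the report redacts values rather than printing them and why removing the line from the repository is never sufficient on its own.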

Electronic signing outputs should be treated with elevated scrutiny pending a full incident assessment by Swedish authorities. The Signe portal configurations and signing workflow templates are among the exposed materials, potentially compromising the integrity verification process for electronically signed documents.

Jenkins administrators across Sweden should assume their CI/CD pipelines are misconfigured until proven otherwise. The technique ByteToBreach used, escalating from the Jenkins service account through its Docker group membership, exploits a common misconfiguration: membership of the docker group is root-equivalent on the host, because any member can start a container that bind-mounts the host filesystem. Review user permissions and container access controls now.
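Two checks follow from the attack chain and from the advice above: who on a CI host can talk to the Docker daemon, and whether any pipeline step runs containers with the flags that turn daemon access into a host takeover. The audit below is an added example for this page, not code from the article or from CGI. The CI account names, the sample `/etc/group` and `/etc/passwd` content and the command lines are constructed; `ESCAPE_CMD` is the textbook form of a docker-group escape, not the actor's actual command, which the article does not give.

```python
"""Audit a CI host for the Docker-group escalation described above.

Added example, not code from the article, CGI or ByteToBreach. Membership of
the docker group is root-equivalent on the host, since any member can start a
container that bind-mounts the host filesystem. Sample data is constructed.
"""
import os
import shlex
import stat
from dataclasses import dataclass, field
from typing import Optional

# Assumed CI service account names worth flagging; adjust to the estate.
CI_ACCOUNTS = ("jenkins", "gitlab-runner", "buildkite-agent", "tomcat")
DOCKER_SOCKET = "/var/run/docker.sock"
# Host paths whose bind mount into a container hands over the host.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/home", "/proc", "/sys", "/var/lib", "/usr", "/boot")


@dataclass
class DockerGroupReport:
    docker_gid: Optional[int]
    members: set = field(default_factory=set)   # every account with daemon access via the group
    flagged: set = field(default_factory=set)   # the subset that are CI service accounts
    socket_world_writable: bool = False         # docker.sock mode lets any local account in


def parse_group(group_text: str) -> dict:
    """/etc/group lines 'name:x:gid:m1,m2' -> {name: (gid, [members])}."""
    groups = {}
    for line in group_text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_passwd(passwd_text: str) -> dict:
    """/etc/passwd lines -> {user: primary gid}; primary membership is not listed in /etc/group."""
    users = {}
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[3])
    return users


def audit_docker_group(group_text: str, passwd_text: str, ci_accounts=CI_ACCOUNTS) -> DockerGroupReport:
    groups = parse_group(group_text)
    if "docker" not in groups:
        return DockerGroupReport(docker_gid=None)
    gid, members = groups["docker"]
    everyone = set(members) | {u for u, g in parse_passwd(passwd_text).items() if g == gid}
    return DockerGroupReport(gid, everyone, everyone & set(ci_accounts))


def _option_value(argv, i):
    """Value of an option written '--opt value' or '--opt=value'; returns (value, last index consumed)."""
    if "=" in argv[i]:
        return argv[i].split("=", 1)[1], i
    return (argv[i + 1], i + 1) if i + 1 < len(argv) else (None, i)


def _check_bind_source(src: str, reasons: list) -> None:
    if src == DOCKER_SOCKET:
        reasons.append("docker socket mounted: the container can start privileged containers on the host")
    elif src == "/" or src.startswith(SENSITIVE_HOST_PATHS):
        reasons.append(f"bind mount of {src}: host filesystem reachable from the container")


def risky_docker_flags(cmdline: str) -> list:
    """Reasons a 'docker run' line gives the container a path to the host; [] if none found."""
    argv = shlex.split(cmdline)
    reasons, i = [], 0
    while i < len(argv):
        name = argv[i].split("=", 1)[0]
        if name == "--privileged":
            reasons.append("--privileged: all capabilities kept and host devices visible")
        elif name == "--pid":
            value, i = _option_value(argv, i)
            if value == "host":
                reasons.append("--pid=host: host processes and /proc/<pid>/root reachable")
        elif name in ("-v", "--volume"):
            value, i = _option_value(argv, i)
            _check_bind_source((value or "").split(":", 1)[0], reasons)
        elif name == "--mount":
            value, i = _option_value(argv, i)
            opts = dict(kv.split("=", 1) for kv in (value or "").split(",") if "=" in kv)
            _check_bind_source(opts.get("source", opts.get("src", "")), reasons)
        i += 1
    return reasons


def live_check() -> DockerGroupReport:
    """Run the audit against this host; Docker's default socket mode is 0660 root:docker."""
    with open("/etc/group") as g, open("/etc/passwd") as p:
        report = audit_docker_group(g.read(), p.read())
    if os.path.exists(DOCKER_SOCKET):
        report.socket_world_writable = bool(stat.S_IMODE(os.stat(DOCKER_SOCKET).st_mode) & stat.S_IWOTH)
    return report


# Constructed sample files: jenkins is a listed member, gitlab-runner has docker as primary group.
SAMPLE_GROUP = "root:x:0:\ndocker:x:999:jenkins,alice\njenkins:x:998:\n"
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "jenkins:x:998:998:Jenkins:/var/lib/jenkins:/bin/bash\n"
                 "alice:x:1000:1000::/home/alice:/bin/bash\n"
                 "gitlab-runner:x:997:999::/home/gitlab-runner:/bin/bash\n")
ESCAPE_CMD = "docker run --rm -v /:/host alpine chroot /host sh"   # textbook escape, not the actor's command
SAFE_CMD = "docker run --rm -v ./src:/src:ro maven:3 mvn test"

if __name__ == "__main__":
    report = audit_docker_group(SAMPLE_GROUP, SAMPLE_PASSWD)
    print(f"docker gid {report.docker_gid}; members {sorted(report.members)}; CI accounts at risk {sorted(report.flagged)}")
    for cmd in (ESCAPE_CMD, SAFE_CMD):
        print(cmd, "->", risky_docker_flags(cmd) or "no host-escape flags")
```

The fix is not to strip flags one by one but to take the CI account out of the docker group altogether and build images through a daemon-less or remote builder, or a rootless Docker instance; `live_check()` is the quick way to confirm on each build agent that this has actually happened.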

Switzerland in the crosshairs of Russia's hybrid war

rts.ch | RTS

Suspicious drones are flying over critical infrastructure in Aargau, Russian and Chinese spies are being intercepted on Swiss soil, and cyberattacks are multiplying, as an investigation by Temps Présent shows. The Confederation faces an "unprecedented density of threats", according to its intelligence service.

Aargau cantonal police have intercepted foreign agents on Swiss soil. "Over the last two years there have been a dozen incidents that we have attributed to foreign services," reveals commander Michael Leupold.

Of these twelve cases, eight are considered intelligence activities. "We assume these are mainly Russian services, or Chinese services," he specifies.

These agents are interested in the canton's critical infrastructure. Aargau is home to three of Switzerland's four nuclear reactors, the country's largest fuel depot and the Laufenburg "star", a hub of the European electricity grid.

The Federal Intelligence Service (SRC) also told RTS that "Russia could [...] sabotage critical infrastructure in Switzerland that is also very important at the European level, in order to harm the member states of the European Union and NATO."

Worrying drone overflights
In October 2025, several drones were observed above strategic sites in Aargau. Member of parliament Daniele Mezzi (Centre) filed a parliamentary interpellation. "I would like to know whether this critical infrastructure is well protected, or whether we have security gaps," he asks.

Drone reports to the Federal Office of Civil Aviation almost doubled in 2025 compared with 2024, with 104 overflights counted in Swiss airspace.

Stefan Hunziker, a drone specialist and consultant to the army, explains the difficulty of defending against them. "There is no single system that can detect all types of drones. Truly hostile drones, from the military market, are very difficult to detect," he says.

More than 260 cyberattacks in nine months
Over the past nine months, more than 260 attacks against critical infrastructure have been reported to the Federal Office for Cybersecurity. The attackers target public administrations, media, transport and hospitals.

The group NoName 057(16), which claims to be pro-Russian, is particularly active. In 2024 it temporarily knocked out the servers of municipalities such as Vevey and Sierre. In early 2025, Zurich airport and Davos were targeted during the World Economic Forum.

"Their goal is to show citizens that the state is unable to defend itself," explains Christophe Gerber, managing director of Elca Security.

"An unprecedented density of threats"
The Federal Intelligence Service confirms the seriousness of the situation. "Switzerland is experiencing an unprecedented density of threats," it says.

"We are directly confronted with the consequences of a hybrid war. Operations on Swiss territory are numerous," the SRC adds.

Resources judged insufficient
Denis Froidevaux, former head of the Vaud civil security service, believes Switzerland is not sufficiently prepared. "If tomorrow a state sets out to paralyse Switzerland's infrastructure, it is a safe bet that it would succeed, at least partially," he says.

National Councillor Isabelle Chappuis (Centre/VD) criticises the Federal Council's attitude. "The Federal Council hesitates to inform its population for fear of frightening it. We make the population vulnerable by not informing it," she says. Unlike Sweden, Finland or the Netherlands, which have launched campaigns to prepare their populations, Switzerland is still discussing whether to develop such a campaign.

Call between POLITICO journalist and EU official was intercepted and published online

politico.eu – POLITICO
March 25, 2026 1:48 am CET
By Zoya Sheftalovich

“Our internal reviews have found no evidence that any devices, networks or systems have been compromised,” POLITICO says in email to staff.

BRUSSELS ― POLITICO launched a security review after a private telephone conversation between one of its reporters and an EU official about issues connected to Hungary and Ukraine was apparently intercepted and the recording published online.

The nine-minute audio clip, from a call that took place on March 3, was uploaded to YouTube on March 16. It has been listened to 5,100 times, according to YouTube data.

“Our internal reviews have found no evidence that any devices, networks or systems have been compromised,” Kate Day, POLITICO’s senior executive editor in Europe, and Carrie Budoff Brown, POLITICO’s executive editor and executive vice president, said in an email to employees on Wednesday.

“We will not be intimidated by an apparent attempt to interfere with independent reporting — nor deterred from the important work we do,” they wrote. “We have always been and will remain vigilant in protecting our sources, supporting the work of our journalists, and maintaining the accuracy of our independent, nonpartisan reporting.”

The issue comes at a time when leaks of confidential EU information are in the spotlight ahead of the Hungarian general election on April 12. In a report on Saturday, the Washington Post said that Viktor Orbán’s government maintained close contacts with Moscow throughout the war in Ukraine, and Hungarian Foreign Minister Péter Szijjártó used breaks during meetings with other member countries to update his Russian counterpart.

A spokesperson for the EU institution where the official works declined to comment on “tapes produced by unknown and anonymous actors.” POLITICO is not identifying the EU official because the call wasn’t on the record.

POLITICO has not been able to determine how the recording may have been obtained and who was responsible for posting it to YouTube.

‘Chilling message’
Several Slovak and Hungarian news websites wrote articles about the recording and published partial transcripts.

“Hacking and the disclosure of journalists’ materials strike at the heart of press freedom and the protections we must be able to rely on as reporters,” said President of the International Press Association in Brussels Dafydd ab Iago. “This is illegal under Belgian law, and it sends a chilling message not only to journalists in Brussels but also to our sources here … The harder question is how to pursue those state actors, whether operating from within the EU or from a third country like Russia.”

On Monday, the Orbán-aligned Hungarian newspaper Mandiner — one of the first outlets that wrote about the conversation — published a separate exchange between independent Hungarian journalist Szabolcs Panyi and a contact. The material was received via a “mysterious email” from an individual identifying himself as “the fourth branch of power,” according to the article’s author.

“We have important stories to tell and work to do and remain focused on maintaining the rigor, independence and purpose that our audience expects from us,” Day and Budoff Brown said in their email.

Malware on public sector devices was active for almost a month

luxtimes.lu | Luxembourg Times
Alex Stevensson
25/03/2026

Lessons learnt and CTIE phones and tablets now secure again, says digitalisation minister

Thousands of devices owned by the Luxembourg public sector found to be infected with malware at the end of February have since been updated and secured, digitalisation minister Stéphanie Obertin has said.

The security breach was confirmed on 27 February but details were scant at the time, with LSAP deputy Ben Polidori submitting a written parliamentary question on the same day, to which Obertin provided a reply on Tuesday.

The malware was first discovered on 26 February, the day before it was publicly confirmed, the minister said. It was detected on the system that manages mobile devices (smartphones and tablets), which was found to have been infected a few hours before the provider updated that system at the end of January.

Analysis showed that the “memory resident” malware gained access to the list of phones and tablets managed by the State Centre for Information Technology (CTIE), containing both data relating to the devices and their users. Data such as messages, calendars and photos stored on devices was not affected by the incident, Obertin said.

Furthermore, devices managed by the educational IT service, CGIE, such as school pupils’ tablets, are not believed to have been affected at all.

All 4,850 devices managed by the CTIE were affected, however, as the agency isolated and reinstalled the affected system.

According to Obertin, the security measures in place allowed the CTIE to quickly isolate the affected system as soon as the infection was discovered. She declined to offer precise details, citing security reasons, and noted that such incidents can never be entirely ruled out. As with all incidents, new insights have been gained, she added.

The National Commission for Data Protection, the CNPD, was notified of the malware on 27 February and has completed its investigation but not yet reported back with its findings.

“State services remained permanently accessible and fully operational - both via the PC with which all civil servants are equipped as standard, and via mobile phone through the ‘web interface’,” Obertin assured, saying essential services never went offline.