An investigation by the SonntagsZeitung newspaper has found that the email addresses and passwords of some 15,000 employees of federal or state-related bodies have been hacked and traded on the darknet.
The newspaper worked with Zurich-based company Lucy Security to find that the accounts concerned belonged to employees of various state administration bodies, companies close to the state, universities, and other official organizations.
Accounts hacked included those of federal court employees, the newspaper said, and even high-ranking investigators at the Federal Office for Police (FEDPOL).
Access to such email accounts could allow hackers to infiltrate further into sensitive areas of the administration, especially if the account holders use the same password for several different sites or purposes.
The paper speculates that this may have been the case for RUAG, the state-affiliated defense contractor that was the target of a massive cyber-attack in 2016. A report into the attack by MELANI, the Swiss Reporting and Analysis Centre for Information Assurance, found that the assailants chose specific employees as conduits to access the wider IT systems.
Some 324 of the 15,000 accounts found by Lucy Security belonged to RUAG employees.
The main problem, according to the newspaper’s investigation, is that employees persist in using professional email accounts to conduct private business, despite efforts by companies and state bodies to discourage this.
The paper also links the story to the current practice of using hacked account details to blackmail users through emails that threaten to make public images of them watching porn, for example, unless a certain amount of money is paid.
However, although MELANI has also confirmed the existence of such cases of ‘sextortion’, it remains unclear how widespread they are. Best practice remains to ignore or report such emails, the centre says.