Full Source Code of Sweden's E-Government Platform Leaked From Compromised CGI Sverige Infrastructure
Quick Facts
Sweden
Incident Overview
A threat actor going by ByteToBreach has leaked the entire source code of Sweden's E-Government platform, claiming it was obtained through a heavily compromised CGI Sverige AB infrastructure. CGI Sverige is the Swedish subsidiary of global IT services giant CGI Group and manages critical government digital services. This is the same actor behind the Viking Line breach posted yesterday.
The actor emphasizes this is the full E-Gov platform source code and not just configuration snippets. They state that the Swedish e-government is the most affected party, and note that citizen PII databases and electronic signing documents were also collected but are being sold separately. A staff database, API document signing system, RCE test endpoints, initial foothold details, jailbreak artifacts, and Jenkins SSH pivot credentials are all included in the listing alongside the source code.
The disclosed vulnerabilities used in the attack include a full Jenkins compromise, Docker escape via the Jenkins user being in the Docker group, SSH private key pivots, analysis of local .hprof files for reconnaissance, and SQL copy-to-program pivots. The actor makes a pointed note about companies blaming breaches on third parties, explicitly stating that this compromise belongs clearly to CGI infrastructure, referencing Viking Line and Slavia Pojistovna as other examples. The source code is being released for free with multiple backup download links, while citizen databases are sold separately.
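A defender can audit a build host for three of the weaknesses named above: accounts in the Docker group (which is root-equivalent on the host), heap dumps left on disk, and private keys readable in the build user's tree. This is an added example, not code from the page or the actor; the function names are hypothetical and the sample group and passwd lines are constructed.

```python
import os
import sys

# Headers that open a PEM or OpenSSH private key file.
KEY_MARKERS = (b"-----BEGIN OPENSSH PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----",
               b"-----BEGIN EC PRIVATE KEY-----", b"-----BEGIN PRIVATE KEY-----")

# Constructed sample data (not taken from the incident).
SAMPLE_GROUP = "root:x:0:\ndocker:x:998:jenkins,deploy\njenkins:x:1001:\n"
SAMPLE_PASSWD = "root:x:0:0::/root:/bin/bash\nbuild:x:1002:998::/home/build:/bin/sh\n"

def docker_group_users(group_text, passwd_text=""):
    """Users who can use the Docker socket through the docker group (root-equivalent)."""
    users, gid = set(), None
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[0] == "docker":
            gid = parts[2]
            users.update(u for u in parts[3].split(",") if u)
    # A user whose primary GID is docker's does not appear in /etc/group.
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if gid is not None and len(parts) >= 4 and parts[3] == gid:
            users.add(parts[0])
    return sorted(users)

def scan_tree(root):
    """Report heap dumps (.hprof) and private key files under root."""
    found = {"heap_dumps": [], "private_keys": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".hprof"):
                found["heap_dumps"].append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if head.lstrip().startswith(KEY_MARKERS):
                found["private_keys"].append(path)
    return found

if __name__ == "__main__":
    print("docker group (sample):", docker_group_users(SAMPLE_GROUP, SAMPLE_PASSWD))
    if len(sys.argv) > 1:  # e.g. the Jenkins home directory
        print(scan_tree(sys.argv[1]))
```

On a real host, pass the contents of `/etc/group` and `/etc/passwd` to `docker_group_users` and point `scan_tree` at the CI user's home and workspace directories.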
Compromised Data Categories
