Zurich, July 2, 2025 — Radix, a Zurich-based nonprofit organization specializing in public health promotion and online counseling services, confirmed on June 30 that it fell victim to a ransomware attack carried out by the Sarcoma group. According to Radix’s statement, Sarcoma exfiltrated sensitive client and operational data before encrypting core systems and publicly posting stolen files on a dedicated dark-web leak site.

Incident Overview
Radix first detected unusual network activity in mid-June, prompting an immediate internal investigation and engagement of external cybersecurity consultants. While the organization’s primary operational platforms remained largely functional, threat actors succeeded in compromising backup archives and several administrative servers. In its June 30 statement, Radix emphasized that no direct connections to Swiss federal systems exist within its infrastructure—though they acknowledged that various federal offices utilize Radix’s services, and a government “data compromise assessment” is currently underway.

Sarcoma Ransomware: A Growing Threat
Sarcoma is a relatively new ransomware operation first identified by threat intelligence firms in October 2024. Analysts have linked Sarcoma attacks to a pattern of targeted intrusions against mid-size enterprises and nonprofit entities across Europe and North America. Their Tactics, Techniques, and Procedures (TTPs) frequently involve:

• Phishing-based initial access using convincingly branded email lures;
• Use of custom beaconing malware to establish persistent command-and-control channels;
• File-sharing abuse via legitimate cloud storage services to exfiltrate large data volumes;
• Double-extortion tactics whereby stolen data is published online to pressure victims into paying ransoms.

Security specialists warn that Sarcoma’s rapid evolution—from its first detection to high-profile breaches—underscores the increasing sophistication of “as-a-service” ransomware models, which lower the cost and expertise barriers for financially motivated cybercriminals.

Scope and Potential Impact
While Radix maintains it does not host or administer any government IT infrastructure, the involvement of federal offices as service recipients raises the stakes. Data under review may include:

• Personal health records of program participants;
• Internal communications regarding public-health initiatives;
• Counselling session metadata that could be deemed personally identifiable information (PII).

Swiss federal authorities are coordinating with Radix to determine whether any government-owned data repositories were indirectly exposed. Early indications suggest that the breach was confined to Radix’s own systems, rather than the downstream environments of its clients.

Organizational Response and Remediation
In the hours following breach confirmation, Radix took decisive steps to contain the incident:

1. 1- Disconnection of affected servers from all external networks;
2. 2- Deployment of an incident response team comprising both in-house security staff and a third- party digital forensics firm;
3. 3- Notification to Swiss data-protection regulators and impacted individuals in compliance with the Federal Act on Data Protection (FADP);
4. 4- Engagement with law-enforcement partners, including the Federal Cybercrime Unit (CYCO) of the Swiss Federal Office of Police (fedpol).

Radix’s executive leadership has pledged a full system rebuild on “air-gapped” infrastructure, alongside strengthened multifactor authentication (MFA) and network-segmentation controls.

Expert Commentary
“Nonprofits like Radix often lack the robust cybersecurity budgets of larger healthcare providers,” explained Dr. Lena Schmid, a cybersecurity consultant with Zurich-based firm CyberSentinel. “This attack highlights how adversaries are pivoting toward organizations perceived as softer targets but possessing valuable data.” Dr. Schmid recommends that charitable and nonprofit institutions adopt a “zero-trust” architecture, enforce least-privilege access, and periodically simulate phishing exercises to harden staff against social-engineering exploits.

Outlook and Recommendations
As Sarcoma’s leak site remains active, organizations across the Swiss health sector are urged to:

• Conduct urgent risk assessments of third-party service providers;
• Review and update incident-response playbooks to address ransomware and data-exfiltration scenarios;
• Invest in continuous endpoint monitoring and automated backup integrity checks.

Radix has established an incident-support hotline for affected clients and plans to publish a post-mortem report once its forensic analysis concludes. In the meantime, the breach serves as a stark reminder that even mission-driven, nonprofit entities are within the sights of modern ransomware syndicates.

Morocco’s National Social Security Fund (CNSS) has fallen victim to a significant cyberattack, exposing sensitive personal and corporate data, with some reports estimating the breach may impact nearly 2 million individuals and 500,000 companies. The attack, which occurred on Tuesday, April 8, also targeted the Ministry of Employment, though their incident appears to be less severe.

While CNSS initially described the breach as “partial,” independent reports from Le Canard Libéré and La Quotidienne.ma suggest the scale could be far greater, with leaked data including contact information, salary declarations, and identities of managers and employees from major Moroccan institutions such as the Royal Holding Company Siger, Crédit Agricole Bank, and even the Israeli Liaison Office in Rabat.

⚠️ What Was Leaked?

The compromised information reportedly includes:

• Names and contact details
• Salary records and declarations
• Organizational roles
• Data from high-profile entities

However, CNSS officials have urged the public to treat leaked information with caution, stating that some content circulating on social media is either false, incomplete, or taken out of context.

🧑‍💻 Who’s Behind the Attack?

Only one source, Le Canard Libéré, has pointed to a possible perpetrator: an Algerian hacker group called “Jebaroot”, allegedly retaliating for a prior breach of the Algerian Press Service’s (APSX) Twitter account. This claim remains unverified by other media outlets and Moroccan authorities, highlighting the difficulty in attributing cyberattacks with certainty.

🔐 CNSS Response & Public Warning

In response to the attack, CNSS:

• Activated emergency cybersecurity protocols
• Partnered with national security authorities
• Temporarily restricted access to certain online services
• Issued urgent public warnings

The CNSS has advised all insured individuals to:

• Change their passwords regularly
• Avoid sharing personal data via unsolicited calls, texts, or emails
• Verify communications only via their official website: www.cnss.ma

They also warned that spreading fake or leaked data may lead to legal consequences, as authorities are investigating and may pursue criminal charges.

🧾 Legal and Institutional Ramifications

The National Data Protection Authority (CNDP) has opened its doors to victims seeking to file complaints. Meanwhile, CNSS has launched an internal probe and referred the case to the judiciary, underlining the seriousness of the incident.

Le Canard Libéré raised concerns over the CNSS’s digital infrastructure, calling it “expensive but underperforming”, and questioned whether sufficient safeguards were in place to protect national data assets.

📉 Wider Implications

This breach could have ripple effects across Morocco:

• Professional secrecy compromised
• Salary leaks may disrupt competition or prompt social unrest
• Public trust in digital institutions at risk

The incident is being called by some analysts “Morocco’s first cyber war,” underlining how digital threats are becoming matters of national security.

🛡️ Final Takeaway

This attack is a stark reminder that cybersecurity is no longer just an IT issue—it’s a national, economic, and societal priority. With sensitive data now at risk, the public is urged to remain vigilant and institutions must reassess their digital defense strategies.

“What’s needed is not just better firewalls,” said one analyst, “but a fundamental shift in how we protect, manage, and respond to cyber threats in a connected world.”

Washington, D.C. — The U.S. Treasury Department has revealed that its systems were breached in a sophisticated cyberattack attributed to a state-sponsored hacking group backed by China. The breach is part of a larger campaign targeting multiple U.S. government agencies and critical infrastructure, raising serious concerns about national security and cybersecurity resilience.

Details of the Breach

The cyberattack, which officials say began months ago, exploited a vulnerability in widely used software systems. Hackers gained unauthorized access to sensitive departmental networks, although the Treasury Department assured that no classified or financial data was compromised.

“Treasury systems were breached as part of a broader campaign targeting U.S. government entities,” said Deputy Secretary Wally Adeyemo. “While the incident has been contained, it underscores the increasing sophistication of nation-state cyber threats.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified the breach as part of a global campaign exploiting zero-day vulnerabilities. The China-backed actor, referred to as “Volt Typhoon,” has been linked to previous cyber operations targeting U.S. interests.

Scope and Impact

The Treasury Department’s breach is one of several incidents affecting federal agencies. While the department emphasized that critical operations remained unaffected, cybersecurity experts warn that such breaches could have long-term implications for national security and international relations.

“This type of access could allow for data manipulation, surveillance, or preparation for future cyberattacks,” said Laura Hutchins, a cybersecurity analyst at SecureWorks. “It’s a significant wake-up call for the U.S. to bolster its defenses.”

China’s Involvement

The U.S. government has attributed the attack to a China-backed hacking group, alleging that the breach is part of Beijing’s broader efforts to gather intelligence and undermine U.S. infrastructure. China’s Foreign Ministry denied the accusations, calling them “groundless” and emphasizing that China opposes cyberattacks in all forms.

Government Response

Following the breach, the Treasury Department and other affected agencies have implemented enhanced security measures and are conducting a comprehensive review of their systems. CISA, the FBI, and the National Security Agency (NSA) are collaborating on the investigation and response.

“We are treating this as a national security priority,” said Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology. “This incident underscores the urgent need for public and private sectors to work together in addressing vulnerabilities and enhancing cyber resilience.”

Legislative and Policy Implications

The attack has reignited calls for stronger cybersecurity legislation and investment. Lawmakers are urging the Biden administration to expedite efforts to modernize federal IT systems and increase funding for cyber defense initiatives.

“This breach demonstrates the critical need for a national cyber strategy that addresses both prevention and response,” said Senator Mark Warner, Chairman of the Senate Intelligence Committee. “We must ensure our government systems are resilient against these kinds of sophisticated attacks.”

Implications for U.S.-China Relations

The attribution of the attack to China is likely to escalate tensions between Washington and Beijing. The breach comes amid ongoing disputes over trade, technology, and Taiwan, further straining an already complex bilateral relationship.

“This cyber incident could become a flashpoint in U.S.-China relations,” said Dr. Alan Parker, an expert in international cybersecurity policy. “It’s a clear example of how cyber operations are becoming a significant dimension of geopolitical competition.”

Next Steps

The Treasury Department and other federal agencies are working to enhance security protocols and close vulnerabilities exploited in the breach. CISA has issued an advisory to private sector organizations to assess their exposure to similar threats.

Conclusion

The breach of the U.S. Treasury Department’s systems by a China-backed actor highlights the evolving nature of cyber threats against critical government infrastructure. As investigations continue, the incident underscores the urgent need for robust cybersecurity measures and international cooperation to combat state-sponsored cyberattacks.