Overview
A threat actor operating under the handle ByteToBreach has published what they claim to be the complete source code of Sweden's E-Government platform, alleging it was extracted through a deep and sustained compromise of CGI Sverige AB — the Swedish subsidiary of global IT giant CGI Group. The source code is being distributed freely across the open web, with multiple backup mirrors already confirmed active.
This is not an isolated incident. ByteToBreach is the same actor responsible for the Viking Line breach posted just one day prior, suggesting an ongoing campaign targeting Swedish and European infrastructure via CGI's managed services footprint.
What Was Leaked
The actor has been explicit that this is not a configuration dump or partial extract — they claim full source code of the E-Gov platform, alongside a significant volume of supporting material:
| Data Category | Distribution |
|---|---|
| Full E-Gov Platform Source Code | Free (open web) |
| Staff Database | Free (open web) |
| API Document Signing Systems | Free (open web) |
| Jenkins SSH Pivot Credentials | Free (open web) |
| RCE Test Endpoints | Free (open web) |
| Initial Foothold & Jailbreak Artifacts | Free (open web) |
| Citizen PII Databases | For Sale (separately) |
| Electronic Signing Documents | For Sale (separately) |
We have not verified the authenticity of the data.
Why This Matters
The implications of this breach extend well beyond a single organization:
- E-government source code exposure creates a detailed roadmap for future attacks. Any attacker — nation-state or criminal — can now study the platform's architecture, identify undisclosed vulnerabilities, and exploit them before patches are developed.
- Electronic signing systems are foundational to Sweden's digital government identity framework. Compromise of these systems, even indirectly, raises serious questions about the integrity of digitally signed government documents.
- Citizen PII being sold separately means the secondary harm — identity fraud, phishing campaigns, targeted social engineering — is still incoming and unquantifiable.
- CGI Group's broader portfolio should be considered at risk. An actor that has demonstrably compromised one major CGI client in 48 hours is likely to have broader access across the managed services environment.
Recommended Actions
For organizations that interact with CGI Sweden or use adjacent E-Gov infrastructure:
- Audit all API integrations with Sweden's E-Gov platform immediately
- Rotate credentials and tokens used in any government-adjacent systems
- Review CI/CD pipeline security — Jenkins misconfigurations of this type are endemic; assume yours is misconfigured until proven otherwise
- Monitor for IOC releases as the security community begins analyzing the leaked source code
- Treat electronic signing outputs with elevated scrutiny pending a full incident assessment
Threat Actor Profile: ByteToBreach
ByteToBreach is emerging as a high-capability actor with a clear focus on European managed service providers. In under 48 hours, they have published breaches affecting a major ferry operator and Sweden's national e-government infrastructure — both linked to CGI.
Update: 13th of March
CGI Sweden has confirmed the incident, while also stating that the leaked source code is "older".