Summary
On March 12, 2026, the threat actor ByteToBreach published complete source code from CGI Sweden's e-government platform, exfiltrated from an internal GitLab instance. The leak contains 21 Git repositories with configuration, key material, and SAML signing infrastructure for Swedish government agencies' electronic identification via funktionstjänster.se.
CGI claims that the breach involves "two internal test servers" — our analysis reveals production configurations with real connection strings, key material, and database credentials.
What is Funktionstjänster?
CGI's Funktionstjänster is Sweden's leading e-government platform, processing over 25 million e-ID transactions per month. It is delivered as a managed service — CGI hosts and operates the entire infrastructure on behalf of Swedish government agencies, municipalities, and organizations for citizen-facing e-services.
The platform consists of several core components:
- e-ID — Electronic identification via BankID (Sweden's national e-ID system)
- eSign / Signe — Digital signing portal for government and enterprise use
- Företrädarregistret — Corporate representative registry (IAM for legal entities)
- Mina Engagemang — Citizen portal for managing government interactions
- SHS (Spridnings- och Hämtningssystem) — Secure data exchange protocol between government agencies
- eintegration3 — Apache Camel-based integration platform that implements the SHS protocol, routing data between agencies
- e-Formulär — Dynamic government forms engine
Attack Chain
According to the threat actor's own documentation:
- Jenkins compromise — Initial access via Jenkins CI server
- Docker escape — The Jenkins user was a member of the Docker group, enabling container breakout
- SSH key pivoting — Private SSH keys used for lateral movement
- Java heap dumps — Passwords extracted from process memory
- SQL COPY TO PROGRAM — Code execution via PostgreSQL
Scope
21 repositories
The leak encompasses 21 Git repositories including systems for JWT/SAML key management, corporate representative registry (IAM), digital signing, SHS integration, workflow engine, and citizen portals. Several repositories contain complete Docker Swarm configurations for production environments.
64 certificate/key files
A total of 64 files of type .jks, .p12, .pfx, .pem, and .key were found. We successfully opened 36 of these using passwords extracted from configuration files in the same leak.
Certificate validation (2026-03-13): Of the 36 opened files, at least 20 certificates are still valid (with expiry dates from 2027 to 2034). All have extractable private keys. An additional 3 files contain unencrypted private keys (RSA 2048/4096-bit) with no password protection whatsoever.
The certificates belong to multiple Swedish government agencies and organizations, issued by ExpiTrust EID CA among others. Several SHS client certificates (Spridnings- och Hämtningssystem) have recently expired but were valid at the time of the leak.
SHS — Secure Data Exchange Protocol
SHS (Spridnings- och Hämtningssystem) is a Swedish-developed protocol for secure information exchange between government agencies. It is used by central government agencies, municipalities, and organizations to send electronic documents, retrieve data, and subscribe to information feeds. SHS is effectively the backbone of Swedish e-government.
SHS uses mTLS (mutual TLS) for authentication — the client certificates identify the organization to SHS nodes. The leak contains SHS client certificates for multiple government agencies. Anyone possessing a valid client certificate can impersonate that organization and directly retrieve or submit data to other agencies that the organization has SHS agreements with.
Credentials
More than 30 unique passwords were found in plaintext in configuration files, Docker secrets, and YAML files. These include:
- Keystore passwords for SAML signing certificates (validated — keystores opened successfully)
- Database credentials for PostgreSQL and MSSQL (same password reused across at least 8 separate database environments)
- OAuth2 client secrets and API keys for Bolagsverket and Mina Ombud integrations
- SMTP credentials (Gmail accounts in plaintext)
- SVN credentials for CGI's internal version control server (AD account)
- JWT signing secrets (256 characters, in plaintext)
- CI/CD credentials — access to Artifactory (build artifacts) using the same password as the databases
Password reuse: The same password is systematically reused across databases (PostgreSQL + MSSQL), Artifactory, SMTP, and application logins — compromise of a single system grants access to virtually all of them.
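As an added example (not from the report and not CGI's code), a small Python audit of the kind a pre-commit hook or repository scan could run to surface the three problems this section describes: PEM private keys committed without encryption, binary keystores sitting in the tree, and one password value reused across environments. The repository contents, paths and password values are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample repository (path -> contents); nothing here is from the leak.
SAMPLE_REPO = {
    "saml/idp-signing.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n",
    "saml/sp-enc.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFconstructed\n-----END ENCRYPTED PRIVATE KEY-----\n",
    "legacy/old.pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nabcd\n-----END RSA PRIVATE KEY-----\n",
    "prod/db.yml": "datasource:\n  url: jdbc:postgresql://db-prod/app\n  password: Example-Reused-Pw1\n",
    "staging/db.yml": "datasource:\n  password: Example-Reused-Pw1\n",
    "prod/artifactory.properties": "artifactory.user=ci\nartifactory.password=Example-Reused-Pw1\n",
    "prod/smtp.yml": "smtp:\n  password: Different-Pw2\n",
    "keystores/saml-signing.jks": "<binary keystore placeholder>",
}

PEM_PRIVATE = re.compile(r"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----(.*?)-----END", re.S)
# Keys whose name contains password/secret/passwd, assigned with ':' (YAML) or '=' (properties)
PASSWORD_ASSIGN = re.compile(
    r"(?im)^\s*[\w.\-]*(?:password|secret|passwd)[\w.\-]*\s*[:=]\s*['\"]?([^'\"\s#]+)")
KEYSTORE_EXT = (".jks", ".p12", ".pfx")


def scan_repo(files):
    """Return plaintext/encrypted PEM keys, binary keystores, and passwords reused across files."""
    findings = {"plaintext_keys": [], "encrypted_keys": [], "keystores": [], "reused_passwords": []}
    seen = defaultdict(set)  # password value -> files it occurs in (never written to the report)
    for path, text in sorted(files.items()):
        if path.lower().endswith(KEYSTORE_EXT):
            findings["keystores"].append(path)  # cannot be inspected without its password
            continue
        for label, body in PEM_PRIVATE.findall(text):
            # PKCS#8 encrypted keys say so in the label; legacy OpenSSL keys carry a Proc-Type header
            encrypted = "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body
            findings["encrypted_keys" if encrypted else "plaintext_keys"].append(path)
        for value in PASSWORD_ASSIGN.findall(text):
            seen[value].add(path)
    # Report only the groups of files that share a value, not the value itself
    findings["reused_passwords"] = sorted(sorted(p) for p in seen.values() if len(p) > 1)
    return findings


if __name__ == "__main__":
    for kind, items in scan_repo(SAMPLE_REPO).items():
        print(f"{kind}: {items}")
```

A real run would walk the checked-out tree (and ideally the full Git history, since a deleted secret is still recoverable) instead of the in-memory dictionary.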
Disabled Security Controls
Multiple critical security controls were explicitly disabled or missing in production configurations:
- JWT validation disabled — Incoming JWT tokens are not validated in the gateway service
- SAML assertions accepted unsigned — Sweden Connect SP metadata does not require signed assertions
- Unauthenticated SHS integration endpoints — eintegration3 (the SHS integration platform) exposes /reload, /start, /stop, and /get-routes without authentication, allowing control over government data exchange message flows
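An added example, not part of the report: a Python check over SAML 2.0 SP metadata that flags the weak setting this section describes (WantAssertionsSigned absent or false, which the metadata schema treats as false) beside the corrected form. The entity ID and endpoints are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata (not from the leak): the weak form as published...
WEAK_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# ...and the same metadata with both signing requirements declared.
HARDENED_SP_METADATA = WEAK_SP_METADATA.replace(
    "<md:SPSSODescriptor ",
    '<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" ')


def check_sp_metadata(xml_text):
    """Return a list of weaknesses found in one SP's SAML 2.0 metadata (empty list = OK)."""
    root = ET.fromstring(xml_text)
    descriptors = root.findall(".//md:SPSSODescriptor", NS)
    issues = [] if descriptors else ["no SPSSODescriptor found"]
    for sp in descriptors:
        # Both attributes are optional and default to false when absent,
        # so a missing attribute is exactly as weak as an explicit "false".
        if sp.get("WantAssertionsSigned", "false").lower() != "true":
            issues.append("WantAssertionsSigned is not true: unsigned assertions may be accepted")
        if sp.get("AuthnRequestsSigned", "false").lower() != "true":
            issues.append("AuthnRequestsSigned is not true: authentication requests are unsigned")
        for acs in sp.findall("md:AssertionConsumerService", NS):
            if not acs.get("Location", "").startswith("https://"):
                issues.append(f"ACS endpoint not over HTTPS: {acs.get('Location')}")
    # Note: the metadata flag documents the requirement towards the IdP; the SP software
    # must also be configured to reject unsigned assertions at runtime.
    return issues


if __name__ == "__main__":
    print("weak:", check_sp_metadata(WEAK_SP_METADATA))
    print("hardened:", check_sp_metadata(HARDENED_SP_METADATA))
```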
CRITICAL — Golden SAML Risk
The combination of SAML signing certificates with extractable private keys (valid until 2029), keystore passwords in plaintext, JWT signing secrets, and disabled token validation enables forgery of identity assertions.
An attacker can forge identity assertions ("golden SAML") that validate for any Swedish citizen against all connected services. The configuration also contains a complete signed SAML assertion with a national identity number and BankID authentication.
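An added example of the log-correlation idea behind golden SAML detection (not from the report, and a simplification of the Sygnia methodology the detection table below refers to): an SP login is suspect if its assertion ID was never issued by the IdP, if the subject or audience differs from what the IdP issued, or if it is consumed long after issuance. The log format, field names, entity IDs and subjects are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed log lines (not from any real system). Assumed format per line:
#   <ISO time> <source> <event> id=<assertion id> subject=<pseudonymised subject> sp=<entityID>
IDP_LOG = """\
2026-03-13T08:00:01Z idp issued id=_a1 subject=user-0001 sp=https://sp-a.example.invalid
2026-03-13T08:05:10Z idp issued id=_a2 subject=user-0002 sp=https://sp-b.example.invalid
"""
SP_LOG = """\
2026-03-13T08:00:03Z sp-a consumed id=_a1 subject=user-0001 sp=https://sp-a.example.invalid
2026-03-13T08:05:12Z sp-b consumed id=_a2 subject=user-0002 sp=https://sp-b.example.invalid
2026-03-13T09:30:00Z sp-a consumed id=_zz9 subject=user-0001 sp=https://sp-a.example.invalid
2026-03-13T10:00:00Z sp-b consumed id=_a2 subject=user-0002 sp=https://sp-b.example.invalid
"""


def parse(log):
    """Parse the assumed log format into dicts with time/source/event plus the key=value fields."""
    events = []
    for line in log.splitlines():
        ts, source, event, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        fields.update(time=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source=source, event=event)
        events.append(fields)
    return events


def find_suspect_logins(idp_log, sp_log, max_skew=timedelta(minutes=5)):
    """Return (assertion id, reason) pairs for SP logins not explained by an IdP issuance."""
    issued = {e["id"]: e for e in parse(idp_log) if e["event"] == "issued"}
    suspects = []
    for e in parse(sp_log):
        if e["event"] != "consumed":
            continue
        src = issued.get(e["id"])
        if src is None:
            # Signed with the stolen key directly: the IdP never saw this assertion
            suspects.append((e["id"], "no matching IdP issuance (possible forged assertion)"))
        elif src["subject"] != e["subject"] or src["sp"] != e["sp"]:
            suspects.append((e["id"], "subject/audience differs from what the IdP issued"))
        elif e["time"] - src["time"] > max_skew:
            suspects.append((e["id"], "consumed long after issuance (possible replay)"))
    return suspects


if __name__ == "__main__":
    for assertion_id, reason in find_suspect_logins(IDP_LOG, SP_LOG):
        print(assertion_id, reason)
```

This only works when both sides log the assertion ID and subject, and gaps in IdP logging produce false positives; in production the IdP's own audit log is the source of truth, not an application log.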
Affected Organizations
The following organizations are confirmed via source code and configuration in the leak. The type of exposure varies from complete infrastructure configuration to client certificates and customer configuration.
| Organization | Type of exposure |
|---|---|
| MSB (Swedish Civil Contingencies Agency) | Complete infrastructure configuration, database, SAML, SHS |
| FMV (Swedish Defence Materiel Administration) | Signing keyring, customer configuration |
| Kammarkollegiet (Legal, Financial and Administrative Services Agency) | SAML signing certificate (valid until 2030) |
| Boverket (National Board of Housing, Building and Planning) | SHS client certificate |
| Karlstads kommun (Municipality of Karlstad) | SHS client certificate, citizen portal |
| IVO (Health and Social Care Inspectorate) | SAML assertion, Lex Maria reporting form |
| Energimarknadsinspektionen (Swedish Energy Markets Inspectorate) | Client certificate (valid until 2030) |
| Bolagsverket (Swedish Companies Registration Office) | OAuth2 integration, workflow engine |
| Folksam | Signe customer configuration |
| Akademiska Hus | Signe customer configuration |
An additional 7 organizations were identified via organization numbers in Signe configurations.
Threat Actor: ByteToBreach
ByteToBreach is a threat actor active since June 2025, with documented breaches against airlines, banks, healthcare providers, and government agencies in over 10 countries. The actor uses a combination of infostealer logs, brute force, and exploits against known vulnerabilities for initial access.
The day before the CGI leak, ByteToBreach published a complete passenger database from Viking Line (via Apache Solr LFI + Tomcat credentials), suggesting a coordinated campaign against Swedish infrastructure via CGI's managed services.
Carl-Oskar Bohlin (Minister for Civil Defence) has confirmed the leak. CERT-SE and the National Cyber Security Centre are investigating the incident.
Certificate Transparency
149 unique certificates appear in CT logs since 2008. Key observations:
- Entrust → DigiCert emergency migration (2024) — 43 Entrust certificates had to be replaced due to distrust
- Wildcard certificate reissued 2026-03-13 via DigiCert — indicates active incident response
- IdP lacks DNS A record — the primary IdP is unreachable despite a valid certificate (until 2027)
- No DMARC record configured — phishing risk for an authentication domain
Risk Assessment
- Valid SAML signing certificates + plaintext passwords + disabled validation = identity forgery against all connected government agencies
- Shared passwords for PostgreSQL and MSSQL across 8+ environments — lack of segmentation
- Signing keyring for a defence organization stored in Git instead of HSM
- Exposed SHS client certificates (mTLS) — enables impersonation of government agencies and direct data retrieval
- CI/CD credentials (Jenkins, Artifactory, Docker Registry) exposed — enables injection of malicious code into the build pipeline
- National identity numbers in SAML assertions and JWT tokens. Citizen databases are reportedly being sold separately.
- SVN credentials and OAuth secrets provide potential access to additional CGI systems
- Configuration files reference an email-to-SMS gateway that accepts SMTP without authentication — potential vector for SMS spoofing and social engineering
Recommendations
Immediate (0–48 hours)
- Rotate ALL signing keys — SAML, JWT, TLS — and publish new metadata
- Change ALL exposed passwords — database, keystore, SMTP, SVN, OAuth
- Enable JWT validation and require signed SAML assertions
- Review access logs for all connected government agencies
Short term (1–2 weeks)
- Migrate all signing keys to HSM
- Implement unique password policy per environment (prod ≠ staging ≠ test)
- Configure DMARC for funktionstjänster.se
- Review all SPs: ensure signed assertion requirements
- Implement Certificate Transparency monitoring
Medium term (1–3 months)
- Secrets management — migrate all passwords to Vault or equivalent
- Network segmentation — separate prod/staging/test
- Notification to IMY (Swedish DPA) under GDPR (72-hour rule)
- Reporting under the Cybersecurity Act / NIS2
How Pentesting.se Helps
This incident highlights multiple attack surfaces that automated security scanning can identify before a leak occurs:
| Vulnerability | Detection method | Status |
|---|---|---|
| Exposed key files in web roots | Vulnerability scanning + directory enumeration | Existing |
| Exposed CI/CD systems (Jenkins, Docker) | CI/CD-specific vulnerability templates | Existing |
| Default database passwords | Credential testing + service scanning | Existing |
| Jenkins Script Console without authentication | HTTP probe (CVE-2025-53652) | Existing |
| Golden SAML — signing keys outside HSM | SAML metadata analysis + log correlation (Sygnia methodology) | Planned |
| SAML metadata with weak configurations | Custom template (WantAssertionsSigned, unsigned assertions) | Planned |
| CT logs: unexpected certificate issuances | Certificate Transparency API monitoring | Planned |
| Missing DMARC/SPF/DKIM | DNS analysis | Planned |
| Java heap dumps on web server | Directory enumeration with targeted wordlists | Planned |
| Apache Solr LFI (ByteToBreach TTP) | Application-specific vulnerability templates | Planned |
This report is based on passive analysis of publicly available data (CT logs, DNS, WHOIS) and review of the published source code archive. No active intrusion attempts have been performed. Specific passwords, filenames, and file paths have been intentionally omitted from this public report.
Contact: Pentesting.se / Adminor AB