Cyber Incident Victim: Rhätische Bahn
Date:
Jan 2024
Location:
Switzerland
Summary
A Russian hacktivist group NoName057(16) conducted distributed denial-of-service (DDoS) attacks against Swiss federal administration systems and multiple Swiss companies, including Rhätische Bahn, following Ukrainian President Zelenskyy's visit to the World Economic Forum in Davos. The attacks temporarily disrupted several government websites and the railway operator's online services by overwhelming servers with automated requests, though no data breaches occurred. The Swiss Federal Office for Cybersecurity had anticipated such actions, having warned critical infrastructure operators in advance, and restored functionality by afternoon. The group claimed the attacks were retaliation for Switzerland hosting Zelenskyy, aiming to generate media attention to propagate their ideology.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On January 17, 2024, the Russian hacktivist group NoName057(16) executed distributed denial-of-service (DDoS) attacks against Swiss federal administration systems and private entities, including Rhätische Bahn (RhB), following Ukrainian President Volodymyr Zelenskyy's visit to the World Economic Forum (WEF) in Davos, Graubünden. The Swiss Federal Office for Cybersecurity (Bacs) attributed the attacks to the group, which publicly justified its actions as retaliation for Switzerland hosting Zelenskyy. The attacks commenced before 8:00 AM local time, targeting federal department websites and critical infrastructure operators. RhB, a Graubünden-based public transport operator, confirmed it was among the randomly selected Swiss companies attacked that day. The DDoS technique overwhelmed victim servers with automated requests, causing temporary outages without data exfiltration. Multiple federal websites experienced intermittent unavailability, though the Federal Council’s portal remained operational. Bacs had anticipated such attacks due to Zelenskyy’s diplomatic engagements, including his in-person meetings with Swiss officials in Bern on January 15 and his WEF appearance on January 16, and had warned critical infrastructure operators the preceding week.
Bacs detected the attack rapidly, having pre-alerted RhB and other potential targets based on intelligence. Federal web services were partially restored by afternoon, with full functionality returning the same day. The House of Switzerland at WEF reported no operational disruptions despite the attacks. RhB’s spokesperson acknowledged the incident but did not specify downtime duration or operational impacts. This mirrored NoName057(16)’s June 2023 DDoS campaign against Swiss federal systems during Zelenskyy’s virtual address to parliament, reinforcing a pattern of retaliatory cyber operations tied to Swiss-Ukrainian diplomacy. Bacs characterized the group’s motive as seeking media attention to propagate pro-Russian ideology. The incident underscored coordination between Bacs, national and international partners, and critical infrastructure operators to monitor and mitigate threats, though no long-term technical or financial consequences were reported.