Cyber Incident Victim: Schweizerische Bundesbahnen

Date: Jun 2023

Location: Switzerland

Summary

A distributed denial-of-service (DDoS) attack targeted the Swiss federal administration, impacting Schweizerische Bundesbahnen and rendering various online services unreachable for approximately two hours. The attack was claimed by the NoName hacker group, which had also recently targeted the Swiss parliament's website. The incident did not involve a data breach but was intended to overload and disrupt web services. The SBB's mobile timetable and ticket purchasing via other channels remained available throughout the disruption.


Description

On the morning of June 12, 2023, a distributed denial-of-service (DDoS) attack targeted the systems of the Swiss federal administration. This cyber incident rendered numerous federal administration websites temporarily unreachable. The same attack also impacted Schweizerische Bundesbahnen (SBB), the Swiss Federal Railways. The attack was claimed by the hacker group known as "NoName," which had also publicly taken responsibility for a previous attack on the Swiss Parliament's website, Parlament.ch, just the week before. The Swiss Federal Office of Justice (Bundesanwaltschaft) confirmed that the attacks occurring on June 12 would be incorporated into an existing criminal investigation that had been opened following the prior incident against the parliamentary services' homepage.

Specialists within the federal administration detected the attack rapidly. Upon identification, they immediately implemented measures intended to restore the availability of the affected websites and applications as quickly as possible. The Eidgenössisches Finanzdepartement (EFD), the Federal Department of Finance, issued a public communication on Monday confirming these details and the nature of the response. The core objective of a DDoS attack is to overwhelm websites and applications with a flood of targeted requests, causing them to become unavailable and unable to function for legitimate users. This type of attack is designed to disrupt services and does not involve the exfiltration or theft of data.

For SBB, the impact was felt across its various online services. The company reported that numerous online services were non-functional between approximately 08:00 and 09:45 on the morning of the attack. Despite this widespread disruption, not all customer-facing digital systems were affected. The timetable lookup feature within the SBB Mobile application remained operational throughout the incident. Furthermore, ticket sales were still possible via the SBB online shop when using a guest account. The physical ticket vending machines located in stations and the counters at travel centers also continued to function normally, allowing passengers to purchase tickets without interruption.

By midday on June 12, SBB announced that the technical problem caused by the DDoS attack had been resolved. The company confirmed that all of its online services were once again available and operating normally. The incident was therefore contained and remediated within a window of less than two hours for the primary outage period experienced by SBB customers. The federal administration likewise succeeded in restoring access to its targeted web properties.

This event was part of a noted increase in cyber attacks targeting Swiss enterprises, government bodies, and media organizations in recent years. The incident marked the second time the SBB had been affected by a cyber attack within a short period, having already been impacted by a separate incident in February 2023. Other recent prominent targets included major media houses CH Media and NZZ.

Furthermore, a significant unrelated ransomware attack against the IT service provider Xplain, which had severe consequences for numerous Swiss authorities, had become public on May 23, 2023. That attack on Xplain, which involved data theft and subsequent publication on the dark web, affected agencies including the Federal Office of Police (Fedpol), the Federal Office for Customs and Border Security (BAZG), and several cantonal police forces. The June 12 attack on the federal administration and SBB was distinct from the Xplain incident, as it was a DDoS attack focused on disruption rather than a ransomware attack focused on data theft and extortion.

The recurrence of attacks attributed to the NoName group within a short timeframe indicated a continued focus on Swiss public infrastructure by this particular threat actor. The ongoing criminal investigation by the Swiss Federal Office of Justice seeks to identify the individuals behind these attacks.
