Cyber Incident Victim: TT Nyhetsbyrån
Date: May 2023
Location: Sweden
Summary
TT Nyhetsbyrån's press release service, Via TT, was subjected to a DDoS attack that targeted its public homepage with a high volume of traffic. The incident did not involve any intrusion into its systems, and the affected service was completely separate from the company's editorial news and image services. Some customers experienced difficulty logging into the system during the attack. The organization had previously implemented measures after prior incidents, which mitigated the impact, and it continued to work on improving its resilience.
Description
On the morning of Tuesday, May 2, 2023, TT Nyhetsbyrån was subjected to a distributed denial-of-service (DDoS) attack. The incident was first communicated via an email sent out by the news agency. This attack specifically targeted the public-facing homepage of the agency's press release distribution service, known as "Via TT." The attack did not constitute an intrusion into TT's systems but was instead an overloading attack characterized by a massive volume of traffic being deliberately directed at the Via TT start page. The primary consequence of this traffic surge was that customers of the Via TT service experienced difficulties when attempting to log into the system to manage and distribute their press releases.

The onset of the attack actually occurred earlier than the public reporting on May 2nd. According to Fredrik Billinger, the product owner for Via TT, the attack began during the afternoon of the previous day, May 1st. The disruptive activity continued through the night and was still ongoing as of the morning of May 2nd, though it was noted that the intensity of the attack had diminished to a low level by that time. The impact on customers was intermittent; during parts of the day on May 1st and at a few isolated instances on the morning of May 2nd, some users encountered login problems due to the overwhelming traffic directed at the service's public gateway.

The system architecture at TT Nyhetsbyrån played a critical role in limiting the scope of the incident. The Via TT platform, which was the target of this attack, is entirely separate from the company's core editorial services. This separation ensured that the attack had no effect on TT's primary news and picture services, which continued to operate normally without any disruption. The isolation of the targeted system meant the attack was contained to the press release distribution function, preventing any collateral damage to the news agency's journalistic output.

In response to the login issues faced by customers, Via TT's customer support team provided continuous assistance. Throughout the incident, the support staff was available to help clients with necessary tasks, such as manually facilitating the distribution of press releases on their behalf. This ensured that, despite the technical difficulties with the web interface, the service's core function of disseminating press releases to media outlets could continue, albeit through a manual workaround managed by the support team.

This was not the first time the Via TT service had been targeted. Fredrik Billinger confirmed that the platform had been subjected to two previous overloading attacks several months prior to this event. The measures implemented following those earlier incidents proved partially effective during the May attack. The previously taken countermeasures mitigated the impact, preventing the latest attack from causing significant disruption. The attack's effect was described as not being particularly severe due to these pre-existing defensive preparations.

Following the attack, the ongoing response involved continued work to further strengthen the platform's resilience. The team responsible for Via TT focused on enhancing its capabilities to withstand large volumes of traffic. This work is part of a broader effort to improve system defenses against future DDoS attempts. Furthermore, the company maintained a dialogue with its customers regarding the incident and the specific measures being undertaken to address the vulnerability and ensure service reliability. The response was characterized by a focus on technical hardening and transparent communication with the user base affected by the service interruption.
