Cyber Incident Victim: Agencia Estatal de Meteorología
Date:
May 2023
Location:
Spain
Summary
A cyberattack targeted Spain's state meteorological agency, Aemet, forcing it to temporarily suspend its SINOBAS public science project. This system, used to collect reports of rare meteorological phenomena, was taken offline as a preventive measure following the attack's detection. The incident also affected other services including the agency's meteoglossary and its Antarctic weather station operations. Agency sources were confident that access could be restored quickly once user safety was fully guaranteed.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 4 motives | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
On May 24, 2023, the Spanish State Meteorological Agency, Aemet, experienced a cyberattack that disrupted several of its online services. The attack was publicly disclosed on that Wednesday evening. According to the agency, one of the most significantly impacted services was the Sistema de Notificación de Observaciones Atmosféricas Singulares (SINOBAS). This public science project is designed to collect reports of rare meteorological phenomena from citizens and amateur weather watchers across Spain. In response to the detected cyber intrusion, Aemet made the decision to temporarily suspend the SINOBAS system as a preventive security measure. The primary goal of this action was to contain the threat and ensure the safety of the system's users and data. The agency did not publicly disclose the specific target or initial entry point of the cyberattack at the time of the incident.

The suspension of the SINOBAS service meant the loss of a valuable scientific data collection tool, particularly as it occurred during an active period of severe weather across parts of Spain. The system is commonly used by witnesses to report unusual and extreme weather events, including tornadoes, hurricanes, waterspouts, and downbursts (reventones). It also serves as a key channel for reporting episodes of unusually heavy rain, hail, or sleet in unexpected geographical areas. For instance, during the storm episode that coincided with the cyberattack, sleet showers had been recorded off the Costa del Sol and reported through SINOBAS. Without this platform, such phenomena might go unrecorded and unstudied, hindering research and the understanding of local weather patterns.
The cyberattack's impact extended beyond the SINOBAS platform, affecting other digital services operated by the state weather agency. Among these was the Aemet meteoglossary, an online meteorological glossary. The incident also disrupted the work of Aemet personnel stationed at the agency's Antarctic weather station, impairing their ability to send or receive data and potentially affecting operational meteorological activities in the region. The full scope of the attack and the total number of compromised systems were not detailed in the immediate aftermath. Agency sources, however, expressed confidence that access to the affected services could be restored relatively quickly. Restoration was contingent on a thorough investigation and on measures to guarantee the full safety and security of all users before systems were brought back online.
The response actions taken by Aemet were precautionary in character. The primary confirmed response was the proactive takedown of the SINOBAS service following the detection of malicious activity. Taking an affected service offline is a standard containment step: it isolates the affected system, limits an attacker's ability to move laterally from it to other parts of the network, and protects the data it holds from exfiltration or corruption while the investigation proceeds. By taking the system offline, the agency aimed to halt any ongoing malicious activity associated with that particular service. The agency described the service as "temporarily suspended," indicating that the outage was not expected to be permanent and that the service would resume once the necessary security steps were completed.
The public announcement served as the main form of external communication regarding the incident, providing a basic factual account of the outage and its cause without delving into technical specifics that could compromise the ongoing investigation or remediation efforts. The agency did not attribute the attack to any specific threat actor or group, nor did it specify the nature of the attack, such as whether it involved ransomware, a denial-of-service attack, or another form of compromise. The focus remained on the operational impact—the services that were knocked out—and the preventive measures being taken. The lack of detailed information concerning the attacker's methods or motivations suggests that the investigation was in its early stages or that the agency chose to withhold those details for security reasons.
The consequences of the incident were primarily operational and scientific. The immediate effect was the denial of service, making key online resources unavailable to the public, researchers, and Aemet's own staff. For the scientific community and citizen scientists, the loss of SINOBAS meant a temporary gap in the data collection of rare atmospheric events, which are often time-sensitive and cannot be reported after the fact. The disruption to the Antarctica station's operations highlighted that the attack had a geographical reach extending beyond the Spanish mainland, affecting critical meteorological work in a remote and scientifically important location. The incident underscored the dependency of modern meteorological services on digital infrastructure and their vulnerability to cyber threats that can hamper both public-facing services and core scientific functions.
The duration of the outage and the timeline for full restoration of services were not immediately provided; the agency stated only that it hoped for a quick resolution pending safety guarantees. A restoration conditioned on such guarantees typically involves forensic analysis to determine the root cause, cleansing of affected systems to remove any malicious code, and, where an exploited vulnerability is identified, patching it before reconnection. The requirement to "guarantee the full safety of users" implies a deliberate process to confirm that systems were secure before they were reconnected to the internet, so as to prevent a recurrence of the incident or further damage upon reactivation. The overall response indicates a methodical approach to incident handling that prioritised long-term security over immediate availability.
