Cyber Incident Victim: Västtrafik

Date: Oct 2017

Location: Sweden

Summary

DDoS attacks disrupted multiple Swedish transport agencies and a public transport operator on consecutive days, causing significant train delays and service interruptions. The first incident incapacitated IT systems managing train orders, forcing halts or delays, while also knocking out email, websites, and road traffic maps, with some effects persisting. The following day, another attack targeted additional transport entities, further impacting operations. Service providers were strategically attacked to maximize disruption, crippling reservation systems and necessitating alternative communication via social media. The coordinated incidents appeared to probe the resilience of the country's transportation infrastructure amid broader regional cybersecurity concerns.

Description

On October 11, 2017, a DDoS attack disrupted Sweden's Transport Administration (Trafikverket) during early morning hours. The attack targeted the agency's two service providers, TDC and DGC, specifically impacting systems responsible for managing train orders. This forced Trafikverket to halt or delay train operations nationwide. Concurrently, the agency's email system and public website became inaccessible, preventing travelers from making reservations or accessing delay updates. Trafikverket utilized its Facebook page as an alternative communication channel to disseminate service information during the outage. Road traffic mapping systems were also knocked out, with residual disruptions reported on the agency's website as of October 13. Technical teams restored core services within several hours, though train schedule delays persisted throughout the day due to cascading operational impacts. The attack's precise targeting of critical infrastructure providers suggested deliberate coordination rather than random disruption.

A second DDoS attack occurred on October 12, 2017, affecting Sweden's Transport Agency (Transportstyrelsen) and public transit operator Västtrafik, which managed train, bus, ferry, and tram services in Western Sweden. While specific system impacts for Västtrafik weren't detailed, the simultaneous targeting of multiple transportation entities across consecutive days indicated a pattern of probing Sweden's critical transport infrastructure resilience. These incidents coincided with regional security reports of Russian cyber-weapon testing in the Baltic Sea area, though no direct attribution was confirmed. Historical context referenced a November 2015 cyber-attack on Swedish air traffic control—attributed to Russia by officials—that grounded flights for 24 hours. The 2017 attacks collectively demonstrated operational vulnerabilities in national transportation networks during sustained cyber assaults, with service restoration timelines highlighting dependencies on third-party providers.
