Cyber Incident Victim: Sweden Transport Agency

Date: Oct 2017

Location: Sweden

Summary

DDoS attacks disrupted Sweden's transport agencies on consecutive days, causing widespread train delays and system outages. The first incident halted or delayed trains by targeting IT systems managing orders, while also taking down email, websites, and road traffic maps, with some effects persisting. A subsequent attack the next day affected another agency and a public transport operator, disrupting services across multiple regions. The coordinated incidents appeared to probe the resilience of national transportation infrastructure, and occurred amid heightened regional tensions over cyber activity.

Description

On October 11, 2017, a distributed denial-of-service (DDoS) attack disrupted the Sweden Transport Administration (Trafikverket) during early morning hours. The attack targeted TDC and DGC, two service providers critical to Trafikverket’s operations, causing the failure of the IT system responsible for managing train orders. This forced the agency to halt or delay train services nationwide. Concurrently, Trafikverket’s email system and public website became inaccessible, preventing travelers from booking tickets or receiving real-time updates on disruptions. The agency resorted to Facebook to keep the public informed about service restoration efforts and delays. Road traffic mapping systems also experienced outages, with partial functionality still impaired two days later. Trafikverket restored core services within hours, but residual delays persisted throughout the day due to cascading scheduling disruptions.

A second DDoS attack occurred on October 12, 2017, targeting the Sweden Transport Agency (Transportstyrelsen) and Västtrafik, a regional public transport operator managing trains, buses, ferries, and trams in western Sweden. The attack methodology mirrored the prior incident, overwhelming online systems and causing service interruptions. These sequential incidents suggested a coordinated effort to test response capabilities across Sweden’s transportation infrastructure. The attacks coincided with heightened regional tensions, following reports of Russian cyber activity in the Baltic Sea area the preceding week. Swedish authorities had previously attributed a November 2015 cyberattack on air traffic control systems to Russian actors, though no formal attribution was disclosed for the 2017 transport incidents. Operational impacts were confined to service delays and IT system downtime, with no reported physical safety incidents or long-term infrastructure damage.
