Cyber Incident Victim: Sweden Transport Administration (Trafikverket)
Date:
Oct 2017
Location:
Sweden
Summary
A DDoS attack disrupted Sweden's Transport Administration, causing significant train delays and service interruptions by targeting critical IT systems managing train operations, email, and public-facing websites. The incident forced the agency to halt or delay services and rely on social media for traveler updates, with residual impacts on road traffic maps persisting beyond initial restoration efforts. A similar attack occurred the following day against another government transport agency and a regional public transport operator, suggesting coordinated targeting of Sweden's transportation infrastructure. These disruptions followed reports of heightened cyber activity in the region, though no direct attribution was confirmed in this incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 11, 2017, a distributed denial-of-service (DDoS) attack disrupted IT systems operated by Sweden's Transport Administration (Trafikverket) during early morning hours. The attack targeted the agency's two service providers, TDC and DGC, specifically impacting systems responsible for managing train orders. This forced Trafikverket to halt or delay train services nationwide during the attack window. Concurrently, the agency's email system and public website became inaccessible, preventing travelers from making reservations or accessing delay updates. Trafikverket utilized its Facebook page as an alternative communication channel to disseminate service information. Road traffic mapping systems were also compromised, with functionality remaining impaired for multiple days according to agency statements. Technical teams restored core services within several hours, though residual delays persisted throughout the day's rail operations due to cascading scheduling disruptions.
A second DDoS attack occurred on October 12, 2017, affecting Sweden's Transport Agency (Transportstyrelsen) and regional public transport operator Västtrafik, which manages train, bus, ferry, and tram services in western Sweden. This follow-up incident reinforced concerns that the attacks constituted coordinated probing of Sweden's transportation infrastructure resilience. The timing coincided with reports of Russian cyber-weapon testing in the Baltic Sea region the preceding week. Historical context included Sweden's prior attribution of a November 2015 air traffic control cyberattack to Russian actors, which had grounded flights for 24 hours. Trafikverket characterized the initial attack as strategically focused on service providers to maximize operational disruption, though no explicit attribution was provided for the 2017 incidents. The dual attacks demonstrated tangible impacts on national mobility infrastructure while testing organizational response protocols during sustained system outages.