
Cyber Incident Victim: ÖBB

Date: Dec 2022

Location: Austria

Summary

A distributed denial-of-service (DDoS) attack targeted the Austrian Federal Railways' systems, causing significant disruptions to its website accessibility and online ticket sales. The attack rendered the website intermittently unavailable or extremely slow to load, while users reported complete failures in purchasing tickets and instances of duplicate payment charges. All online services were impacted during the incident, with restoration efforts officially completed by midday though intermittent accessibility issues persisted for some time afterward. The organization confirmed the cyberattack's nature after initial operational statements cited technical problems without specifying the cause.


Description

On December 16, 2022, ÖBB experienced significant disruptions to its online services starting Friday morning. Users reported extreme delays in loading the ÖBB website, with complete inaccessibility occurring intermittently. The online ticket purchasing system faced severe operational issues, with multiple complaints indicating transactions either failed entirely or resulted in duplicate charges to customers' accounts. ÖBB initially acknowledged a technical problem via Twitter, stating that teams were working on a resolution, but it did not publicly disclose the root cause during the early stages of the incident. Independent analysis by futurezone, based on source information, suggested a potential cyberattack, though technical indicators pointed specifically to a distributed denial-of-service (DDoS) incident rather than a conventional intrusion.


ÖBB subsequently confirmed the disruption resulted from a DDoS attack impacting all online services. The company completed mitigation efforts by 12:30 PM local time, restoring core functionality. Despite this remediation, intermittent website availability issues persisted as late as 2:22 PM, indicating residual instability during the recovery phase. The attack caused tangible operational consequences, including disrupted ticket sales and financial transaction errors affecting customers. CERT.at, Austria's computer emergency response team, declined to comment on the incident, adhering to standard protocols requiring victim consent before public discussion. No threat actor group, motive, or ransom demand was explicitly identified in available reporting. Service normalization continued beyond the initial containment period, with lingering accessibility problems gradually subsiding.
