Cyber Incident Victim: Kanton Basel-Stadt

Date:

Jun 2023

Location:

Switzerland

Summary

The Kanton Basel-Stadt was impacted by a DDoS attack which rendered its official website inaccessible or slow for several hours. The attack, attributed to the NoName group, involved flooding the site with over 100,000 requests per second to cause a temporary denial of service. IT specialists detected the incident early and implemented successful countermeasures, restoring most systems to normal operation. No data was compromised during the attack, which also affected numerous other Swiss cantons, cities, and federal organizations.

CIA Posture: Available to members

Motives: 2 motives

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

On the morning of June 14, 2023, the website of the Kanton Basel-Stadt, www.bs.ch, became unreachable or only accessible with significant delays. The disruption began at approximately 8:15 AM and was the direct result of a Distributed Denial of Service (DDoS) attack. The attack consisted of an overwhelming flood of internet traffic directed at the canton's web servers, with the volume of malicious requests exceeding 100,000 per second. The primary objective of this type of attack is not to steal or damage data but to render a targeted online service temporarily unavailable by saturating its capacity to handle legitimate requests. The Kanton Basel-Stadt was not the sole target; this incident was part of a broader campaign affecting other Swiss cantons, cities, and organizations, including the Swiss federal government and the national railway company, SBB.


The group identified as responsible for orchestrating this attack is known as NoName. This attribution was made by the Kanton Basel-Stadt based on the attack patterns and the group's public claims of responsibility for a series of similar incidents against Swiss entities in the days immediately preceding this event. The NoName group had previously targeted the Swiss Confederation and the SBB, establishing a pattern of disruptive attacks against public sector and critical infrastructure websites. The attack on Basel-Stadt was therefore a continuation of this coordinated campaign, leveraging a distributed network of compromised devices to generate the massive traffic volume required for the denial-of-service operation.

IT specialists within the Kanton Basel-Stadt's organization detected the anomalous traffic patterns indicative of the DDoS attack early in its execution. Upon identification, these technical teams promptly initiated pre-planned countermeasures designed to mitigate such incidents. The specific nature of these defensive actions was not publicly disclosed due to security policies aimed at protecting operational details from future adversaries. However, the implemented response protocols were effective in gradually restoring service availability. By 11:00 AM on the same day, the majority of the affected systems were reported to be running again without disruption, marking a significant containment of the incident within a window of under three hours.
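The early detection described above rests on recognising an abnormal request rate. The following is an added example, not the canton's own tooling (which was never disclosed): it runs a simple rate-spike check over constructed access-log lines in a simplified "epoch_second source_ip request" format. The warm-up window, spike factor and hard limit are assumed tuning parameters.

```python
"""Rate-based flood detection over constructed web-server access-log lines."""
from collections import Counter, defaultdict
from statistics import median


def build_sample_log():
    """Constructed sample: 5 s of quiet traffic, then 3 s of a distributed flood.
    Timestamps and addresses are invented; these are not real bs.ch logs."""
    lines = []
    for sec in range(1686723300, 1686723305):          # quiet baseline, 3 req/s
        for i in range(3):
            lines.append(f"{sec} 10.0.0.{i + 1} GET /")
    for sec in range(1686723305, 1686723308):          # flood, 40 req/s from 40 sources
        for i in range(40):
            lines.append(f"{sec} 192.0.2.{i + 1} GET /")
    return lines


def parse_line(line):
    """Return (second, source_ip) from one constructed log line."""
    second, ip, _request = line.split(" ", 2)
    return int(second), ip


def per_second_stats(lines):
    """Map each second to its request count and its set of distinct source IPs."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        second, ip = parse_line(line)
        counts[second] += 1
        sources[second].add(ip)
    return counts, sources


def detect_flood(lines, warmup_seconds=5, spike_factor=5, hard_limit=100_000):
    """Flag seconds whose request rate exceeds spike_factor x the warm-up median
    or an absolute hard limit. Returns [(second, rate, distinct_sources), ...].
    The distinct-source count separates a distributed flood from one noisy client."""
    counts, sources = per_second_stats(lines)
    seconds = sorted(counts)
    baseline = median(counts[s] for s in seconds[:warmup_seconds]) or 1
    flagged = []
    for s in seconds[warmup_seconds:]:
        rate = counts[s]
        if rate > spike_factor * baseline or rate > hard_limit:
            flagged.append((s, rate, len(sources[s])))
    return flagged


if __name__ == "__main__":
    for second, rate, srcs in detect_flood(build_sample_log()):
        print(f"{second}: {rate} req/s from {srcs} distinct sources")
```

In production the baseline would come from a rolling window rather than the first few seconds, and the flagged output would feed an upstream rate limiter or scrubbing service rather than a print statement.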

Despite the successful restoration of services, the authorities acknowledged the potential for further intermittent outages throughout the remainder of the day. The dynamic nature of DDoS attacks means that attackers can sometimes adapt their methods or persist in their efforts, requiring defenders to remain vigilant and continue adjusting their defensive postures. The incident resulted in a service interruption lasting nearly three hours, during which time citizens and other users were unable to reliably access the information and services hosted on the primary cantonal website. The impact was confined to the availability of online services; no data was compromised, exfiltrated, or damaged during the attack, as a pure DDoS attack does not involve breaching security perimeters to access or alter data.

Following the initial containment, the response effort shifted to analysis and adaptation. The Kanton's IT professionals undertook a detailed analysis of the attack vectors, traffic sources, and methods employed by the NoName group. This forensic process is crucial for understanding the scope of the incident and for strengthening defenses against similar future attacks. The findings from this analysis were used to continuously adapt and refine the existing security measures and incident response plans. The public communication from the canton emphasized that while the immediate threat was neutralized, the work of hardening systems against evolving threats is an ongoing process, necessitated by the persistent risk posed by hacktivist and other cyber threat groups. The incident underscored the vulnerability of public sector digital infrastructure to relatively simple but high-volume attacks and highlighted the importance of having robust detection and mitigation capabilities in place to ensure the continuity of essential online services.
