Cyber Incident Victim: City of Bend

On June 12, 2023, several websites and online services belonging to the Swiss federal administration and federally associated companies were rendered temporarily unreachable due to a series of distributed denial-of-service (DDoS) attacks. The attacks targeted the IT systems of the federal administration and were confirmed to have affected a large portion of its web presence. The National Cyber Security Centre (NCSC) indicated that the assault appeared to be aimed at the entire federal administration as a whole. For a period of time, the majority of the federal administration's websites, those of federally associated companies, and several federal applications were unavailable. Among the specific entities impacted were the Swiss Federal Railways (SBB); a company spokesperson confirmed that its website and online services were affected by the server overload attacks on Monday morning.

The pro-Russian hacktivist group known as “NoName057(16)” publicly claimed responsibility for the cyber incident. This same group was also behind a previously publicized attack on the Swiss parliament’s website, parlament.ch, the prior week. The group’s motivation is its opposition to Western support for Ukraine following Russia's invasion. The timing of the June 12th attacks was linked to Russia's national holiday, known as "Russia Day," which commemorates the declaration of Russian sovereignty from the USSR on June 12, 1990. The group announced its actions in a message published on a Telegram channel.

Specialists within the federal administration rapidly detected the ongoing attack and immediately implemented measures to restore the availability of the websites and online applications as quickly as possible. The Eidgenössisches Finanzdepartement (EFD), or Federal Department of Finance, communicated this information in a public statement on Monday. The technical nature of a DDoS attack involves overwhelming websites and other publicly accessible online applications with a massive volume of automated requests, causing them to become unreachable due to server overload. It was explicitly noted that these attacks do not constitute a traditional intrusion into protected IT systems; the perpetrators do not breach security to access or exfiltrate data. Instead, they bombard internet-accessible servers with requests until they can no longer respond to legitimate traffic.

The Swiss Federal Office of Attorney General confirmed that these attacks became part of an existing criminal investigation. The office had previously announced the opening of a criminal procedure based on the attack on the parliamentary services' website. Upon inquiry, the authority stated that the attacks from Monday, June 12th, were also subject to these ongoing investigations. The DDoS attacks are viewed as a form of retaliatory measure against the economic sanctions imposed on Russia by Western nations. The NoName057(16) group has a history of such actions, having previously targeted the Italian military online after Italian Prime Minister Giorgia Meloni expressed her support for Ukraine and pledged full backing for its war efforts. Furthermore, over the preceding months, the group had executed numerous DDoS attacks against European logistics and transport companies, expanding their targeting beyond government entities.

The group first emerged in March 2022, shortly after the beginning of Russia's illegal war of aggression against Ukraine. Its initial activities involved claiming responsibility for DDoS attacks on websites belonging to Ukrainian, American, and European state organizations and authorities, media houses, and private companies. While the primary focus of the June 12th attack was Swiss federal infrastructure, the group's broader pattern of activity also includes targeting Ukraine itself. The possible existence of a connection between these DDoS attacks and a planned address by Ukrainian President Volodymyr Zelenskyy before the Swiss federal parliament, scheduled for the afternoon of Thursday, June 15th, was reported as being unknown at the time of the incident. The impact of the attack was temporary, with services being restored after the implementation of defensive measures by federal IT specialists. The incident highlighted the ongoing threat posed by politically motivated hacktivist groups and their use of relatively simple but disruptive techniques to target government digital infrastructure in response to geopolitical events.