Recent DDoS Attack Impacts Swedish Transit Site

On Friday, August 16 in Stockholm, Sweden, the Stockholm Public Transport (SL) website was hit by a powerful DDoS attack. SL is the company in charge of bus and rail service in the Swedish capital. Fortunately, it affected only the website and apps for purchasing tickets and planning routes, as well as some of the electronic information panels at various stops, rather than the transport services themselves.

According to a post by City Network Hosting (the company that hosts the Stockholm Public Transport agency), the attack was mitigated after approximately six hours: “Technicians are on their way to our Stockholm datacenter to install additional hardware and security systems. The Stockholm node has been in Beta since its (sic) launch in early June (sic) and we will now do some maintenance before launching the service.”

The ramifications of an attack on public transport services could have been much more serious but, either way, such attacks are costly, not only in terms of the logistical impact on transit riders, but also in terms of the personnel resources needed to react to the crisis and the additional hardware or services needed to mitigate the attack. It is not clear from public media reports what type of mitigation was deployed to restore Stockholm transport’s website and web applications. The costs of such DDoS attacks are hard to measure, but mitigation costs can scale into the tens of thousands of dollars. The monthly fee for cloud-based protection, for example, can appear quite affordable, but in the event of an actual attack those costs can escalate to staggering levels, depending on the size and duration of the attack. There is also the challenge of the initial time-to-mitigation for such services, which leaves the target exposed to the full force of the attack for a significant period of time before protection actually engages.

Unfortunately, this is not the first time that a major Swedish organization has been hit with a crippling DDoS attack, and it probably won’t be the last time. In mid-December 2014, Telia, Sweden's largest ISP, suffered a series of outages that left its customers offline intermittently; in that case a mystery gaming site, not the ISP, was the intended target of the cybercriminals, but the ISP suffered collateral damage. In mid-October 2017 a DDoS attack was blamed for the partial shutdown of Sweden's Transport Agency (Transportstyrelsen) website; that incident occurred one day after Sweden's Transport Administration (Trafikverket) was targeted in what was later also confirmed as a DDoS attack that caused train delays across large parts of Sweden.

The Swedish DDoS attacks are clear examples of how critical infrastructure is vulnerable to DDoS attacks. One typically thinks of critical infrastructure only in terms of energy, utility and transit systems; however, Internet service is also a crucial part of a city, state or national economy. Losing Internet service during an online gaming session is arguably a mere inconvenience, but the inability to operate online can be catastrophic to a business or government. So, are government agencies adequately prepared to defend against future DDoS attacks? That depends. For example, a year ago Corero learned that more than two thirds of UK critical infrastructure organizations (70%) have suffered from service outages on their IT networks in the past two years. As well as the direct impact of an attack, such organizations are also now at risk of receiving fines under the Network and Information Systems Regulations 2018 legislation.

Whether a DDoS attack against critical infrastructure is orchestrated by a lone actor or a nation-state, it can cause economic damage and threaten public safety. Knowing that cybercriminals do target transit systems, and other public services, the relevant agencies must now be prepared with the appropriate technology to defend the general public. The most effective way to defeat these disruptive and damaging threats is with always-on DDoS protection that can detect and mitigate the attacks in real-time.

The simplest solution is to leverage one of the many ISPs that are now in a position to protect their downstream customers, both enterprises and government agencies. More and more ISPs are deploying advanced DDoS mitigation solutions, be it on-premises purpose-built DDoS defense, a cloud scrubbing service, or a hybrid combination of the two. By deploying DDoS protection at the top of the funnel, service providers protect their own infrastructure while offering a comprehensive security solution to their customers, either by default or as a paid-for managed service. In fact, many ISPs now offer DDoS Protection as a Service (DDPaaS) to their downstream customers, which makes DDoS protection seamless, affordable and easy.

For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.