Swiss Parliament Website Taken Offline
by DDoS Attack

What happened

The website of the Swiss Federal Parliament, parlament.ch, experienced repeated disruptions starting on Tuesday, June 24, 2026. The portal, which publishes the latest resolutions of the National Council and Council of States and their subsidiary bodies, displayed maintenance messages throughout Tuesday and continued to show intermittent outages on Wednesday, June 25.

Parliamentary Services confirmed that a cyberattack was responsible for the outages and stated they could not estimate when the website would be fully accessible again. The attack has been identified as a DDoS (Distributed Denial of Service) attack, where servers are flooded with simultaneous requests until legitimate access is blocked.

It is not yet clear who is behind the attacks.

A pattern, not an isolated incident

This is not the first time Swiss government infrastructure has been targeted. DDoS attacks against Swiss authorities have become a recurring pattern, with incidents increasing in frequency and tied to geopolitical events. According to ENISA, DDoS accounted for 60% of all cyber incidents targeting European government entities, with public administration being the most targeted sector at 38% of all incidents across the EU.

The NoName057(16) pattern

The pro-Russian hacktivist group NoName057(16) has been active since March 2022 and has claimed responsibility for multiple attacks on Swiss infrastructure. The group uses a crowdsourced DDoS tool called DDoSia, distributed via Telegram, that rewards volunteers with cryptocurrency for participating in attacks. Targets are chosen based on geopolitical triggers: sanctions votes, summit attendance, statements of support for Ukraine.

In July 2025, Europol's Operation Eastwood seized over 100 servers across Switzerland, the US, and several EU countries associated with the group. It did not stop them. Attack command volume actually increased afterward, from roughly 6,300 commands per month to over 7,700. The group has continued campaigns across France, the UK, Germany, Poland, Spain, Italy, and Romania throughout late 2025 and into 2026.

The attacks themselves are not sophisticated. They do not need to be. A government website going offline during a summit or a sanctions vote generates headlines, and generating headlines is the entire objective of hacktivist DDoS campaigns.

Why government websites are easy targets

Government websites are disproportionately vulnerable to DDoS attacks for reasons that are structural rather than technical.

• Procurement cycles prevent rapid response. Government IT procurement operates on timelines measured in months or years. When an attack starts, there is no option to sign up for a scrubbing service and deploy it in an afternoon. The protection has to already be in place, and the budget for that protection has to have been approved well in advance.
• Attention is the objective. Most DDoS attacks against commercial targets aim to cause revenue loss or extort a ransom. Attacks against government websites aim to generate media coverage. The bar for success is much lower: a few hours of downtime generates the desired press attention regardless of whether any data was compromised or any lasting damage was done.
• Infrastructure budgets are fixed. A hosting company under attack can scale up protection spending as a direct business cost. A government IT department cannot request an emergency budget allocation during an active attack. The protection capacity that exists at the moment the attack starts is all there is.
• Public-facing services must remain accessible. Government portals cannot sit behind aggressive bot management or JavaScript challenges without creating accessibility barriers for citizens. This limits the mitigation options available compared to commercial web applications.

Switzerland's new reporting obligation

Since April 1, 2025, Switzerland has had a mandatory reporting obligation for cyberattacks on critical infrastructure under an amendment to the Information Security Act. Organizations affected by cyber incidents, including energy and water suppliers, transport companies, and cantonal and municipal public administrations, must report incidents to the Federal Office for Cybersecurity (BACS) within 24 hours. A complete report is due within 14 days. Non-compliance carries penalties of up to CHF 100,000, enforceable since October 2025.

BACS (Bundesamt fur Cybersicherheit, formerly the National Cyber Security Centre) serves as the central coordination point for cybersecurity incidents affecting Swiss critical infrastructure. By early February 2026, BACS had already received 264 reports of cyberattacks on critical infrastructure under the new framework. Of those reports, DDoS accounted for 18.1%, followed by unauthorized access (16.1%) and ransomware (12.4%).

The reporting obligation is a step forward for incident visibility and cross-entity coordination. But reporting an attack after the fact does not prevent the next one. The infrastructure and processes that detect and mitigate DDoS attacks have to be operational before the traffic starts.

What operators can learn from this

Whether you run government infrastructure, ISP transit, or customer-facing hosting, the parlament.ch incident reinforces a pattern that plays out the same way every time.

The attack is not the hard part

DDoS attacks against web applications are operationally simple. Booter services and botnet-for-hire operations make it possible to launch a multi-hundred-thousand PPS flood for a few dollars. The technical barrier to executing an attack is near zero. The only defense is having detection and mitigation in place before the traffic arrives.

Detection speed determines impact

The difference between a DDoS attack that causes a multi-day outage and one that generates a brief alert is detection speed. Flow-based detection systems that rely on NetFlow or sFlow telemetry from routers typically detect attacks in 30 to 60 seconds. Per-server agents that monitor traffic directly at the kernel level detect in under one second. For a 30-second burst attack, the flow-based system may not fire an alert before the attack ends. The per-server agent fires at second one.

Mitigation without detection is guessing

Upstream scrubbing services and BGP blackholing are mitigation tools. They are effective when triggered correctly. But they require a detection signal to activate. Without per-server visibility that tells you exactly which server is being targeted, what type of traffic is hitting it, and at what volume, your mitigation options are limited to broad responses (blackhole the target IP) rather than surgical ones (rate-limit UDP from port 53 while keeping TCP connections alive).

PCAP evidence matters for coordination

Switzerland's 24-hour reporting obligation to BACS requires incident data. Flow-level summaries tell you that traffic was elevated. PCAP captures tell you exactly what the attack looked like at the packet level: source IP distributions, packet sizes, protocol specifics, and attack vector identification. When coordinating across agencies or working with upstream providers to trace attack infrastructure, packet-level evidence is what moves the conversation forward.

Frequently asked questions

Related Articles