Credit: Steven Miller

On the afternoon of Wednesday 23 July 2025, mobile phones across Luxembourg blared and vibrated as the national alert system kicked in to warn of a significant network outage affecting the country’s emergency contact lines.

It transpired that telecommunications company POST was experiencing a “major technical incident” in relation to its communication network, an incident the state-owned enterprise later described as an “exceptionally advanced and sophisticated” cyberattack.

Although POST clarified that the attack did not breach its internal systems and no data was compromised or exfiltrated, it did affect access to a number of key services which rely on POST’s telecommunications network and its associated systems. During the attack, POST’s phone, internet and banking services were unavailable to customers for a time, with the lack of phone service preventing access for many to the country’s 112 and 113 emergency numbers. This triggered the country’s national alert system (LU-Alert), setting off alarm bells both physically and metaphorically.

One of the key aspects of any piece of IT infrastructure is its contingency protocols: plans for when all or part of an active system goes down unexpectedly. These protocols are designed and put into place to ensure that critical operational ability can still be achieved despite an event, or events, impacting a system’s operation. The more interconnected parts a system has, the more complex the contingency planning must be. The more fundamental the system, the more important the contingency mechanisms put in place.

Major companies create these types of protocols for hardware failures (e.g. network outages, damaged infrastructure), software failures (badly implemented software releases, unforeseen software issues), service failures (power cuts, reliance on external providers) and outside events (flooding, earthquakes) because contingency isn’t just about ensuring the wheels of industry keep turning, it also saves lives.

Thankfully there were no notable ramifications as a result of the outage of the emergency phone lines (aside from the headaches it undoubtedly caused the network staff at POST) but this was hardly because of the advice provided to the public by the LU-Alert system.

“In case of emergency and impossibility to reach the 112: Try and select another provider. Otherwise go by yourself to the hospital or to the nearest fire station.”

That alert was delivered in Luxembourgish, French and English; but the complete lack of context - in any of those languages - is both astonishing and unsettling. It is possible to make sense of the alert after the fact, but when one’s phone is suddenly going off like a klaxon, it is near impossible to decipher what is taking place based on that choice of words.

Surely the purpose of these alerts is to provide the most pertinent information in relation to a situation, whilst attempting to alleviate panic or confusion? The government’s LU-alert.lu website states: “Warning and informing the population is an essential tool to enable citizens exposed, or likely to be exposed, to an event that could affect their physical integrity or that of their property, to prepare themselves by taking the useful and necessary precautions.”

Realistically, the service is limited by the number of characters that can reasonably be included within the alert but, again, the lack of context makes the information in the alert almost meaningless. A simple inclusion of something along the lines of “Due to network issues” would have at least made the message make some form of sense. Instead, it came across as if a major event had happened and, should something happen to you, you should not expect the emergency services to be available to come to your aid. For some people, the thought of something happening at Cattenom crossed their minds…

While not every warning for every scenario can be catered for, a little thought into the psychology behind the messaging would go a long way to both alleviating confusion and reinforcing the reputation and importance of the LU-Alert system, which has suffered in the eyes of many recently due to both its implementation and its testing schedules.

Yet, that all pales into insignificance in comparison to the problems caused by the cyberattack itself. That a single event was able to knock out essential communication channels and internet and banking access so effectively should be a wake-up call to both POST and the government. After all, this is a state-owned company.

POST revealed the outage was caused by the deliberate exploitation of Huawei-branded routers and software, which affected POST’s “core network” - the central hub from which all telecommunications originate. POST's CEO, Claude Strasser, explained that while the internet and the fixed and mobile communications networks are separate, they are linked by the software that manages them. This ultimately had repercussions for both the fixed and mobile networks and led to the scale of the outage of POST’s services.

As the cyberattack caused the 5G and 4G mobile networks to fail, an automatic fallback to the lower speed 2G network kicked in, but only worked briefly due to the high level of saturation on a network not designed to handle such volumes of data. This, in turn, impacted the delivery of LU-Alert notifications to certain mobile phones. The old adage that a chain is only as strong as its weakest link had been very dramatically demonstrated.

Mercifully, the actor(s) behind the attack on POST’s infrastructure were most likely just probing at weak points, what Luxembourg’s former Minister of the Economy, Franz Fayot, called “a warning shot”. Combine the targeting of such weak points with a large-scale event such as a terrorist attack, military assault or the Cattenom Nuclear Plant suffering a significant incident, and you would have a recipe for disaster and mayhem. The current implementation of the LU-Alert system would do little to help under those circumstances.

With people ever more reliant on mobile networks, this type of outage not only prevents the average user from communicating digitally but also impacts people who are part of the emergency services. With the Grand Ducal Police Force uncontactable during the attack over certain networks, their suggestion that people should contact them via social media channels or email was almost embarrassing. Thankfully, it only took POST around three hours to resolve the issues and return vital services to operating order.

The cyberattack on POST is nothing new. Various types of cyberattack happen in Luxembourg (and elsewhere) on an almost daily basis. Outside of the recent POST incident, MyGuichet and LuxTrust services suffered DoS attacks in January of this year, as did the Ministries of Finance and Justice, STATEC and Guichet.lu in March 2024. And Proximus suffered a cyberattack days after POST. Every year, Luxembourg’s own House of Cybersecurity assists organisations with thousands of cyber incidents. By their own estimates, only around 30 to 40 of these could be considered as high-profile but they are not generally reported to the public and the perpetrators are often not identified.

Yet, for many, this time was different because the mention of technology manufacturer Huawei immediately raised eyebrows - not because there is any suggestion that the company was implicated but because it highlighted concerns raised as far back as 2010 by authorities in the US and Europe about the wide use of Chinese telecommunications equipment within critical infrastructure.

A decision by the UK government in 2020 to ban local telecom firms from using Huawei equipment in the deployment of the country’s 5G networks cost the UK’s main telecommunication company BT an estimated £500 million (€575.5 million). In August 2018, the then US President Donald Trump signed the National Defence Authorisation Act for Fiscal Year 2019, which contains a provision barring the US government from purchasing hardware from Huawei on the grounds of cybersecurity issues. At present, eleven EU Member States have enacted legal measures against Huawei and other suppliers such as China’s ZTE to prevent their technology being implemented in 5G infrastructures and other networks. That none of these measures comes cheaply reinforces the magnitude of such decisions, both economically and politically.

Ultimately, this latest cyberattack raises a number of serious questions in regard to Luxembourg’s existing telecommunications infrastructure, including its components, configuration and contingency protocols, and the quality of the LU-Alert system. It has left the state-funded POST with a bloody nose, yet it could prove to be a blessing in the long term, forcing the authorities and POST to wake up to the ever-growing impacts of what is a serious problem: our reliance on an ever more interconnected world. Let us heed the alarm now before we receive another on our phones.