Last week’s cyberattack that knocked out Post’s network and paralysed emergency call services has exposed critical gaps in Luxembourg’s digital infrastructure, and was the subject of an extraordinary parliamentary committee meeting on Thursday.

“We don’t know who attacked us,” said LSAP MP and former Minister of the Economy Franz Fayot, who attended the meeting. “This is problematic. The public deserves an answer,” he said.

Fayot described the cyberattack as a “warning shot,” stressing the need for legislators to establish stricter guidelines for protecting critical infrastructure and ensuring emergency services remain functional during cyber crises.

Post Luxembourg has filed charges against unknown persons in connection with the attack. However, no group has claimed responsibility, and authorities remain uncertain whether the perpetrators are state actors, criminal groups, or others.

The attack took the network down nationwide for four hours, disrupting the interface between Post and its customers. Attackers exploited a software vulnerability in routers – including those manufactured by Huawei – installed across Post’s network.

While Huawei technology was involved, it was neither central to the system nor part of the 4G and 5G networks, which also incorporate equipment from Ericsson and other European manufacturers. Prime Minister Luc Frieden said in reply to an urgent parliamentary question that efforts are underway to replace technology from manufacturers outside the EU.

No consequences in hospitals during the outage

Despite the severity of the outage, no injuries or delays with negative consequences for patients were reported, according to checks carried out in hospitals. Emergency services had to act without access to Post’s telephone network, but the disruption was managed “smoothly,” said Fayot.

A snowball effect following the initial router hack caused the internet outage to cascade into the telephone network, raising concerns over the interdependence of these critical systems. LSAP lawmaker Ben Polidori on Thursday called for greater system independence to ensure telephone networks remain operational even if the internet goes down.

Post is working to prevent a repeat incident.

Polidori also expressed scepticism about the claim that the attack was unrelated to recent similar cyber incidents affecting telephone networks in Belgium, France, and the UK. “It really must have been a huge coincidence,” he said.

Luxembourg is increasingly exposed to cyber threats, Polidori claimed. “Even if I don’t like the word, we are in the midst of a cyber war. The number of attacks will only increase,” he said.

Post could not confirm whether the attack had a political motive or if Russia was involved.

Calls for stronger legal frameworks and better crisis communication were prominent during the committee meeting in parliament. The current system’s backup infrastructure was routed through the same provider as the main system, a vulnerability exposed during the attack.

The handling of crisis communication was also criticised. The government’s LU Alert message was delayed and unclear, with some interpreting it as overly alarmist. Interior Minister Leon Gloden, who also attended the meeting in parliament, promised improvements, including the preparation of tiered alert messages for future emergencies.

(This article was first published by the Luxemburger Wort. Machine translated, with editing and adaptation by Lucrezia Reale.)