A cyberattack was the cause of a major outage which hit the Post Luxembourg network on Wednesday, disrupting internet and phone connections across the country for several hours, Post and the government have said.

The entire Post network was affected during the outage, which also impacted people trying to contact emergency services – leading to a nationwide alert being sent – and was a factor contributing to delays which affected 40 flights at Luxembourg Airport throughout Wednesday. 

In a statement on Friday afternoon, Post said that investigations had revealed the outage was the result of  “a targeted cyberattack of a particularly advanced and sophisticated technical level”.

The admission is a U-turn from earlier comments by Post director Claude Strasser, made at a press conference on Thursday, when he said that “we have no evidence that it was a cyberattack,” although he also admitted that analysing the cause of the problem had been “difficult”.

On Friday, Post said that is has so far not been possible “to identify the origin or perpetrator of the attack” but that it is preparing a report to the public prosecutor’s office about the incident.

“It has been established that this attack did not result in any intrusion into Post’s internal systems. No data was compromised or exfiltrated. This attack aimed to disrupt the operation of services,” Post said in a press release.

“This malicious operation exploited a software vulnerability in a standardised component to cause a large-scale malfunction and widespread unavailability of services,” Luxembourg’s largest telecoms service provider said.

Countermeasures implemented in response to the attack on Wednesday “have proven effective and continue to ensure the stability and security of services”, Post added.

The cyberattack was also confirmed in a separate statement on Friday by the government’s crisis unit, which had met to discuss the situation.

“The HCPN [High Commissioner for National Protection] is coordinating the detailed analysis of the incident at Post and its repercussions in close collaboration with all stakeholders involved, in order to develop measures to increase the resilience of essential systems,” the crisis unit said in its press release.

It is the latest in a series of cyberattacks on Luxembourg websites and services in the past year.

In January, a number of websites including MyGuichet and LuxTrust were inaccessible for a period of around two hours, while in spring 2024 a sustained attack at various stages over a two-week period took several government websites and services offline.

In both instances, pro-Russian hacker groups claimed responsibility, although the government did not confirm the origin of the attacks.