Cyber Incident Victim: Luxembourg Government
Date: Mar 2024
Location: Luxembourg
Summary
A series of pro-Russian cyberattacks targeted Luxembourg's government and municipal websites through distributed denial-of-service (DDoS) attacks, causing intermittent outages across critical platforms including ministerial portals, public services, and local commune sites. The hacker group NoName057(16) claimed responsibility, citing retaliation for Luxembourg's financial support in procuring artillery ammunition for Ukraine via a Czech-led initiative. While some services like Vianden and Differdingen recovered swiftly, others such as Diekirch remained disrupted for maintenance. The High Commission for National Protection coordinated mitigation efforts through a crisis unit involving defense, intelligence, and IT agencies, successfully restoring most systems but anticipating potential follow-on attacks. Private sector entities and unrelated organizations were also inadvertently impacted due to misdirected targeting by the hackers.
Description
On March 21, 2024, Luxembourg experienced a significant cyberattack targeting multiple government and private-sector websites, marking the first major incident of its scale in the country. Pro-Russian hackers claimed responsibility for coordinated distributed denial-of-service (DDoS) attacks that disrupted access to critical online services, including myguichet.lu, gouvernement.lu, the Chamber of Deputies website, and the Luxembourg Army’s site. The attackers, operating under a politically motivated agenda, publicly justified their actions on Telegram and Twitter by citing Luxembourg’s financial support for a Czech-led initiative to procure artillery ammunition for Ukraine from non-EU countries. They derogatorily referred to Luxembourg as a "dwarf state" and concluded their statement with "Glory to Russia." The attack overloaded servers with simultaneous connection requests, causing extended outages from morning until early evening, with intermittent restoration efforts. Private-sector entities, including the website of the Akademischer Verein d’Lëtzebuerger (a student club mistakenly targeted instead of the AVL bus network) and the Tageblatt newspaper, were also affected.

Prime Minister Luc Frieden activated a crisis unit led by Digitalization Minister Stéphanie Obertin, coordinating responses across multiple agencies, including the High Commission for National Protection (HCPN), the Defense Directorate, the Police, the Luxembourg Intelligence Service, and the Computer Incident Response Center Luxembourg (CIRCL). The government’s Center for Information Technology (CTIE) implemented countermeasures by identifying and blocking malicious traffic sources, though CTIE Director Patrick Houtsch acknowledged the attackers’ adaptability and the uncertainty regarding the attack’s duration. No data breaches or permanent damage were reported, but the incident exposed vulnerabilities despite Luxembourg’s investments in cybersecurity infrastructure like the NATO-affiliated Cyber Defense Cloud.

The attacks persisted into late March, with a second wave targeting government portals on March 26 and municipal websites on March 27. On March 26, the same pro-Russian group, identified as NoName057(16), launched renewed DDoS strikes against Guichet.lu, the Interior, Finance, Justice, and Mobility Ministries, the Police, ADEM (employment agency), and STATEC (statistics office). The HCPN confirmed these sequential attacks, which again exploited server overload tactics. By March 27, the hackers shifted focus to municipal websites in Differdingen, Vianden, Diekirch, and Ettelbrück, boasting on their Telegram channel about disrupting Vianden’s site. Most municipal services, including Differdingen and Ettelbrück, were restored by 17:30 that day, but Diekirch’s site remained under maintenance with officials acknowledging a potential cyberattack link.

The HCPN’s crisis team maintained continuous monitoring and adaptive defense measures to mitigate impacts. Luxembourg’s response emphasized resilience, with CTIE refining its strategies through real-time incident handling and collaboration with NATO-aligned cybersecurity frameworks. The incidents underscored the persistent threat of geopolitically motivated cyber operations, though no critical infrastructure compromises or data losses were confirmed beyond temporary service interruptions.
