Cyber Incident Victim: Luxembourg City
Date:
Mar 2024
Location:
Luxembourg
Summary
Pro-Russian hackers, including the group NoName057(16), conducted a series of DDoS attacks targeting government and municipal websites, causing temporary disruptions to services including ministerial portals, police resources, and local administration sites. The attackers cited opposition to the country's financial support for a Czech-led initiative supplying artillery ammunition to Ukraine as motivation. The High Commission for National Protection activated crisis response teams involving multiple security and technical agencies to mitigate attacks, successfully restoring most services promptly while monitoring ongoing threats. Some private sector entities and non-governmental websites were also inadvertently affected during these coordinated campaigns, though impacts varied across targets.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
A series of distributed denial-of-service (DDoS) attacks targeted Luxembourg's digital infrastructure between March 21 and March 27, 2024, with pro-Russian hacker group NoName057(16) claiming responsibility. The initial attack on March 21 disrupted multiple government websites including myguichet.lu, gouvernement.lu, and the Chamber of Deputies site, alongside private sector platforms. Hackers flooded servers with simultaneous connection requests, overwhelming systems and causing extended outages. The group justified the attack through Telegram and Twitter statements referencing Luxembourg's financial support for a Czech-led initiative to procure Soviet-era artillery shells for Ukraine, calling the nation a "dwarf state" and concluding with "Glory to Russia." Luxembourg's Computer Incident Response Center Luxembourg (CIRCL) and the Center for Information Technology of the State (CTIE) implemented source identification and blocking measures, restoring most services by evening. Prime Minister Luc Frieden activated a crisis unit led by Digitalization Minister Stéphanie Obertin, coordinating defense efforts across 14 agencies including the High Commission for National Protection (HCPN), police, army, and intelligence services.
The attacks resumed on March 26 with renewed DDoS strikes against government portals including Guichet.lu, Interior Ministry, Finance Ministry, Justice Ministry, and police websites. NoName057(16) announced this second wave via Telegram, collaborating with allied hacker groups to launch sequential assaults throughout the day. On March 27, attackers shifted focus to municipal websites in Differdingen, Vianden, Diekirch, and Ettelbrück, briefly disabling Vianden's site before restoration by 17:30. Diekirch's platform displayed maintenance messages potentially linked to cyber interference. HCPN's operational team continuously monitored threats and adjusted defensive protocols to minimize disruptions. While most municipal services recovered swiftly, the sustained campaign revealed collateral damage including the mistaken targeting of www.avl.lu (a German student association's site) and Tageblatt newspaper's platform. CTIE Director Patrick Houtsch noted the attackers' adaptability but confirmed successful mitigation through source blocking, emphasizing Luxembourg's prior investments in NATO-aligned Cyber Defense Cloud infrastructure and cyberrange training simulations specifically designed to counter DDoS tactics.