Luxembourg Hit by “Sophisticated” Cyberattack: Huawei Equipment Targeted, Mobile Networks Down for Hours

The government of Luxembourg has launched an official investigation into an unprecedented disruption of the national telecommunications system that occurred on July 23. The cause of the outage, which left 4G and 5G mobile networks inoperable for over three hours, was a cyber incident targeting Huawei equipment embedded within the infrastructure of the state-owned telecom provider, POST Luxembourg.

The repercussions were deeply felt. With the outdated 2G network overwhelmed, a significant portion of the population was unable to contact emergency services. Simultaneously, the breakdown in cellular connectivity disrupted internet access and electronic banking services nationwide. Even the national alert mechanism failed: emergency notifications were not delivered to recipients, as the system also relies on POST’s mobile infrastructure.

According to officials, the attack was not intended to steal data or breach network systems. Its apparent aim was to destabilize critical services. As the director of POST clarified, the techniques employed were “exceptionally sophisticated and technologically intricate.” Nevertheless, preliminary assessments indicate that internal systems and stored data were not compromised.

Of particular concern is the exploitation of a vulnerability in a standardized software component used in Huawei’s network equipment. Although official statements refrained from naming the vendor directly, the publication Paperjam reported that Huawei routers were the focal point of the attack. In response, the regulatory authority for critical infrastructure has urged all organizations utilizing such devices to immediately contact the National Cybersecurity Incident Response Center (CSIRT).

Previous vulnerabilities in Huawei’s network operating system, VRP, which underpins its enterprise products, have indeed been documented—some of which enabled remote denial-of-service attacks. However, no new critical flaws have been disclosed in public sources.

While CSIRT specialists continue their meticulous forensic analysis, the public prosecutor’s office has also been engaged to determine whether criminal offenses were committed and to identify any responsible parties. Additionally, a crisis cell under the High Commission for National Protection (HCPN) has been activated to coordinate response efforts in real time.

This incident has also prompted an acceleration in Luxembourg’s digital resilience strategy. As part of an ongoing national cybersecurity review, authorities are reassessing risks linked to single points of failure. Regulatory reforms are under discussion, including the possibility of enabling automatic switching between cellular networks from different providers during outages—a safeguard already implemented in the UK, Germany, and the United States to ensure continuity of communications in emergency situations.