DDoS attack brought down government websites for 2 hours

According to the response of the Minister of Digitalisation, Stéphanie Obertin, to parliamentary enquiry No. 1766, Luxembourg government websites were subjected to a massive DDoS attack on 10 January 2025. The attack lasted from 13:05 to 14:55, during which time the government's websites were inaccessible.

At the same time, there were disruptions in LuxTrust's operations, which made it impossible for users to log into online services using LuxTrust's electronic signature until 18:00. This affected not only citizens, but also internal systems of civil servants that require two-factor authentication.

However, government employees were able to continue working thanks to an alternative login method using a one-time password (OTP).

The Centre for State Information Technology (CTIE) is constantly updating cyber security using data from past attacks - particularly the incidents of March and October 2024. To improve defences, new technologies are regularly introduced to counter increasingly sophisticated attacks.

CTIE does not disclose the technical details of its defence measures, but confirms that it reflects malicious traffic on a daily basis.

The PIU Cyber National Emergency Response Plan regulates the government's response to large-scale cyber incidents. It defines priorities and strategy for combating cyber threats, as well as interaction between public and private entities.

The attack on 10 January 2025 was not critical, but showed the vulnerability of digital services, especially in the event of a LuxTrust outage. Luxembourg authorities continue to strengthen cyber infrastructure defences, but risks remain given the growing number of cyber threats in Europe.