A Huawei router is at the heart of Post’s infrastructure, hit by hackers whose origin and motives are as yet undetermined. Photo: Shutterstock

A Huawei router is at the heart of Post’s infrastructure, hit by hackers whose origin and motives are as yet undetermined. Photo: Shutterstock

The cyberattack that hit Post (and Luxembourg) last week is believed to have targeted Huawei routers and their operating software. The presence of the Chinese giant at the heart of the infrastructure raises questions. The public company says it is reserving its answers for the MPs and ministers who will meet this Thursday at 10am in parliament.

(Article updated at 9:00 with responses from Luc Frieden).

The hackers who --and indirectly Luxembourg--a week ago are believed to have attacked Huawei routers and their operating software. These are routers that in particular enable connection to European financial centres, from London to Paris, via Frankfurt or Amsterdam, according to two sources.

In an email that we were able to see, sent late on Friday to numerous players in Luxembourg, the department of the Luxembourg Regulatory Institute that oversees the cybersecurity and security of essential services networks and information systems (energy, drinking water, health, transport and digital infrastructures) is also inviting anyone using the “Huawei Enterprise router” in their network to contact their CSIRT, or Computer Security Incident Response Team.

Questioned on Monday, Post first repeated its position from last week--“we do not communicate on our suppliers”--before finally indicating that the public company was reserving its information for the special meeting, urgently requested by the opposition and which will take place this Thursday at 10am in parliament. As the politicians headed for their summer holidays, it is not known who of the four ministers invited to explain themselves, including the prime minister, will finally be present.

According to our sources, it was these Chinese routers that were the target of “a targeted cyberattack of a particularly advanced and sophisticated technical level. This malicious operation exploited a software vulnerability in a standardised component to cause a large-scale malfunction and widespread unavailability of services,” as Post described the incident late on Friday afternoon. A “standardised component” is a way of describing a piece of computer code that can be used in different situations to save time, to better monitor a possible cyberattack or to be more efficient when updating. But, when compromised, it causes problems wherever it is present.

Beyond the cyberattack itself, the presence of hardware from the Chinese giant at the heart of Post’s infrastructure raises questions. After using Huawei equipment for 3G and 4G, Orange and Proximus abandoned the idea of using Huawei equipment for 5G in the midst of global controversy, but the presence of this equipment at Post is more surprising. For BGP Tools, there is no doubt about it: each communications technology provider has an “organisationally unique identifier” which forms the first three blocks of a “MAC” address generally made up of six blocks. It is these addresses that enable communications to be sent to the right place. For one of the administrators of this service, there is no doubt that Post makes extensive use of Huawei routers for its “edge” network.

Questioned on this this highly sensitive subject, the prime minister, (CSV), said he had been informed of the presence of Huawei equipment in strategic locations for Post “following the incident.” “Post Luxembourg is an autonomous public company with management autonomy, although the state is its sole shareholder,” but, he added, “the government is currently conducting a thorough analysis of the incident and all its repercussions with the aim of strengthening the country's resilience.” Finally, he indicated that the High Commission for National Protection “does not provide recommendations regarding the use of certain technologies.”

This incident reignites a global controversy that began in 2017 when the US administration decided to ban Huawei and ZTE technologies from its soil, accusing them of being able to spy for the benefit of the Chinese government.

While the Chinese company, which has been present in Luxembourg for a long time, has not come back to us, that there is nothing to indicate that it was behind the attack. The company itself has no interest in having its software and hardware compromised by hackers, given the direct repercussions. And, according to its global annual report for 2024, it has more than 600 security certificates obtained for its products all over the world. This strategy came in response in particular to two reports.

The first, in 2019, by the US company Finite State--after analysing more than 500 Huawei software products--concluded that they had vulnerabilities greater than those of Juniper [also used in Luxembourg, editor’s note] or Arista, even mentioning flaws that could be used as backdoors--which, on the scale of Luxembourg, would be extremely serious. Huawei had strongly contested and criticised the US report, from the methodology employed to the results themselves.

The second, in quick succession, was done by Britain’s new security agency, which had decided to conduct one audit a year, often each more critical than the last until a spectacular U-turn in 2021. The agency had indicated that most of the problems had been resolved and that the audits were all the less justified given that the government had introduced an obligation to phase out Huawei: Chinese equipment must disappear from 5G infrastructure by the end of 2027 and a 35% cap on Huawei equipment has been imposed on the fixed-line market, regardless of network area.

In Luxembourg, politicians have been walking on eggshells since 2019, the media outlet the Land recalled in “The Huawei Spectrum,” published in August 2020. The weekly said that then prime minister  (DP) and then economy minister  (LSAP) were doing everything in their power to dilute any potentially embarrassing response behind a wording that is down to the millimetre, in which responsibility for the equipment is passed back to the operators, to the French or Belgian authorities (for operators linked to non-Luxembourg groups), or even to the European Union, to settle the thorny question: does having Huawei equipment in its technology stack put the operator, the country and the European Union at risk? More than seeing all our data, including that which is theoretically protected by the GDPR, sent to the United States? By the end of 2020, Orange and then Proximus had announced that they would do without Chinese equipment for 5G in favour of Nokia.

Successive bans

If Bettel were to call for a common European position, in order to rid themselves of any responsibility, European politicians have often added a layer to the recommendations of Enisa, the European cybersecurity agency. By June 2023, 24 EU member states had adopted the toolkit or were in the process of doing so, for example, by preparing legislation empowering local authorities to carry out security assessments. By the end of 2024, 14 member states, including Luxembourg, had adopted the 5G Tool Box, and some had taken steps to implement restrictions on high-risk suppliers, notes the Danish consultancy Strand Consult in its third study on Chinese market share, published last June. These include Sweden, Belgium and Lithuania, which have excluded Huawei from their markets.

Germany is the latest European country to take a somewhat firm stance. Huawei and ZTE components may no longer be used in German 5G core networks by the end of 2026, at the latest. Critical management systems from both manufacturers will have to be replaced in 5G access and transport networks by the end of 2029 at the latest.

The German government has reached an agreement on this with German mobile operators Telekom, Vodafone and Telefónica, interior minister Nancy Faeser stressed . A strategy that also embeds ZTE, which is also under contract with Post Group thanks to an effective rebranding in 2018, under the brand Whale Global Luxembourg, a subsidiary of Alibaba that took over some of ZTE’s activities at the time of its troubles with the Americans.

France, for its part, passed an anti-Huawei law in 2019... which is applied with variable geometry, concluded . Bayrou preferred to talk about authorisations instead of answering a question about the dismantling of Huawei’s equipment (3,000 antennas for Bouygues and 8,000 for SFR). Probably because dismantling has a cost, especially in a very tight economic climate, with Ericsson and Nokia being notoriously more expensive, and the French state does not want to take on any technological change.

The Spaniards on the razor’s edge

Among the most ambiguous, the Spaniards probably take the cake: in 2022, the government passed a law that was supposed to eliminate suppliers deemed to be at risk... but the blacklist of these at-risk suppliers still doesn’t exist; only a 2023 order formally excluded Huawei from rural 5G. Better still, this week we learn that prime minister Pedro Sanchez’s government has entrusted Huawei with the storage of National Guard data, albeit in a disconnected data centre, so officially out of the reach of the Chinese... apart from software updates.

For Luxembourg, never stingy in boasting of its commitment to a form of sovereignty, the question is how to continue down this path if a small piece of code is enough to wreck everything...

This article was originally published in .

Related articles