Malware breached Luxembourg's state device system for weeks
A memory-resident program sat undetected for almost a month on the platform managing the government's phones and tablets, reaching officials' contact details — but no citizen data, officials say.
By Marc Weber

A piece of malware lodged itself for almost a month inside the system Luxembourg uses to manage its government smartphones and tablets, giving an outside attacker access to a register of roughly 4,850 state-issued devices and to the names, work telephone numbers and professional email addresses of the officials who carry them, the government has confirmed.
The breach centred on the State Information Technology Centre — the Centre des technologies de l'information de l'État, or CTIE — which runs the Grand Duchy's public-sector IT. It did not reach the content stored on the devices themselves, and no citizen data was involved, according to Luxembourg's Ministry for Digitalisation and the country's national cyber-protection authorities.
A quiet intrusion, detected late
The malware was the “memory-resident” kind — a program that installs a copy of itself in a device's RAM rather than on disk, which makes it considerably harder to spot. According to Minister for Digitalisation Stéphanie Obertin, the platform that enrols and manages the state's mobile fleet was infected at the end of January, in the hours before the software's vendor pushed out its latest update. It was not flagged until the evening of Thursday 26 February, meaning it sat on the network for the better part of a month.
Crucially for the public, the compromise stopped at the management layer. The attacker reached the inventory of devices and the directory of who holds them, but not what is on the handsets. The minister was explicit that the on-device content was spared.
“The data stored directly on the phones or tablets, such as messages, the calendar or photos, were not affected by the incident,” Stéphanie Obertin told parliament.
When the malware was found, the CTIE isolated the affected platform as a precaution. That step cut mobile access to internal state services — email and calendars among them — leaving public servants to fall back on their desktop computers. Devices managed separately for the education sector, run by the CGIE, were not caught up in the incident.
What was exposed — and what was not
The government's account, set out in a 6 March status note and in Obertin's later written reply to lawmakers, draws a careful line around the damage. The information accessed was administrative rather than personal-in-the-sensitive-sense: a roster of equipment and the professional contact details attached to it.
- The list of roughly 4,850 smartphones and tablets managed by the CTIE, with their technical characteristics;
- The names of the officials issued those devices;
- Their professional telephone numbers and work email addresses.
What was not touched, officials stress, is anything belonging to the wider public. “No information relating to citizens is concerned,” the government said in its 6 March communiqué. As a precaution, every affected device was rebuilt, and the data-protection regulator, the CNPD, received a preliminary notification on 27 February.
The minister also sought to play down disruption to the machinery of state, insisting the interruption was confined to mobile access.
“The State's services remained permanently accessible and fully operational, both via the computers — with which every official is equipped by default — and via phones thanks to a web interface,” Obertin said.
How the government responded
The incident climbed quickly up the chain of command. After fresh findings emerged, the national cyber risk-assessment cell met on the evening of 5 March; the next day the prime minister convened experts and briefed the Council of Government. The compromised server was isolated and a replacement deployed, while technical analysis was carried out jointly by the CTIE and GovCERT.lu, the government's computer emergency response team. The authorities said the unauthorised access had been contained within a few hours of detection and remained limited to the device register.
Officials have not publicly attributed the attack, and the investigation remains open. Notably, this was not a phishing campaign of the sort that routinely impersonates Luxembourg banks or the social-security funds: the entry point was the third-party device-management software itself, infected around the time of a vendor update, rather than a tricked employee.
A continent under sustained pressure
The episode is a pointed test of Luxembourg's reputation as a digital-first state, and it fits a broader European trend. In its Threat Landscape 2025 report, the EU cybersecurity agency ENISA found that public administration had become the bloc's single most-targeted sector, accounting for 38% of the 4,875 incidents it logged between July 2024 and June 2025. For state-sponsored operations specifically, government was again the top target, with Russia-linked actors behind 39% of those intrusions, India-linked groups 31.7% and China-linked groups 24.4%.
Luxembourg has already felt that pressure. In the spring of 2024, a two-week wave of distributed denial-of-service attacks — claimed by pro-Russian groups — hit the finance and justice ministries, the STATEC statistics agency and the CNS health fund. In January 2025, a further DDoS burst briefly knocked out the MyGuichet citizen portal and the LuxTrust authentication service.
Against that backdrop, the CTIE breach is less an isolated shock than a marker of the new normal for European governments: persistent, often stealthy, and aimed squarely at the systems that hold the state together. For now, Luxembourg's message is that the perimeter held where it mattered most — the data of its 670,000 residents — even as the attackers got inside the door.
Frequently asked
- Was this a phishing attack?
  No. Officials say the malware infected the CTIE's mobile-device-management software around late January, in the hours before the vendor's latest update; the government has not described a phishing vector or a tricked employee.
- Was citizens' personal data compromised?
  No. The government says only an internal device register and officials' professional contact details were exposed. No citizen data was involved, and the content stored on the devices — messages, calendar and photos — was not accessed.
- Did government services go down?
  Mobile access to internal services was cut as a precaution, but services stayed available via officials' computers and a phone web interface, Minister Stéphanie Obertin told parliament.
Sources
- 1. État des lieux suite à l'incident affectant les appareils portables de l'État · Le gouvernement luxembourgeois (gouvernement.lu) · gouvernement.lu
- 2. 4.850 appareils mobiles de l'État touchés par un logiciel malveillant · Paperjam · paperjam.lu
- 3. Les données informatiques de l'État compromises lors d'une cyberattaque · Paperjam · paperjam.lu
- 4. On en sait plus sur le logiciel malveillant qui a perturbé les services de l'État · Le Quotidien · lequotidien.lu
- 5. Cyberattaque sur 4 850 appareils publics du CTIE: des données exposées, mais pas de messages · Les Frontaliers · lesfrontaliers.lu
- 6. Luxembourg: Un logiciel malveillant perturbe les appareils mobiles de l'État · L'essentiel · lessentiel.lu
- 7. Luxembourg government mobiles cut off after malware alert · Delano · delano.lu
- 8. ENISA Threat Landscape 2025 · European Union Agency for Cybersecurity (ENISA) · enisa.europa.eu
- 9. ENISA 2025 Threat Landscape report highlights EU faces escalating hacktivist attacks and state-aligned cyber threats · Industrial Cyber · industrialcyber.co
- 10. Stéphanie Obertin · Wikipedia · en.wikipedia.org


