The Belgian federal prosecutor’s office is investigating whether Chinese hackers were behind a breach of the country’s State Security Service (VSSE).
Chinese state-backed attackers reportedly gained access to VSSE’s external email server between 2021 and May 2023, siphoning around 10% of all emails sent and received by the agency’s staff.
The compromised server was only used for exchanging emails with public prosecutors, government ministries, law enforcement, and other public Belgian administration bodies, as Belgian news outlet Le Soir reported on Wednesday.
According to The Brussels Times, the hacked server also routed internal HR exchanges among Belgian intelligence personnel, raising concerns about the potential exposure of sensitive personal data including identity documents and CVs belonging to nearly half of the VSSE’s current staff and past applicants.
Belgian local media first reported an attack on the VSSE in 2023, coinciding with Barracuda’s vulnerability disclosure. Following this, the Belgian intelligence service stopped using Barracuda as a cybersecurity provider and advised affected staff to renew identification documents to mitigate the risk of identity fraud.
However, there is currently no evidence of stolen data appearing on the dark web or ransom demands, and anonymous sources indicate that VSSE’s security team monitors dark web hacking forums and marketplaces for leaked information.
“The timing of the attack was especially unfortunate, as we were in the midst of a major recruitment drive following the previous government’s decision to almost double our workforce,” an anonymous intelligence source told Le Soir. “We thought we had bought a bulletproof vest, only to find a gaping hole in it.”
The VSSE has remained silent on the issue, only noting that a formal complaint was submitted, per The Brussels Times' report. At the same time, the federal prosecutor's office confirmed that a judicial investigation started in November 2023 but stressed that it is too early to draw any conclusions.
This isn't the first time Chinese state hackers have targeted Belgium. In July 2022, the country's Minister for Foreign Affairs said that the Chinese state-backed threat groups APT27, APT30, APT31, and Gallium (aka Softcell and UNSC 2814) had attacked Belgium's defense and interior ministries.
The Chinese Embassy in Belgium denied the accusations and pointed to a lack of evidence to sustain the Belgian government’s claims.
“It is extremely unserious and irresponsible of the Belgian side to issue a statement about the so-called ‘malicious cyberattacks’ by Chinese hackers without any evidence,” the Chinese embassy spokesperson said.
Breach linked to Barracuda ESG zero-day
VSSE’s server was likely breached using a zero-day vulnerability in Barracuda’s Email Security Gateway (ESG) appliance.
In May 2023, Barracuda warned that attackers had been using custom-tailored Saltwater, SeaSpy, Sandbar, and SeaSide malware in data-theft attacks since at least October 2022, urging customers to immediately replace compromised appliances.
Subsequently, CISA revealed that it found new Submarine (aka DepthCharge) and Whirlpool malware used to backdoor Barracuda ESG appliances on U.S. federal agencies’ networks.
At the same time, cybersecurity company Mandiant linked the attacks to UNC4841, a hacking group known for cyber espionage attacks in support of the People’s Republic of China.
Mandiant also found that the suspected Chinese hackers disproportionately targeted and breached government and government-linked organizations worldwide in these attacks.
In December 2023, Barracuda warned of another ESG zero-day vulnerability exploited in a second wave of attacks by the UNC4841 Chinese hackers.