06.03.2025.

Belgium probes if Chinese hackers breached its intelligence service

The Belgian federal prosecutor's office is investigating whether Chinese hackers were behind a breach of the country's State Security Service (VSSE).

Chinese state-backed attackers reportedly gained access to VSSE's external email server between 2021 and May 2023, siphoning around 10% of all emails sent and received by the agency's staff.

The compromised server was only used for exchanging emails with public prosecutors, government ministries, law enforcement, and other Belgian public administration bodies, as Belgian news outlet Le Soir reported on Wednesday.

According to The Brussels Times, the hacked server also routed internal HR exchanges among Belgian intelligence personnel, raising concerns about the potential exposure of sensitive personal data including identity documents and CVs belonging to nearly half of the VSSE's current staff and past applicants.

Belgian local media first reported an attack on the VSSE in 2023, coinciding with Barracuda's vulnerability disclosure. Following this, the Belgian intelligence service stopped using Barracuda as a cybersecurity provider and advised affected staff to renew identification documents to mitigate the risk of identity fraud.

However, there is currently no evidence of stolen data appearing on the dark web or ransom demands, and anonymous sources indicate that VSSE's security team monitors dark web hacking forums and marketplaces for leaked information.

"The timing of the attack was especially unfortunate, as we were in the midst of a major recruitment drive following the previous government's decision to almost double our workforce," an anonymous intelligence source told Le Soir. "We thought we had bought a bulletproof vest, only to find a gaping hole in it."

The VSSE has remained silent on the issue, only noting that a formal complaint was submitted, per Brussels Times's report. At the same time, the federal prosecutor's office confirmed that a judicial investigation started in November 2023 but stressed that it's too early to draw any conclusions.

This isn't the first time Chinese state hackers have targeted Belgium. In July 2022, the country's Minister for Foreign Affairs said that the APT27, APT30, APT31, and Gallium (aka Softcell and UNSC 2814) Chinese state-backed threat groups attacked Belgium's defense and interior ministries.

The Chinese Embassy in Belgium denied the accusations and pointed to a lack of evidence to sustain the Belgian government's claims.

"It is extremely unserious and irresponsible of the Belgian side to issue a statement about the so-called 'malicious cyberattacks' by Chinese hackers without any evidence," the Chinese embassy spokesperson said.

Breach linked to Barracuda ESG zero-day

VSSE's server was likely breached using a zero-day vulnerability in Barracuda's Email Security Gateway (ESG) appliance.

In May 2023, Barracuda warned that attackers had been using custom-tailored Saltwater, SeaSpy, Sandbar, and SeaSide malware in data-theft attacks since at least October 2022, urging customers to immediately replace compromised appliances.

Subsequently, CISA revealed that it found new Submarine (aka DepthCharge) and Whirlpool malware used to backdoor Barracuda ESG appliances on U.S. federal agencies' networks.

At the same time, cybersecurity company Mandiant linked the attacks to UNC4841, a hacking group known for cyber espionage attacks in support of the People's Republic of China.

Mandiant also found that the suspected Chinese hackers disproportionately targeted and breached government and government-linked organizations worldwide in these attacks.

In December 2023, Barracuda warned of another ESG zero-day vulnerability exploited in a second wave of attacks by the UNC4841 Chinese hackers.

Update February 27, 15:08 EST: A Barracuda spokesperson shared the following statement after publishing time:

"Exploitation of the vulnerability impacting less than five percent of Email Security Gateway appliances took place in 2023 – not 2021. Our investigation data confirms that the vulnerability was not exploited in 2021. 

Barracuda promptly remediated the issue, which was fixed as part of the BNSF-36456 patch and applied to all customer appliances. A detailed timeline of updates can be found here."


CONCLUSION

This is the latest in a series of cases showing intrusions by Chinese state-backed hacking groups into the security infrastructure of Western countries. Over the past few years, such attacks have occurred throughout Europe, the United States, and Asian countries. Countries that use IT equipment manufactured by Chinese companies have been particularly affected. As a result, a significant number of Western countries have decided to remove equipment from Chinese manufacturers from their security operations.

However, even when Chinese equipment and software are not used, Chinese state-backed hackers are targeting security agencies and government institutions in Western countries. Western security services have repeatedly issued warnings to pay attention to the activities of Chinese hacking groups.

In the Western Balkan countries, on the other hand, the use of equipment from Chinese companies for security purposes is very common, and such warnings are almost entirely ignored. The only ones raising the alarm are the media and non-governmental organizations. Authorities nonetheless continue to procure equipment from Chinese companies for security operations, even when those companies are under sanctions.