Chinese hackers breach Belgium’s top security agency, stealing sensitive data in...
**Belgium’s State Security Service (VSSE) has fallen victim to a sophisticated cyberattack allegedly orchestrated by state-backed Chinese hackers. The breach, which went undetected for nearly two years, raises alarming questions about the vulnerabilities in critical government infrastructure and the increasing use of cyber tools for espionage.**
### **A Coordinated Espionage Operation**
In a chilling [revelation](http://www.lesoir.be/657866/article/2025-02-26/des-hackers-chinois-ont-vole-des-donnees-sensibles-la-surete-de-letat), Belgian authorities have confirmed that the country’s State Security Service (VSSE) was compromised by a cyber espionage campaign that targeted sensitive government communications. Between 2021 and May 2023, hackers believed to be sponsored by the Chinese state exploited a zero-day vulnerability in Barracuda Networks’ Email Security Gateway (ESG) appliances, gaining access to an external email server used by the VSSE.
The breach, which allowed attackers to siphon off around 10% of all incoming and outgoing emails, is being investigated by the Belgian federal prosecutor’s office. The stolen communications reportedly included sensitive information exchanged with public prosecutors, government ministries, and law enforcement bodies—potentially exposing personal data and compromising national security.
The cyberattack underscores the rising threat from state-backed hackers; the Chinese government has been implicated in similar breaches in recent years. The timing of the attack is especially concerning, as it coincided with a significant recruitment drive at the VSSE, increasing the likelihood that personal data of nearly half of the agency’s current and past staff was exposed.
---
### **Exploitation of Barracuda ESG**
At the core of the attack was a zero-day vulnerability in Barracuda’s Email Security Gateway (ESG), a widely used appliance for securing email communications within government agencies globally. A zero-day is a security flaw that is unknown to the vendor at the time attackers begin exploiting it, so no fix or patch is available while the exploitation is under way. The attackers used this flaw to deploy custom malware, specifically Saltwater, SeaSpy, Sandbar and SeaSide, enabling data theft and undetected persistent access to the targeted systems.
#### **Timeline of the Attack:**
- **October 2022**: The hackers, linked to the Chinese cyber espionage group UNC4841, began using the vulnerability to launch attacks targeting Barracuda ESG appliances.
- **May 2023**: Barracuda publicly disclosed the vulnerability after confirming that it had been exploited in real-world attacks. The company advised all its customers to replace compromised appliances immediately, regardless of their patch level, since patching alone does not evict malware already installed on an appliance.
- **November 2023**: The Belgi…

In a statement, Barracuda Networks clarified that the vulnerability was exploited in 2023 and not as early as 2021, as initially believed. Despite this clarification, the extensive duration of the breach, and the potential for a vulnerability that was only discovered and publicly disclosed in May 2023 to have compromised sensitive communications over such an extended period, raises significant concerns about the cybersecurity practices employed by government agencies and their contractors.
### **Personal and Professional Vulnerabilities Exposed**
One of the most troubling aspects of the VSSE breach is the potential exposure of highly sensitive personal and professional data. The email server routed internal human resources communications, including identity documents and CVs of the VSSE’s current personnel, past applicants, and contractors.
With nearly half of the VSSE’s workforce potentially affected, the exposure of such sensitive information could be disastrous for the individuals concerned. Identity fraud, targeted phishing and other forms of social engineering are now realistic risks for those impacted. In response to the breach, the VSSE advised affected personnel to renew their identification documents to minimise the risk of identity theft.
### **Chinese Denials and Global Concerns**
As expected, the Chinese government has denied any involvement in the breach. The Chinese Embassy in Belgium has labeled the accusations as “extremely unserious and irresponsible,” pointing to the absence of definitive evidence linking the cyberattack to Chinese state-backed hackers.
This denial is consistent with previous responses from China, which has repeatedly rejected claims of cyber espionage despite mounting evidence of state-sponsored activities. Notably, China has a long history of engaging in cyber espionage, with several APT (Advanced Persistent Threat) groups—such as APT27, APT30, APT31, and Gallium—linked to similar attacks on government agencies, including Belgium’s defense and interior ministries in 2022.
For Belgium, this breach is part of a broader trend of increasing cyber espionage targeting European governments. With tensions between China and the West rising, this breach only deepens concerns over the use of cyberspace for intelligence gathering and political maneuvering.
### **How Belgium Is Responding to the Attack**
In the immediate aftermath of the breach, the VSSE halted its use of Barracuda as a cybersecurity provider. The agency also took steps to mitigate the potential fallout by advising affected staff to update their identification documents, but the full scope of the attack is still being assessed.
The Belgian government has also urged organisations worldwide to reassess the security of their email infrastructure, particularly those relying on Barracuda ESG appliances, which many government agencies still use.
Belgium’s cybersecurity efforts are being supported by international cybersecurity agencies, such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and private cybersecurity firms, including Mandiant, which have traced the attack to UNC4841, a hacking group known for its ties to Chinese cyber espionage efforts.
An attack on Belgium’s intelligence service underscores the vulnerability of even the most well-secured agencies to sophisticated, state-backed adversaries as cyber threats continue to evolve. The lesson for governments and businesses alike is clear: cybersecurity is no longer an optional investment but a critical necessity.