
March 3, 2025

Belgium investigating possible Chinese cyber attack on spy service


Belgium's federal prosecutor's office is actively investigating a significant security breach within the country's State Security Service (VSSE), potentially orchestrated by Chinese hackers. Between 2021 and May 2023, these state-sponsored attackers allegedly infiltrated the VSSE's external email server, compromising approximately 10% of all emails exchanged by agency personnel.

The compromised server facilitated communications between the VSSE and various entities, including public prosecutors, government ministries, law enforcement agencies, and other Belgian public administration bodies. Notably, the server also managed internal human resources exchanges among intelligence personnel, raising concerns about the potential exposure of sensitive personal information, such as identity documents and resumes of nearly half of the VSSE's current staff and past applicants.


Belgian authorities are also investigating whether the breach could be linked to vulnerabilities in the Barracuda Email Security Gateway (ESG), which have been exploited in previous cyber-espionage campaigns. In 2023, Barracuda disclosed multiple critical vulnerabilities, including CVE-2023-2868, which Chinese state-sponsored groups have actively exploited to infiltrate government and private sector organizations worldwide. However, Barracuda has publicly denied any direct connection between these vulnerabilities and the Belgian intelligence breach. Despite this denial, Belgian officials ceased using Barracuda's services and are continuing to analyze whether unpatched ESG flaws may have played a role in the compromise.

Local media reports first highlighted the breach in 2023, coinciding with Barracuda's disclosure of a vulnerability. In response, the Belgian intelligence service ceased utilizing Barracuda as a cybersecurity provider and advised affected staff to renew identification documents to mitigate the risk of identity fraud. Despite these measures, there is currently no evidence indicating that the stolen data has been exploited for malicious purposes.

Source: Bleeping Computer

Analysis

The breach of the VSSE has severe consequences for intelligence agents whose identities were exposed. Intelligence personnel rely on secrecy and anonymity to conduct covert operations, especially in counterintelligence and foreign espionage. With their personal details, including identity documents and employment records, now potentially in the hands of Chinese intelligence, these agents will likely face long-term operational risks.

One of the biggest concerns is that these agents are now effectively "burned" and can no longer work covertly on China-related intelligence files. Chinese intelligence services could track, monitor, or flag them, making it impossible for them to conduct undercover work. Any future attempts to infiltrate Chinese intelligence networks or monitor espionage activities would be significantly compromised, as China now has a list of personnel to watch for.

Beyond operational concerns, there is also a serious counterintelligence threat. Chinese intelligence agencies could use the stolen data for targeting, surveillance, harassment, or even blackmail. If exposed agents travel to countries where China has a strong intelligence presence, they could be subjected to coercion, intimidation, or recruitment attempts. Additionally, there’s a risk of identity fraud and disinformation, where adversaries could impersonate VSSE agents online to spread false information or disrupt Belgian intelligence operations.

To mitigate the damage, the VSSE will likely have to reassign exposed personnel to non-operational roles, such as analytical, training, or policy-focused positions. Some agents may even need to leave the service entirely if their exposure is deemed too severe. This breach is a major setback for Belgian intelligence, as rebuilding covert networks, recruiting and training new operatives, and restoring security confidence will take years.

As bad as this breach is, one small silver lining is that the VSSE’s operational database, which contains highly classified intelligence and the identities of confidential sources, was not compromised. If attackers had gained access to this database, the damage would have been far worse, potentially exposing Belgium’s covert assets, foreign intelligence-sharing agreements, and ongoing espionage operations. The leak of agent identities is still a serious setback, but losing the names of human sources (HUMINT operatives) could have led to immediate arrests, disappearances, or even executions in hostile environments. While the breach weakens Belgium’s intelligence capabilities, the fact that critical operational data remains secure prevents this from becoming an all-out intelligence disaster.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from Chinese state-sponsored cyber actors. Field Effect MDR users are automatically notified if activity associated with these groups is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
