
The Belgian Federal Prosecutor’s Office has initiated an inquiry into a data breach at the State Security Service (VSSE), allegedly perpetrated by Chinese hackers. Reports indicate that the cybercriminals accessed the VSSE’s external email server between 2021 and May 2023, intercepting approximately 10% of all electronic correspondence sent and received by agency personnel.
The compromised server was used for communication with the Prosecutor’s Office, government ministries, law enforcement agencies, and other state institutions. Internal human resources discussions also took place via this server, potentially exposing employees’ and applicants’ personal data, including their resumes and identity documents.
The first alert regarding the attack surfaced in 2023, when Belgian media reported a cyber incident coinciding with the disclosure of a vulnerability in Barracuda products. Following this revelation, the VSSE ceased using the company’s solutions and advised staff to replace their documents to mitigate identity theft risks.
According to anonymous sources, there is no current indication that the stolen data has appeared on the dark web or been exploited for extortion. VSSE security experts continue to monitor hacker forums and online marketplaces in the hidden corners of the internet, searching for any sign of the breach. The situation is exacerbated by the fact that the hack occurred precisely when the organization was in the midst of a major recruitment drive.
The VSSE has refrained from commenting further, confirming only that an official complaint has been filed in connection with the incident. Meanwhile, the Belgian Federal Prosecutor’s Office stated that the investigation began in November 2023 but considered it premature to draw any conclusions. The Chinese Embassy in Belgium dismissed the allegations, asserting that Belgian authorities have not presented compelling evidence.
It is believed that the attack on the VSSE server was executed by exploiting a zero-day vulnerability in the Barracuda Email Security Gateway (ESG). In 2023, Mandiant experts attributed targeted assaults leveraging this flaw to UNC4841, a group reportedly acting on behalf of the Chinese government. In December 2023, Barracuda announced another zero-day in ESG that UNC4841 utilized for a second wave of intrusions. The issue was swiftly resolved through the release of patch BNSF-36456.