The Belgian federal prosecutor's office is investigating whether Chinese hackers were behind a breach of the country's State Security Service (VSSE). Chinese state-backed attackers reportedly gained access to VSSE's external email server between 2021 and May 2023, siphoning around 10% of all emails sent and received by the agency's staff.

The compromised server was only used for exchanging emails with public prosecutors, government ministries, law enforcement, and other public Belgian administration bodies, as Belgian news outlet Le Soir reported on Wednesday. However, there is currently no evidence of stolen data appearing on the dark web or of ransom demands, and anonymous sources indicate that VSSE's security team monitors dark web hacking forums and marketplaces for leaked information.

According to The Brussels Times, the hacked server also routed internal HR exchanges among Belgian intelligence personnel, raising concerns about the potential exposure of sensitive personal data, including identity documents and CVs belonging to nearly half of the VSSE's current staff and past applicants.

"The timing of the attack was especially unfortunate, as we were in the midst of a major recruitment drive following the previous government's decision to almost double our workforce," an anonymous intelligence source told Le Soir.

The VSSE has remained silent on the issue, only noting that a formal complaint was submitted, per The Brussels Times' report. At the same time, the federal prosecutor's office confirmed that a judicial investigation started in November 2023 but stressed that it is too early to draw any conclusions.

VSSE's server was likely breached using a zero-day vulnerability in Barracuda's Email Security Gateway (ESG) appliance. In May 2023, Barracuda warned that attackers had been using custom-tailored Saltwater, SeaSpy, Sandbar, and SeaSide malware in data-theft attacks since at least October 2022, urging customers to immediately replace compromised appliances.

At the same time, cybersecurity company Mandiant linked the attacks to UNC4841, a hacking group known for cyber espionage attacks in support of the People's Republic of China. Mandiant also found that the suspected Chinese hackers disproportionately targeted and breached government and government-linked organizations worldwide in these attacks. Subsequently, CISA revealed that it found new Submarine (aka DepthCharge) and Whirlpool malware used to backdoor Barracuda ESG appliances on U.S. federal agencies' networks. In December 2023, Barracuda warned of another ESG zero-day vulnerability exploited in a second wave of attacks by the UNC4841 Chinese hackers.

Belgian local media first reported an attack on the VSSE in 2023, coinciding with Barracuda's vulnerability disclosure. Following this, the Belgian intelligence service stopped using Barracuda as a cybersecurity provider and advised affected staff to renew identification documents to mitigate the risk of identity fraud.

This isn't the first time Chinese state hackers have targeted Belgium. In July 2022, the country's Minister for Foreign Affairs said that the APT27, APT30, APT31, and Gallium (aka Softcell and UNSC 2814) Chinese state-backed threat groups attacked Belgium's defense and interior ministries.

The Chinese Embassy in Belgium denied the accusations and pointed to a lack of evidence to sustain the Belgian government's claims. "It is extremely unserious and irresponsible of the Belgian side to issue a statement about the so-called 'malicious cyberattacks' by Chinese hackers without any evidence," the Chinese embassy spokesperson said.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 27 Feb 2025 17:00:14 +0000