For nearly two years, a cyber-espionage operation linked to China's intelligence services exploited a vulnerability in an American cybersecurity firm's software, intercepting approximately 10% of all incoming and outgoing emails from Belgium’s State Security Service (VSSE), an investigation by Le Soir has revealed.
The breach is the most severe in the VSSE’s history. While classified information remains unaffected, personal data belonging to nearly half of the VSSE’s staff members may have been compromised, researchers believe.
The breach was first reported in 2023 by Knack and Datanews. The VSSE, alongside the Belgian Pipeline Organisation, a military body overseeing North Sea pipelines, had relied on cybersecurity solutions from American firm Barracuda. That same year, Barracuda revealed a vulnerability in its Email Security Gateway Appliance, a firewall designed to protect email communications. This service had been exploited by state-backed Chinese hackers.
Personal data breached
According to information obtained by Le Soir, this vulnerability enabled the hackers to infiltrate the VSSE’s external email server between 2021 and May 2023. Only the agency’s external server was affected, meaning classified internal communications were not directly exposed.
The external server is used exclusively for exchanges with outside entities, including public prosecutors, law enforcement, government ministries, and other public administration bodies. However, internal HR-related exchanges between intelligence personnel were also routed through this compromised system, raising concerns that sensitive personal data, such as identity documents or CVs, might have been exposed.
Surveillance cameras in Beijing, China, Friday 12 January 2024. Credit: Belga / Benoit Doppagne
While an internal VSSE investigation has confirmed that 10% of total data volumes were siphoned off during the breach, the agency has not been able to determine which emails were compromised. A significant concern is that over the two-year period, nearly half of the intelligence service’s current staff , along with past applicants, transmitted personal information via the external server, primarily in communication with the HR department.
“The timing of the attack was especially unfortunate, as we were in the midst of a major recruitment drive following the previous government’s decision to almost double our workforce,” one intelligence source told Le Soir. New recruits, some still undergoing security clearance, may be among those whose personal data has been exposed.
“We thought we had bought a bulletproof vest, only to find a gaping hole in it,” the source added.
Investigation underway
The VSSE has remained tight-lipped on the matter, stating only that a formal complaint has been filed. The Federal Prosecutor’s Office confirmed that a judicial investigation was launched in November 2023, though officials stress it is too early to draw conclusions.
The case has also been referred to the R Committee, which oversees Belgium’s intelligence services. Committee Chair Vanessa Samain confirmed the VSSE reported the breach in June 2023. However, the committee’s findings and recommendations remain classified and were shared only with the intelligence agency and the Minister of Justice in April.
While the exact recommendations of the report remain undisclosed, intelligence sources consulted by Le Soir indicate the VSSE has already implemented reforms in response to the breach. Barracuda is no longer used as the security service's cybersecurity provider and affected staff have been advised to renew their personal identification documents, including identity cards and driving licences, to mitigate potential identity fraud risks.
Credit: Belga/ Eric Lalmand
Despite the sensitivity of the breach and the potential profits that could be generated from the sale of this data, there is no evidence that stolen data has surfaced on the dark web, where cybercriminals frequently post or auction off compromised information. Since 2023, the VSSE has tasked its internal security division with ongoing surveillance of dark web marketplaces for signs of leaked intelligence.
To date, no ransom demands have been made, and it remains unclear whether the hackers specifically targeted the VSSE or if it was merely collateral damage in a broader espionage campaign. Union representatives for intelligence officers declined to comment on the matter, citing the classified nature of the case.
Related News
- Belgian first: Russian couple faces trial in Belgium for cyberattacks
- Cyberattack puts Brussels Muntpunt library out of action
- Port of Ostend targeted by cyberattack
This is not the first time the Belgian State has been targeted by cybercriminals associated with the Chinese government. In 2021, several Belgian federal ministries fell victim to a slew of cyberattacks, bringing down the Defence Ministry's communication ministry and forcing officials to communicate over unsecured networks like WhatsApp. This attack cost the Belgian state €2.25 million in direct costs.
A US investigation in early 2024 concluded that dozens of European politicians, including several in Belgium, had their devices compromised by the Chinese state-affiliated APT 31 group in March 2023. Hackers accessed IP addresses, location data and other sensitive data, which was then exfiltrated to China.
