China-linked Threat Actors Stole 10% of Belgian State Security Service's Staff Emails

The Belgian federal prosecutor's office is probing a possible security breach on its State Security Service (VSSE) by China-linked threat actors. The attackers gained access to the VSSE's email server between 2021 and May 2023, stealing 10% of staff incoming and outgoing emails.

According to reports, Chinese hackers exploited a vulnerability in the Barracuda Email Security Gateway (ESG) appliance, tracked as CVE-2023-2868. The vulnerability was discovered on May 19, and the company fixed it with the release of two security patches on May 20 and 21.

The issue could have a significant impact because the impacted ESG appliances are used by hundreds of thousands of organizations worldwide, including several high-profile businesses. The attackers gained access to VSSE HR's data, including IDs and CVs of staff and applicants. However, no stolen VSSE data has surfaced on the dark web.

Belgium dropped Barracuda after the 2023 vulnerability disclosure. The breach coincided with a major recruitment drive that followed the previous government's decision to almost double the service's workforce. An anonymous intelligence source told Le Soir that "we thought we had bought a bulletproof vest, only to find a gaping hole in it."

The Attackers' Tactics

Mandiant researchers reported that China-linked threat actors breached government organizations worldwide in attacks exploiting the Barracuda ESG zero-day. In June, Mandiant attributed the attacks that exploited the recently patched Barracuda ESG zero-day vulnerability to UNC4841, a threat actor it linked to China.

UNC4841 was identified as a suspected China-nexus actor that targeted a subset of Barracuda ESG appliances to use as a vector for espionage. The attackers deployed malware on a subset of appliances, giving them persistent backdoor access. They also sent spear-phishing emails with weaponized attachments crafted to exploit the flaw CVE-2023-2868.

Most of the attacks observed by Mandiant targeted the Americas (55%), followed by EMEA (24%) and APAC (22%). Almost one in three affected organizations was a government agency, suggesting that the attacks were carried out as part of a cyber espionage campaign.

The Investigation Continues

At the end of May, the network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability. The Belgian embassy in China has yet to respond to the accusation.

The timing of the attack was especially unfortunate, as the attackers gained access during a major recruitment drive that followed the previous government's decision to almost double the service's workforce. This highlights the importance of cybersecurity for organizations, particularly those handling sensitive information.

As the investigation continues, it is essential to note that no stolen VSSE data has surfaced on the dark web. However, the attack demonstrates the potential risks and consequences of unpatched vulnerabilities in email security systems.