**Belgium Probes if Chinese Hackers Breached Its Intelligence Service**
The Belgian federal prosecutor's office is investigating whether Chinese state-backed hackers were behind a breach of the country's State Security Service (VSSE). The alleged intrusion, which lasted from 2021 until May 2023, gave the attackers access to VSSE's external email server and exposed an estimated 10% of all emails sent and received by the agency's staff during that period.
The compromised server handled correspondence with public prosecutors, government ministries, law enforcement, and other Belgian public administration bodies. It also routed internal HR exchanges among intelligence personnel, which means the attackers may have obtained sensitive personal data, including identity documents and CVs, belonging to nearly half of VSSE's current staff and to past applicants.
Belgian media first reported an attack on the VSSE in 2023, at the time Barracuda disclosed the zero-day in its Email Security Gateway appliances. The intelligence service subsequently stopped using Barracuda as a security provider and advised affected staff to renew their identification documents to reduce the risk of identity fraud.
So far there is no evidence of stolen data appearing on the dark web, and no ransom demand has been reported. According to anonymous sources, VSSE's security team monitors dark web hacking forums and marketplaces for leaked information. "The timing of the attack was especially unfortunate, as we were in the midst of a major recruitment drive following the previous government's decision to almost double our workforce," an anonymous intelligence source told Le Soir. "We thought we had bought a bulletproof vest, only to find a gaping hole in it."
The VSSE has declined to comment beyond confirming that it filed a formal complaint. The federal prosecutor's office confirmed that a judicial investigation has been under way since November 2023 but stressed that it is too early to draw conclusions.
This is not the first time Chinese state hackers have been accused of targeting Belgium. In July 2022, the country's Minister for Foreign Affairs said that the Chinese state-backed groups APT27, APT30, APT31, and Gallium (aka Softcell and UNSC 2814) had attacked Belgium's defense and interior ministries. The Chinese Embassy in Belgium denied the accusations, saying the Belgian government had presented no evidence to support its claims.
**The Breach Linked to Barracuda ESG Zero-Day**
The breach appears to have been carried out through a zero-day vulnerability (CVE-2023-2868) in Barracuda's Email Security Gateway (ESG) appliance. In May 2023, Barracuda warned that attackers had been exploiting the flaw since at least October 2022, deploying custom Saltwater, SeaSpy, Sandbar, and SeaSide malware on compromised appliances to steal data. Because the backdoors persisted through patching, Barracuda later advised customers to replace compromised appliances outright rather than rely on the update alone. CISA subsequently reported finding two further malware families, Submarine (which Mandiant tracks as DepthCharge) and Whirlpool, used to backdoor ESG appliances on U.S. federal agency networks.
Mandiant attributed the campaign to UNC4841, a group that conducts cyber espionage in support of the People's Republic of China, and found that government and government-linked organizations worldwide were disproportionately targeted and breached in these attacks.
**Update: Barracuda Responds to Allegations**
In December 2023, Barracuda warned of a second ESG zero-day (CVE-2023-7102) that UNC4841 exploited in a new wave of attacks. The company later clarified that exploitation of the original vulnerability, which affected fewer than five percent of Email Security Gateway appliances, took place in 2023, not 2021. Barracuda said it remediated the issue promptly with the BNSF-36456 patch, released on May 20, 2023, and applied automatically to all customer appliances.
As the investigation into the VSSE breach continues, Belgian authorities still do not know how long the agency was exposed to Chinese state-backed attackers. The incident also illustrates how much is at stake when a single edge appliance handles both external correspondence and internal HR traffic: a compromise of that one system exposed both the agency's official exchanges and the personal data of its staff and applicants.