Belgian authorities have launched an investigation into a major cybersecurity breach at the State Security Service (VSSE), where Chinese hackers accessed and stole approximately 10% of staff emails over a two-year period.
According to Belgium's federal prosecutor's office, the unauthorized access occurred between 2021 and May 2023, when hackers exploited a vulnerability in Barracuda's Email Security Gateway system used by the intelligence agency.
While classified information remained secure, the breach exposed sensitive human resources data, including identification documents and resumes of both current staff and job applicants. The timing proved particularly problematic because VSSE was in the midst of a major recruitment drive to double its workforce.
"We thought we had bought a bulletproof vest, only to find a gaping hole in it," an unnamed intelligence source told Belgian news outlet Le Soir.
The hackers gained entry through a security flaw known as CVE-2023-2868 in Barracuda's email screening module. This same vulnerability impacted other critical Belgian infrastructure, including systems monitoring North Sea pipelines.
Security firm Mandiant has linked the attacks to UNC4841, a threat group working to advance Chinese espionage interests. The attackers deployed sophisticated malware tools to maintain persistent access to compromised systems.
Belgian authorities discontinued use of Barracuda's services after the vulnerability became public in 2023. To date, none of the stolen VSSE data has appeared on dark web marketplaces.
The Chinese embassy in Belgium has not yet responded to the allegations. The investigation by Belgian federal prosecutors remains ongoing as authorities work to determine the full scope of the breach.