Belgium investigating alleged cyberattack on intelligence agency by China-linked hackers

Belgium is investigating an alleged data breach of its state security service (VSSE) by Chinese government hackers. 

In a statement sent to TechCrunch on Friday, the Belgian federal prosecutor’s office said an investigation into a cyberattack was opened in November 2023 after it learned about the alleged breach. 

This confirms an earlier report by the French-language Belgian newspaper Le Soir, which reported that a Chinese hacking group gained access to the external mail server of the intelligence service between 2021 and 2023. 

The unnamed Chinese hacking group reportedly exploited a vulnerability in U.S. cybersecurity firm Barracuda’s software. The critical-rated flaw, which Barracuda first disclosed in May 2023, impacts the firm’s Email Security Gateway (ESG) appliance, a firewall for filtering inbound and outbound emails for potentially malicious content.

Barracuda spokesperson Lesley Sullivan told TechCrunch that “questions regarding any breaches at VSSE are more appropriately directed to VSSE.” VSSE did not respond to TechCrunch’s questions. 

Security researchers at U.S. cybersecurity firm Mandiant previously said the vulnerability, which could allow hackers to exfiltrate sensitive corporate data, had been exploited as a zero-day by a China-backed cyberespionage group to target organizations around the world. Almost a third of the target organizations were government agencies, according to Mandiant. 

Though a patch was released for the vulnerability, Barracuda in June 2023 urged all affected customers to replace ESG appliances impacted by the vulnerability. It also advised customers to rotate any credentials connected to the appliances and to check for signs of compromise dating back to at least October 2022.

According to Le Soir, China-backed hackers exploited the Barracuda flaw to exfiltrate 10% of the Belgian intelligence service’s incoming and outgoing emails. It notes that while classified information was not affected, the personal data of almost half of VSSE’s employees was accessed, including identity documents, resumes, and internal communications.

VSSE reportedly discontinued its use of Barracuda’s products following the cyberattack, which was first reported by local media in July 2023.

Zack Whittaker contributed reporting.
