A hack of a Belgian intelligence service external email server may have been the work of Chinese hackers, based on similarities with other breaches perpetrated by the state-backed APT group UNC4841, prior attacks on Belgium by other known APT groups, and the exploitation of the Barracuda email security vulnerability first discovered about two years ago.
Though the Belgian media is reporting that the compromised server was used only for non-classified correspondence, the Chinese hackers were able to dwell on it for at least several months in 2023 and captured about 5% to 10% of all the emails sent by the State Security Service (VSSE) during that time. Belgium has previously accused Chinese hackers of targeting its defense and interior ministries, though China denies all of these claims.
Long-term breach by Chinese hackers involved substantial theft of VSSE emails
The Belgian federal prosecutor’s office has not yet formally named Chinese hackers as the culprits, but they are the prime suspects according to national media reports. The attackers may have had access to the VSSE external email server for at least several months in 2023, capturing some percentage of the emails that the intelligence service’s staff sent and received. Early reports put this at 10%, but a follow-up statement from VSSE indicates that the intelligence service believes that it was only 5%.
The email server reportedly was not used for secret or classified material, but it did handle communications between the intelligence service and assorted other government and local agencies. The Chinese hackers would have had access to exchanges with local law enforcement, public administration, public prosecutors, and assorted government ministries. The most troubling aspect is that the server also handled email exchanges with the intelligence service's internal HR department, which means the threat actors may have had access to sensitive personal information on a large number of current VSSE staff and prior job applicants.
Intelligence service breach attribution based on prior activity
Chinese hackers are being blamed in part because there has been a pattern of APT groups targeting the country's government agencies since at least 2022. In July of that year the Belgian Minister for Foreign Affairs named several specific Chinese teams as having targeted the country's interior and defense ministries. Stolen VSSE information has also not yet been seen on the dark web, despite the attack on the intelligence service now being over two years old.
The current breach likely traces back to a zero-day vulnerability in managed cybersecurity service provider Barracuda's email security gateway (ESG) appliances, one that a number of cybersecurity firms have traced to attacks by Chinese hackers on government agencies all over the world. That vulnerability was patched in May 2023, but was initially reported as having been exploited elsewhere since at least October 2022. The intelligence service dropped Barracuda as a provider after the vulnerability was disclosed.
Though a usable patch was released, Barracuda issued follow-up guidance in June 2023 advising customers to fully replace any previously impacted ESG devices and to rotate credentials. It remains unclear whether the intelligence service was compromised by some other means prior to 2023, or whether the Barracuda vulnerability was being exploited by Chinese hackers for longer than previously known. Barracuda has stated that its internal investigation found the vulnerability was not exploited in 2021, contrary to some earlier media reports.
Chinese hackers have been making headlines for rampaging through United States telecoms and internet service providers, but the APT teams have also been very active in other parts of the world of late. A recent ESET report indicates that a Chinese group previously known to stick to targets in Japan has expanded its activities to the EU, running spearphishing campaigns against government agencies and defense contractors and making use of legitimate VPN services to cover its tracks. Some researchers also believe that Chinese hackers are showing an increasing interest in targeting Russian government agencies, in spite of the apparent increased coziness between the two nations in recent years.
A 2024 campaign was also uncovered that links Chinese hackers to breaches of European healthcare organizations by targeting a Check Point security software vulnerability. That campaign involved ransomware, raising questions about whether a Chinese intelligence service was involved or whether it was one of the civilian hacking teams to which they contract out some of their espionage work. Salt Typhoon, the boogeyman group responsible for the recent campaign in the US, has also been observed targeting numerous other countries. Though the group apparently expends the majority of its effort targeting the US, it has spread its activity across over 100 countries and has also put substantial time into breaching targets in India and South America.