Chinese hackers breach Belgium’s top security agency, stealing sensitive data in a major cyber espionage attack

Continue reading
Belgium’s State Security Service (VSSE) has fallen victim to a sophisticated cyberattack allegedly orchestrated by state-backed Chinese hackers. The breach, which went undetected for nearly two years, raises alarming questions about the vulnerabilities in critical government infrastructure and the increasing use of cyber tools for espionage.
In a chilling revelation, Belgian authorities have confirmed that the country’s State Security Service (VSSE) was compromised by a cyber espionage campaign that reportedly targeted sensitive government communications. Between 2021 and May 2023, hackers believed to be state-sponsored by China exploited a zero-day vulnerability in Barracuda Networks’ Email Security Gateway (ESG) appliances, gaining access to an external email server used by the VSSE.
The breach, which allowed attackers to siphon off around 10% of all incoming and outgoing emails, is being investigated by the Belgian federal prosecutor’s office. The stolen communications reportedly included sensitive information exchanged with public prosecutors, government ministries, and law enforcement bodies—potentially exposing personal data and compromising national security.
The cyberattack doesn’t merely underscore the rising threat of state-backed hackers, with the Chinese government being implicated in similar breaches in recent years. The timing of the attack is especially concerning, as it coincided with a significant recruitment drive at the VSSE, increasing the likelihood of exposure of personal data of nearly half of the agency’s current and past staff.
At the core of the attack was a 'zero-day vulnerability' in Barracuda’s Email Security Gateway (ESG), a widely used appliance for securing email communications within government agencies globally. This term refers to a security flaw that is unknown to the software vendor and, therefore, has no fix or patch available. The attackers exploited this to deploy custom-tailored malware—specifically, Saltwater, SeaSpy, Sandbar, and SeaSide—enabling data theft and undetected access to the targeted systems.
One of the most troubling aspects of the VSSE breach is the potential exposure of highly sensitive personal and professional data. The email server routed internal human resources communications, including identity documents and CVs of the VSSE’s current personnel, past applicants, and contractors.
With nearly half of the VSSE’s workforce potentially affected, the exposure of such sensitive information could be disastrous for individuals. Identity fraud, phishing attacks, and other forms of social engineering are now likely risks for those impacted. In response to the breach, the VSSE advised affected personnel to renew their identification documents to minimise identity theft risk.
As expected, the Chinese government has denied any involvement in the breach. The Chinese Embassy in Belgium has labeled the accusations as “extremely unserious and irresponsible,” pointing to the absence of definitive evidence linking the cyberattack to Chinese state-backed hackers.
This denial is consistent with previous responses from China, which has repeatedly rejected claims of cyber espionage despite mounting evidence of state-sponsored activities. Notably, China has a long history of engaging in cyber espionage, with several APT (Advanced Persistent Threat) groups—such as APT27, APT30, APT31, and Gallium—linked to similar attacks on government agencies, including Belgium’s defense and interior ministries in 2022.
For Belgium, this breach is part of a broader trend of increasing cyber espionage targeting European governments. With tensions between China and the West rising, this breach only deepens concerns over the use of cyberspace for intelligence gathering and political maneuvering.
In the immediate aftermath of the breach, the VSSE halted its use of Barracuda as a cybersecurity provider. The agency also took steps to mitigate the potential fallout by advising affected staff to update their identification documents, but the full scope of the attack is still being assessed.
The Belgian government has also urged organisations worldwide to reassess the security of their email infrastructure, particularly those relying on Barracuda ESG appliances, which many government agencies still use.
Belgium’s cybersecurity efforts are being supported by international cybersecurity agencies, such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and private cybersecurity firms, including Mandiant, which have traced the attack to UNC4841, a hacking group known for its ties to Chinese cyber espionage efforts.
An attack on Belgium’s intelligence service underscores the vulnerability of even the most well-secured agencies to sophisticated, state-backed adversaries as cyber threats continue to evolve. The lesson for governments and businesses alike is clear: cybersecurity is no longer an optional investment but a critical necessity.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation