Belgium’s Spy Agency Hacked: Personal Data Of Agents Compromised

Belgian authorities have launched an investigation into a cyberattack that compromised the country’s intelligence agency, the State Security Service (VSSE), as first reported by Le Soir.

The breach, described as the most severe in the agency’s history, allegedly involved a Chinese espionage group exploiting vulnerabilities in U.S. cybersecurity firm Barracuda’s software.

The Federal Prosecutor’s Office confirmed Wednesday that it received a formal complaint from VSSE over the cyberattack, which reportedly spanned from 2021 to 2023, according to Reuters.

According to Le Soir, the hackers accessed the agency’s external email server, intercepting approximately 10% of VSSE’s incoming and outgoing emails.

The hackers are believed to have obtained correspondence with law enforcement agencies, government ministries, and other institutions. While classified data remained secure, personal information belonging to nearly half of VSSE’s staff may have been compromised.

“We thought we had bought a bulletproof vest, only to find a gaping hole in it,” an intelligence source told Le Soir.

The Brussels Times (BT) explains that the attack targeted a security flaw in Barracuda’s Email Security Gateway Appliance, a firewall designed to protect email communications.

Barracuda disclosed the vulnerability in 2023, warning that state-backed hacking groups had exploited it. The VSSE and the Belgian Pipeline Organisation, which oversees North Sea pipelines, were among the affected entities.

Politico notes that cybersecurity researchers from Google’s Mandiant division previously linked the attack to a Chinese cyberespionage group. The Chinese embassy in Belgium did not immediately respond to requests for comment.

The breach’s timing was particularly concerning, as it occurred during a recruitment drive to expand VSSE’s workforce. Many of the agency’s new hires—some still undergoing security clearance—may have had their personal data compromised, as detailed by BT.

Following an internal audit, VSSE filed an official complaint in November 2023. The Federal Prosecutor’s Office has since launched a judicial investigation but has not disclosed any preliminary findings. Prosecutors said it was too early to disclose findings as the investigation remains ongoing, reported Reuters.

The case has also been referred to Belgium’s intelligence oversight body, the R Committee. Chair Vanessa Samain confirmed that VSSE reported the breach in June 2023, but the committee’s findings remain classified, says BT.

Intelligence sources indicate that in response to the breach, VSSE has ended its use of Barracuda products and advised affected staff to renew identity documents to prevent fraud.

Despite concerns that stolen data could be sold on the dark web, no evidence of such activity has surfaced. Officials remain uncertain whether VSSE was the primary target or if it was caught in a larger espionage campaign.