Belgian authorities are investigating Chinese hackers for breaching its State Security Service (VSSE), stealing 10% of emails from 2021 to May 2023.
The Belgian federal prosecutor’s office is probing a possible security breach on its State Security Service (VSSE) by China-linked threat actors.
Chinese hackers gained access to the VSSE’s email server between 2021 and May 2023, stealing 10% of staff incoming and outgoing emails.
“For nearly two years, hackers working for Chinese espionage exploited a breach in an American cyber company to siphon off 10% of the Belgian intelligence service’s incoming and outgoing emails.” reads the post by the Belgian website Le Soir. “Classified information is not affected, but personal data of nearly half of the members of the Sûreté is potentially compromised.”
Reuters confirmed that Belgian authorities are probing into alleged Chinese hacking of Belgium’s intelligence service VSSE in November 2023.
“The Belgian federal prosecutor said on Wednesday it had started a probe into alleged Chinese hacking of Belgium’s intelligence service VSSE in November 2023, confirming an earlier report by Belgian daily Le Soir.” reported Reuters. “The prosecutor added that it had received an accusation filed by VSSE in relation to the case.”
Threat actors exploited a vulnerability, tracked as CVE-2023-2868, in the Barracuda Barracuda Email Security Gateway Appliance (ESG) Vulnerability. The same systems were used by Belgian intelligence and the Belgian Pipeline Organisation, which monitors pipelines in the North Sea.
Attackers gained access to VSSE HR’s data, including IDs and CVs of staff and applicants. Belgium dropped Barracuda after its 2023 vulnerability disclosure.
No stolen VSSE data has surfaced on the dark web. At the time of this writing, the Chinese embassy in Belgium has yet to comment on the accusation.
“The timing of the attack was especially unfortunate, as we were in the midst of a major recruitment drive following the previous government’s decision to almost double our workforce,” an anonymous intelligence source told Le Soir. “We thought we had bought a bulletproof vest, only to find a gaping hole in it.”
In August 2023, Mandiant researchers reported that China-linked threat actors breached government organizations worldwide with attacks exploiting Barracuda ESG zero-day.
In June, Mandiant researchers linked the threat actor UNC4841 to the attacks that exploited the recently patched Barracuda ESG zero-day vulnerability to China.
“Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors.” reads the report published by Mandiant. “Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China.”
At the end of May, the network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability.
The vulnerability, tracked as CVE-2023-2868, resides in the module for email attachment screening, the issue was discovered on May 19 and the company fixed it with the release of two security patches on May 20 and 21.
The issue could have a significant impact because the impacted Email Security Gateway (ESG) appliances are used by hundreds of thousands of organizations worldwide, including several high-profile businesses.
The company investigated the flaw and discovered that it was exploited to target a subset of email gateway appliances. The company notified via the ESG user interface the customers whose appliances they believe were impacted.
On May 30, 2023, the vendor provided a Preliminary Summary of Key Findings related to its investigation that includes a timeline of events, Indicators of Compromise (IOCs), and recommended actions for impacted customers.
As per the vendor’s statement, the flaw has been exploited in real-world scenarios, with incidents dating back to October 2022 at the very least.
“Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.” reads the update provided by the company.
Threat actors exploited the flaw CVE-2023-2868 to obtain unauthorized access to a subset of ESG appliances. Barracuda, with the support of Mandiant, discovered the issue was exploited to deploy malware on a subset of appliances allowing for persistent backdoor access.
The company confirmed that the CVE-2023-2868 was first exploited in October 2022.
The families of malware employed in the attacks are:
- SALTWATER – A malware-laced module for the Barracuda SMTP daemon (bsmtpd) that supports multiple capabilities such as uploading/downloading arbitrary files, executing commands, as well as proxying and tunneling malicious traffic to avoid detection. The backdoor component is constructed by leveraging hooks on the send, recv, and close system calls, comprising a total of five distinct components referred to as “Channels” within the binary.
- SEASPY – An x64 ELF persistent backdoor masquerades as a legitimate Barracuda Networks service and posing itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP). SEASPY also supports backdoor functionality that is activated by a “magic packet”.
- SEASIDE is a module written in Lua for bsmtpd, it establishes a reverse shell via SMTP HELO/EHLO commands sent via the malware’s C2 server.
In June, the company published a new statement urging customers to immediately replace the ESG appliances, regardless of patch version level.
According to Mandiant, starting as early as October 10, 2022, the UNC4841 group sent spear-phishing emails to victim organizations. The email contained a weaponized attachment crafted to exploit the flaw CVE-2023-2868 to access vulnerable Barracuda ESG appliances.
Once compromising the ESG device, UNC4841 was observed stealing specific data of interest, and in some cases, the attackers used the access to the appliance for lateral movement, or to send mail to other victim appliances. The threat actors also deployed additional tools to maintain a presence on ESG appliances.
Most of the attacks observed by Mandiant targeted the Americas (55%), followed by EMEA (24%), and APAC (22%). Almost one out of three affected organizations were government agencies, a circumstance that suggests that the attacks were carried out as part of a cyber espionage campaign.
At the end of July 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert on a malware variant, tracked as SUBMARINE Backdoor, that was employed in attacks exploiting the flaw CVE-2023-2868 in Barracuda Email Security Gateway (ESG) appliances.
In August 2023, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) observed a new backdoor, named Whirlpool, in attacks on Barracuda ESG appliances.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Belgium)
