Hackers breach Belgian intelligence mail through vulnerable Barracuda system, lurk for two years

Belgian federal prosecutors have launched an investigation into a cybersecurity breach of the State Security Service (VSSE), Belgium's civilian intelligence agency. The breach, attributed to Chinese state-sponsored hackers, reportedly persisted for nearly two years between 2021 and 2023, making it the largest data breach in VSSE's history.

According to reporting by Belgian newspaper Le Soir and confirmed by federal prosecutors on February 26, 2025, the attackers exploited a vulnerability in email security products from the American cybersecurity firm Barracuda Networks. This breach allowed the hackers to intercept approximately 10% of all incoming and outgoing email communications from the intelligence service.

While the investigation is ongoing, preliminary findings indicate that the attack targeted VSSE's external mail server, not internal classified systems. Personal information of nearly half of VSSE's employees may have been compromised. On top of that, the breach coincided with an active recruitment period, increasing the volume of sensitive personal data transmitted

No details about the number of affected individuals or exposed data types are disclosed.

Belgian intelligence officials claim that classified intelligence data remained secure, as it was stored on separate systems not connected to the compromised email infrastructure.

VSSE has completely discontinued use of Barracuda cybersecurity solutions, and has implemented additional data protection measures. The case has been referred to both the federal prosecutor and Committee R (which oversees intelligence services)

Belgian intelligence is actively monitoring dark web forums for any appearance of the stolen data. Currently no evidence is found that the stolen information has appeared on the dark web marketplaces.