Cyberattacks targeting government email servers have intensified in recent years, a trend that experts warn is expected to continue. This concern follows a recent breach involving a cyber-espionage group linked to China, which infiltrated the email servers of Belgium’s intelligence agency.

On February 26, the Belgian federal prosecutor confirmed an investigation into the cyberattack targeting the country’s State Security Service (VSSE). According to a report by Belgian newspaper Le Soir, the attackers accessed approximately 10% of the VSSE’s incoming and outgoing emails between 2021 and May 2023. While classified data remained secure due to external hosting, the breach may have compromised personally identifiable information (PII) of nearly half of the agency’s personnel.

The hackers reportedly gained access to VSSE’s email systems by exploiting a critical remote command injection vulnerability, CVE-2023-2868, found in Barracuda Networks’ Email Security Gateway (ESG) appliance. Following the discovery of this security flaw, Barracuda enlisted Google security subsidiary Mandiant to investigate.

Mandiant tracked the espionage campaign to October 2022, identifying the threat actor as UNC4841. The firm established with "high confidence" that the group was connected to the Chinese government. UNC4841 reportedly distributed emails embedded with malicious attachments designed to exploit CVE-2023-2868, targeting various global organizations, including Belgian VSSE.

In response to the incident, VSSE ceased using Barracuda’s ESG appliance in 2023. Addressing concerns about the timeline of the breach, a Barracuda spokesperson clarified:

“Exploitation of the vulnerability impacting less than five percent of Email Security Gateway appliances took place in 2023 – not 2021. Our investigation data confirms that the vulnerability was not exploited in 2021. Barracuda promptly remediated the issue, which was fixed as part of the BNSF-36456 patch and applied to all customer appliances.”

Email systems remain a preferred target for cybercriminals due to their role in communication, credential storage, and document exchange. High-profile cyber incidents, such as the Hafnium attack in 2020 and multiple government email breaches in 2023, underscore the risks associated with these platforms.

Vito Alfano, head of digital forensic and incident response at Group-IB, emphasized the long-standing threat posed by advanced persistent threats (APTs):

“APTs regularly target publicly exposed services, such as email systems, used by their victims and it has always been a long-standing tactic. Since 2006, nation-state-linked threat actors have targeted mail systems to gain access to confidential information.”

He referenced past attacks, including the APT28 breach of the US Democratic National Committee (DNC) in 2016, highlighting how state-sponsored hackers have historically leveraged email vulnerabilities for intelligence gathering and further infiltration. Alfano further explained the strategic importance of email servers for cyber-espionage campaigns:

“Email servers cover a central role in communication, credential management, document exchange, and they often represent a link between the external world and the internal protected perimeter of a targeted company. For this reason, APT groups consider them a high-value target.”

Once inside an email system, attackers can exploit login credentials to move laterally within an organization’s infrastructure. Additionally, compromised email servers can serve as a launchpad for supply chain attacks, particularly when third-party vendors and contractors use government email services.

Cyber-espionage groups often aim to maintain access for extended periods, allowing them to monitor assets and execute more sophisticated attacks. Alfano warned:

“Email servers also grant access to highly sensitive information and communications making them perfect for a long-term silent espionage campaign, allowing the access to sensitive mails or to be used to forge crafted phishing and impersonation attacks.”

The attack on Belgian VSSE exemplifies this strategy, with hackers likely seeking to exploit confidential data for further infiltration or intelligence operations.