An investigation is underway in Belgium into an alleged cyber breach of the country’s state security service, VSSE, reportedly carried out by hackers backed by the Chinese government.
The Belgian federal prosecutor’s office issued a statement to TechCrunch on Friday, confirming that an investigation into the alleged cyberattack was launched in November 2023, after initial reports of the breach surfaced.
This development corroborates an earlier report by the French-language Belgian newspaper, Le Soir, which revealed that a Chinese hacking group had gained unauthorized access to the external mail server of the VSSE between 2021 and 2023.
According to reports, the unidentified Chinese hacking group exploited a vulnerability in the software of U.S. cybersecurity firm Barracuda. The vulnerability, which was first disclosed by Barracuda in May 2023, affects the company’s Email Security Gateway (ESG) appliance, a firewall designed to filter out potentially malicious email content.
When contacted by TechCrunch, Barracuda spokesperson Lesley Sullivan deflected questions regarding the breach, stating that inquiries should be directed to VSSE. However, VSSE has not responded to TechCrunch’s requests for comment.
Security researchers at U.S. cybersecurity firm Mandiant previously reported that the vulnerability had been exploited as a zero-day by a China-backed cyberespionage group to target organizations worldwide. Notably, nearly a third of the targeted organizations were government agencies, according to Mandiant.
Although a patch was released to address the vulnerability, Barracuda subsequently advised all affected customers to replace the impacted ESG appliances and rotate any associated credentials, recommending that they also check for signs of compromise dating back to at least October 2022.
As reported by Le Soir, the China-backed hackers exploited the Barracuda flaw to exfiltrate approximately 10% of the Belgian intelligence service’s incoming and outgoing emails. While classified information remained unaffected, the personal data of nearly half of VSSE’s employees was compromised, including identity documents, resumes, and internal communications.
Following the cyberattack, which was initially reported by local media in July 2023, VSSE reportedly discontinued its use of Barracuda’s products.
Zack Whittaker contributed to this report.