A vulnerability that hackers have exploited for months also affects State Security in Belgium and the Belgian Pipeline Organization (BPO).
In early June, it became known that a vulnerability in Barracuda Networks email software had been exploited by hackers to steal sensitive data since October of last year. The zero-day was in Barracuda Email Security Gateway (ESG) versions 5.1.3.001 through 9.2.0.006 and has since been patched.
According to Knack, it now appears that the zero-day is affecting two government services: State Security and the BPO. The latter is a military unit that maintains pipelines. Defense CyberCommand is conducting a forensic investigation.
Internal sources within State Security and the BPO emphasize that State Security itself was not hacked. They use two separate data networks. The external email network was affected as it was secured with Barracuda hardware. The internal network of secret information was hit.
State Security reported the hack to its superiors, Committee I and the Center for Cybersecurity Belgium (CCB).
Research is still ongoing
Göran Boudry, head of the BPO, confirms to Knack that Barracuda informed them. “Our initial guess is that the hackers didn’t get past the Barracuda system, but that has yet to be confirmed.”
The Defense CyberCommand forensic investigation is still ongoing. The command also confirms the situation and has sent a team on site to the BPO several times. “Another action plan will be rolled out in the coming weeks,” said General Michel Van Strythem, chief of cyber command.
Since discovering the zero-day, Barracuda has indicated that about 5 percent of active ESG hardware could be compromised. Affected customers could receive a replacement product free of charge. On May 31, 2023, Barracuda notified all customers.