The computer system of the Belgian government’s home affairs ministry was reportedly infiltrated in 2019 by Chinese hackers who exploited vulnerabilities in its Microsoft Exchange servers to gain persistent access to the network and exfiltrate data to their own servers.
Earlier today, Belgian daily De Standaard revealed that hackers, who the Belgian government believes to be state-sponsored Chinese actors, infiltrated the systems of the federal home affairs ministry, which maintains the population register, police databases, election management, and crisis management data.
According to the Centre for Cyber-Security Belgium (CCB), the intrusion may have occurred as far back as April 2019, indicating that the hackers stayed inside the federal ministry’s network for nearly two years until cyber experts finally detected the intrusion.
“In March 2021, CCB cyber experts found traces of suspicious manipulation dating back to April 2019. This is a very complex attack, for which hackers have resorted to techniques specifically designed to infiltrate a network undetected and to remain there as long as possible,” CCB said.
“The complexity of this attack indicates that this is an advanced and proficient attacker with extensive cyber capabilities, probably used for espionage purposes.”
The Federal Public Service Interior (FPS) ministry also issued a statement on the intrusion, terming it “a complex, sophisticated and targeted cyber attack” and adding that the determination and discreet character of the hacker aroused suspicions of cyber espionage.
The ministry said that after its Microsoft Exchange servers were patched with the updates Microsoft issued on March 2 this year, the CCB carried out further investigations and discovered traces of intrusion dating back to April 2019.
“Earlier this year, Microsoft was made aware of a series of vulnerabilities in its Exchange servers. These are email servers used worldwide by thousands of companies. Microsoft released updates on March 2 to once again protect its systems.
“The FPS Interior also uses Microsoft Exchange servers and has requested assistance from the CCB. The SPF, like thousands of businesses around the world, has been vulnerable and ‘entry points’ have been discovered on the network. These were closed and the updates were immediately applied, but the CCB also carried out more extensive monitoring.
“It was during this investigation that the CCB’s cyber-experts identified subtle tracks of questionable acts on the SPF network. The first tracks date from April 2019 and indicate a very sophisticated cyberattack. The complexity of this attack indicates an actor who has cyber capacities and extensive resources. The perpetrators acted in a targeted manner, which is reminiscent of espionage,” the ministry said.
While the attacker’s access to the FPS computer network has been cut off and all important information has been secured, it is pertinent to note that the intrusion went undetected for nearly two years. During this time, the hackers behind the intrusion may have exfiltrated vast amounts of data to their own servers, although no exfiltration has yet been confirmed. The discovery also confirms that vulnerabilities in the Microsoft Exchange system were known to hackers long before Microsoft discovered the flaws.
“Comments from Microsoft indirectly suggest that the victim was aware of the critical 0day vulnerabilities in MS Exchange Server much earlier than in March 2021 when they were publicly disclosed by Microsoft. Such a protracted reaction and catastrophic consequences may trigger severe legal ramifications for the tech giant and negatively impact its business in a long-term perspective,” says Ilia Kolochenko, founder of ImmuniWeb.