Belgian State Security hit by Ivanti data breach

The Belgian State Security (VSSE) has been affected by a cyber incident. Attackers exploited vulnerabilities in Ivanti software to gain access to the personal data of employees of the intelligence service. 

According to RTBF, classified data remained secure, but the exposure of contact information raises questions about the agency’s operational security.

The attack took place between May 2025 and the spring of 2026. Attackers exploited security vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), software used to manage and secure mobile devices. The State Security Service uses the platform to manage service phones and control access rights.

An internal investigation revealed that attackers gained access to employee data, including names, phone numbers, and email addresses. Data from external contacts may also have been compromised. According to Ivanti, the vulnerabilities also allowed attackers to steal device identifiers and GPS data.

Part of a broader campaign

According to sources close to the investigation, the attackers did not gain access to internal systems that process confidential and classified information. Nevertheless, the stolen data could be valuable. Metadata such as phone numbers, email addresses, and location data can help map out organizational structures and work relationships.

The vulnerabilities in Ivanti EPMM have been actively exploited for some time. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) previously warned that attackers were using the vulnerabilities to collect and exfiltrate data.

Moreover, this incident is not an isolated one. The same vulnerabilities have previously been linked to security incidents at organizations including the European Commission, the Dutch Judiciary, the Dutch Data Protection Authority, and the Dutch Correctional Services Agency. This suggests that the attack on the Belgian State Security Service is part of a broader campaign targeting organizations that used Ivanti’s mobile management platform.

Some security firms link these attacks to UNC5221, a cyberespionage group believed to have ties to China. However, no formal attribution has been established for the attack on the Belgian State Security Service.

Not the first incident

The vulnerabilities in Ivanti EPMM have since been patched. It is unknown how long the attackers had access to the system before the incident was discovered. The State Security Service has not provided a substantive response.

Moreover, this is not the first time the Belgian intelligence service has been targeted. Between 2021 and 2023, attackers exploited a vulnerability in Barracuda software that, according to Belgian media, enabled them to intercept approximately 10% of email traffic via an external server. In that instance as well, classified data remained out of reach, but personal data was exposed. Although both attacks share similarities, no link between the incidents has been established.