The blow fell not on archives, but on digital traces that usually go unnoticed.
Sometimes the vulnerability of intelligence agencies is revealed not through secret documents, but through everyday work tools, such as official phones. In Belgium, this layer of infrastructure was compromised: from May 2025 to spring 2026, attackers gained access to the personal data of employees of the Belgian State Security Service through the system of an external contractor responsible for protecting mobile devices.
According to RTBF, the attack was linked to the exploitation of vulnerabilities in Ivanti Endpoint Manager Mobile. The Belgian intelligence service used this Ivanti solution to manage official smartphones and access internal services. An infrastructure review established that the attackers exploited weaknesses in the system and gained access to a data repository related to the telephony and email of work devices.
At risk were names, surnames, phone numbers, email addresses, and device identifiers. According to Ivanti's technical documentation, information about the geolocation of smartphones may also be accessible in such incidents. RTBF sources report that data about contacts of employees who used official phones could also be at risk.
Such leaks are dangerous not so much because of the secret information they contain as because they make it possible to reconstruct the organization's structure from indirect data. A foreign intelligence agency or hacker group could use such information to analyze the connections, composition, and internal structure of the intelligence service.
According to sources, the most sensitive data was not stolen: the attackers did not gain access to internal networks where secret materials are processed. Such systems are isolated and use secure communication channels. The Belgian State Security Service declined to comment on the incident.
The origin of the attack has not yet been established. Some analysts link the exploitation of Ivanti vulnerabilities to the group UNC5221, which is suspected of connections to China, but there is no official confirmation of this attribution. The Belgian Federal Prosecutor's Office and the Belgian Cybersecurity Center also did not comment.
Earlier, the Belgian Cybersecurity Center warned that vulnerabilities in Ivanti EPMM were already being actively exploited by attackers to execute commands on systems and extract data. After the incident, the intelligence service took response measures, but their nature has not been disclosed. The center's general recommendations include installing security updates and changing passwords.