Cyber Incident Victim: Belgium's trade mission to China
Date: Nov 2019
Location: China
Summary
A Belgian trade mission in China experienced a significant cyberattack attributed to Chinese sources, involving 135 bot-driven attacks per hour, far exceeding typical threat levels from the region. The delegation, which included government officials and corporate representatives, had implemented preparatory measures such as disposable mobile devices and security briefings, with cybersecurity experts monitoring the situation. Attackers employed bots and attempted to install spyware targeting sensitive political data, passwords, and proprietary product information, potentially for post-mission espionage. Security personnel used honeypot techniques to analyze attack methods, confirming suspicions of state-linked involvement. Prior warnings from Belgian authorities about such threats had prompted defensive actions, though some participating companies were assessed to have underestimated risks.
Description
In November 2019, Belgium's largest-ever trade mission to China experienced a sustained cyber-attack campaign attributed to Chinese sources. The delegation, led by Princess Astrid and including Belgian ministers, had been briefed on cybersecurity risks by both private firm Secutec and Belgian state security prior to departure. Precautionary measures included issuing disposable mobile phones to delegates and establishing response protocols for mission leadership. Secutec cybersecurity expert Geert Baudewijns, who accompanied the delegation, documented 135 automated bot-driven attacks per hour during peak activity on the Monday preceding November 23. The volume significantly exceeded typical attack rates originating from China against Belgian targets. Baudewijns employed honeypot techniques using both protected and unprotected devices to analyze attack methodologies, revealing attempts to install persistent spyware designed for activation after the delegation's return to Belgium.

The attacks primarily targeted politically sensitive information, commercial product details, and credential harvesting through password compromise. While no confirmed data breaches were reported, Baudewijns advised all participating companies—several of which were Secutec clients—to reset devices and change credentials as precautionary measures. Belgian state security's pre-mission warnings about such threats were validated by the incident's scale. The cybersecurity team identified Chinese state security actors as likely perpetrators based on attack patterns and targeting. Post-incident, Baudewijns initiated development of formalized cybersecurity protocols for future trade missions, incorporating lessons from the observed bot-driven tactics and espionage techniques. The delegation maintained operational continuity throughout the mission despite the sustained attack campaign.
