A recent report by the Military Intelligence and Security Service (MIVD) of the Netherlands revealed that a Chinese hacking group successfully breached the Dutch Ministry of Defence last year, deploying malware on compromised devices. Despite the infiltration, the damage was somewhat contained due to network segmentation.
The victim network of the breach had fewer than 50 users and was primarily used for research and development (R&D) of unclassified projects and collaboration with two third-party research institutes. The network was segmented from wider MOD networks, limiting the effects of the intrusion. The relevant organizations were notified of the incident.
Among the discoveries made during the investigation was a previously unknown malware strain called Coathanger, identified as a remote access trojan (RAT) designed to infect FortiGate network security appliances. The persistence of the Coathanger implant was particularly alarming: it was found to recover after every reboot and to survive firmware upgrades, so that even fully patched FortiGate devices remained compromised once the implant was in place.
The Chinese state-sponsored hacking group responsible for the attack has not been specifically identified, but the agencies linked the incident to a broader pattern of Chinese political espionage targeting the Netherlands and its allies.
The hackers deployed the Coathanger malware for cyber espionage on vulnerable FortiGate firewalls by exploiting the CVE-2022-42475 FortiOS SSL-VPN vulnerability. This vulnerability was also found to have been exploited in attacks targeting government organizations and related targets, as previously disclosed by Fortinet in January 2023.
The attacks using the Coathanger malware share similarities with another Chinese hacking campaign that targeted unpatched SonicWall Secure Mobile Access (SMA) appliances with cyber-espionage malware designed to survive firmware upgrades. Organizations are advised to promptly apply security patches from vendors for all internet-facing devices to prevent similar attack attempts.
Defense Minister Kajsa Ollongren emphasized the importance of attributing such espionage activities to China and making the technical report on the working methods of Chinese hackers publicly available in order to increase international resilience against this type of cyber espionage.
This breach and the subsequent discovery of the Coathanger malware highlight the ongoing threat of state-sponsored hacking and cyber espionage, underscoring the need for stronger cybersecurity measures and collaborative efforts to address and mitigate such threats. The need for prompt and comprehensive application of security patches to internet-facing devices is a critical reminder for organizations to remain vigilant in protecting their networks and devices.