
Chinese Spies Hack Dutch Networks Using Novel Coathanger Malware

Dutch Defense Networks Infiltrated by Chinese State-Backed Spies in Cyber-Espionage Plot

In a recent report released by the Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) of the Netherlands, it was revealed that Chinese state-backed spies successfully infiltrated Dutch defense networks last year. The spies used a novel malware called “Coathanger” in an attempt to steal sensitive information from the Dutch defense system.

The initial intrusion into the defense networks came through the exploitation of a zero-day vulnerability, CVE-2022-42475. Fortinet, a cybersecurity firm, had published a critical advisory for this vulnerability in December 2022, warning that it was being exploited by an “advanced actor” in attacks on governmental or government-related targets.

After the initial exploitation, the Chinese threat actors deployed the Coathanger malware, which the Dutch intelligence report describes as “stealthy and persistent”. The malware is a remote access Trojan (RAT) that hides itself by hooking system calls and is able to survive reboots and firmware upgrades. According to the report, the use of Coathanger may be relatively targeted: the Chinese threat actors scanned for vulnerable edge devices at scale, but introduced the malware as a communication channel only for select victims.

Despite the successful infiltration, Dutch network defenders were able to foil the cyber-espionage plot. The report revealed that the Chinese threat actors conducted reconnaissance of the defense network and exfiltrated a list of user accounts from the Active Directory server. However, the impact of the intrusion was limited because the victim network was segmented from the wider Ministry of Defense networks.

Notably, this report marks the first time the Netherlands has publicly called out Beijing for state-sponsored hacking. The country’s tech giant, ASML, plays a critical role in the global supply chain for advanced chips, which has raised the profile of the small northern European nation among certain governments.

The attack on Dutch defense networks is seen as part of a broader trend where threat actors target edge devices such as VPNs, email servers, and firewalls, which are connected to the public internet but often not protected by endpoint detection and response (EDR) monitoring. The Dutch intelligence services have advised organizations to mitigate edge device threats by regularly performing risk analysis, limiting internet access, analyzing logs for anomalous activity, installing the latest security updates, and replacing hardware and software that is no longer supported.

This cyber-espionage incident serves as a stark reminder of the persistent and evolving threats posed by state-sponsored hackers, especially in targeting vulnerable edge devices. It also underscores the need for organizations and governments to remain vigilant in detecting and mitigating such threats in a timely manner.
