A report from the Military Intelligence and Security Service (MIVD) of the Netherlands has revealed that a Chinese cyber-espionage group breached the Dutch Ministry of Defence last year and deployed malware on compromised devices. Despite the breach, the damage was limited because network segmentation helped contain the intrusion.
The victim network, which had fewer than 50 users, was focused on research and development of unclassified projects and collaboration with two third-party research institutes. The two Dutch agencies, MIVD and the General Intelligence and Security Service (AIVD), emphasized that the organizations involved have been notified of the incident.
Further investigations uncovered a previously unknown malware strain named COATHANGER, a remote access trojan (RAT) designed to infect FortiGate network security appliances. The COATHANGER implant was found to be persistent, recovering after every reboot and surviving firmware upgrades, which makes it a challenging threat to eradicate.
While the attacks were not linked to a specific threat group, MIVD expressed high confidence in attributing this incident to a Chinese state-sponsored hacking group. They also noted that this malicious activity is part of a broader pattern of Chinese political espionage targeting the Netherlands and its allies.
The Chinese hackers deployed the COATHANGER malware for cyber-espionage purposes on vulnerable FortiGate firewalls they compromised by exploiting the CVE-2022-42475 FortiOS SSL-VPN vulnerability. The same vulnerability had also been used as a zero-day in attacks targeting government organizations and related targets.
The attacks on FortiGate firewalls share similarities with another Chinese hacking campaign that targeted unpatched SonicWall Secure Mobile Access (SMA) appliances with cyber-espionage malware designed to survive firmware upgrades. In light of these cyber threats, organizations are being urged to promptly apply security patches from vendors for all internet-facing devices to prevent similar attack attempts.
Defense Minister Kajsa Ollongren emphasized the importance of making the working methods of Chinese hackers public, both to enable attribution and to increase international resilience against cyber-espionage activities. This move aims to bolster global efforts to defend against such attacks and to minimize the impact of malicious activities orchestrated by state-sponsored hackers.
The detailed technical report provided by MIVD sheds light on the increasingly sophisticated tactics employed by cyber-espionage groups and serves as a reminder of the importance of timely security measures and vigilance in the face of evolving cyber threats. The Dutch authorities' proactive approach to disclosing these cyber-espionage activities contributes to international cybersecurity efforts and promotes collaboration in safeguarding critical infrastructure and sensitive information from malicious actors.