Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

Dutch intelligence warns of extensive Chinese hacking campaign

Dutch intelligence warns of extensive Chinese hacking campaign

The Dutch military intelligence and security service (MIVD) has revealed that a global Chinese cyber-espionage campaign’s scope was far greater than previously thought.

 

What happened

Dutch intelligence services have unearthed a Chinese-sponsored cyber-espionage campaign that infected at least 20,000 of the network security app, FortiGate, devices worldwide, including those used by Western governments, diplomatic missions, and the defense industry. 

In a press release on June 10, the Dutch National Cyber Security Centre (NCSC) disclosed the results of its ongoing investigation, stating the campaign has “proven to be far more extensive than previously acknowledged.”

In February, the MIVD and the General Intelligence and Security Service (AIVD) discovered new malware in several FortiGate devices. Their research revealed that by exploiting a vulnerability (CVE-2022-42475), the threat actor gained access to at least 20,000 devices globally in 2022 and 2023. The actor exploited this vulnerability at least two months before its formal disclosure, infecting as many as 14,000 devices during this zero-day period.

 

Going deeper

The MIVD and AIVD disclosed that last year, Chinese hackers breached an internal computer network of the Dutch Ministry of Defence. They deployed a Remote Access Trojan (RAT) named COATHANGER to conduct network reconnaissance and exfiltrate user account lists. 

Despite technical reports detailing the malware, detecting and mitigating these infections remain challenging as COATHANGER is persistent, surviving firmware upgrades and maintaining access after system reboots by injecting itself into the reboot process.

 

What was said

According to a joint publication of the Ministry of Defence of the Netherlands, “MIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China.”

The MIVD & AIVD also “emphasize that this incident does not stand on its own, but is part of a wider trend of Chinese political espionage against the Netherlands and its allies.”

The MIVD & AIVD recommends that affected organizations:

  • Isolate the affected FortiGate devices immediately.
  • Collect and review relevant logs, data, and artifacts from compromised devices. "Extract a forensic image from the device for further detailed analysis of the attack."
  • Consider contacting a third-party specialized in incident response. "Assistance in following up on the incident helps ensure that the malicious actor is eradicated from the network. This could avoid a new compromise of the network from the same actor."
  • Report the incident to the NCSC of the Netherlands.

Furthermore, “To limit risks from adversaries that make use of known vulnerabilities to gain initial access to a victim, it is important to have a robust level of basic information security within your organization.” 

Steps organizations can take to defend against COATHANGER:

  • Install the most recent security patches from the vendor on internet-facing (edge) devices promptly.
  • Implement security best practices from the manufacturer of the device.
  • Before adding or enabling features on internet-facing devices, "execute a risk analysis for the mandatory and/or needed features before enabling these features on the device. Unnecessary features should be disabled."
  • Restrict access to the internet from internet-facing devices by "disabling unnecessary services and ports and [disabling] access to the management interface from the internet."
  • Monitor event logs for abnormal activity, such as "logons outside of working hours, unusual or unexpected external connections, and unauthorized configuration changes on the device."

 

Why it matters

This state-sponsored cyber espionage exploits vulnerabilities long before detection, posing risks to national security and international stability. It also aligns with Chinese cyber-espionage against various nations, including recent attacks on India, the UK, and the US.

 

The bottom line

The NCSC urges increased vigilance against exploits targeting edge devices like routers and firewalls. To enhance cybersecurity defenses, organizations are recommended to assume a breach and install security patches on internet-facing devices, follow the manufacturer's security guidelines, disable unnecessary services and ports, restrict access to management interfaces, and monitor logs for suspicious activity.

Read also: 

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.