Chinese Hackers Target Dutch Military R&D Network
In a significant cybersecurity incident, Chinese state-backed hackers have targeted the Dutch armed forces by breaching a network used for unclassified Research and Development. As reported by the Dutch Military Intelligence and Security Service (MIVD), the breach occurred this year and affected a network with fewer than 50 users.
The attackers exploited a known critical flaw in FortiOS SSL-VPN systems—CVE-2022-42475—to execute arbitrary code. They then deployed a piece of malware, dubbed COATHANGER, to gain persistent remote access to the compromised devices. Notably, this malware is designed to evade detection and survives both reboots and firmware upgrades. The Netherlands took the unprecedented step of publicly attributing this cyber espionage to China, an action that underscores the severity of the breach.
The Dutch National Cyber Security Centre (NCSC) provided insights on the COATHANGER malware: it hides its traces by hooking system calls, illustrating its evasive nature. This approach differs markedly from previous campaigns, such as the BOLDMOVE backdoor, and signals an evolving threat landscape.
This breach serves as a stark reminder of the persistent threat posed by state-sponsored cyber espionage. The newly discovered COATHANGER malware, likened to a plot device from Roald Dahl’s “Lamb to the Slaughter,” reveals a level of craftiness and a dedication to remaining hidden. The incident coincided with the dismantling of a botnet used to disguise malicious traffic, reflecting the dynamic tactics employed by attackers of this caliber.
Users and organizations leveraging Fortinet’s FortiGate systems are now on high alert. With the demonstration of the exploitability of such critical infrastructure, the need for increased vigilance and robust cybersecurity measures has never been more evident.
Organizations are encouraged to consult the detection script and indicators of compromise (IOCs) associated with COATHANGER, available through documentation provided by researchers. This knowledge empowers FortiGate users to assess whether they have been targeted and to implement the necessary defenses.
In light of these revelations, it is clear that the cybersecurity terrain is shifting. The complex and persistent nature of state-sponsored cyber threats demands a global response, heightened awareness, and rigorous proactive measures. The Dutch authorities, by sharing critical information about this incident, strive to bolster international resilience against such sophisticated espionage campaigns. The collaborative effort to counter these threats further solidifies the critical role of intelligence sharing in global cybersecurity defense strategies.