Chinese state-backed hackers breached a Dutch military network by exploiting a known security vulnerability in Fortinet FortiGate devices. This intrusion, which occurred in 2023, targeted a self-contained research and development system utilized by the Dutch armed forces. Despite leveraging a critical flaw in FortiOS SSL-VPN, the breach did not result in damage to the broader defense network, as confirmed by the Dutch Military Intelligence and Security Service (MIVD). However, the successful exploitation allowed the deployment of a stealthy backdoor named COATHANGER, designed to grant persistent remote access to compromised appliances.
The COATHANGER malware, as identified by the Dutch National Cyber Security Centre (NCSC), exhibited stealthy and persistent characteristics, capable of evading detection by hiding itself through system call hooking. Its resilience extended to surviving reboots and firmware upgrades, emphasizing the sophistication of the cyber attack. This incident marks the first public attribution of a cyber espionage campaign to China by the Netherlands, highlighting escalating concerns over state-sponsored threats and cyber warfare tactics employed by nation-states.
The breach underscores the growing sophistication of state-sponsored cyber threats, with Chinese threat actors exploiting vulnerabilities in widely used networking devices to infiltrate sensitive military networks. This revelation follows previous incidents involving China-based threat actors targeting European government entities and managed service providers. Moreover, the deployment of COATHANGER comes amidst broader international efforts to combat cyber threats, as evidenced by recent actions taken by U.S. authorities to dismantle botnets associated with Chinese threat actors.
Notably, the breach also highlights the significance of zero-day vulnerabilities in network appliances, as evidenced by previous exploits by China-nexus cyber espionage groups targeting Fortinet devices. Such vulnerabilities have enabled threat actors to deploy sophisticated implants for executing arbitrary commands and exfiltrating sensitive data, underscoring the critical need for robust cybersecurity measures and prompt patch management practices in safeguarding against evolving cyber threats.
- MIVD reveals working method of Chinese espionage in the Netherlands
- New Malware Highlights Continued Interest in Edge Devices