Dutch Defence Breached by Chinese Spies, Malware Contained

A Chinese cyber-espionage group has breached the computer network of the Dutch armed forces by exploiting a vulnerability in Fortinet FortiGate devices.

According to the Netherlands Military Intelligence and Security Service (MIVD), the compromised computer network was used for unclassified research and development (R&D). Because the system operated independently, the breach did not lead to any damage to the defense network. The network had fewer than 50 users.

During the hack, which occurred in 2023, attackers exploited a critical vulnerability in FortiOS SSL VPN (CVE-2022-42475, with a CVSS score of 9.8), allowing an unauthenticated attacker to execute arbitrary code through specially crafted requests.

Successful exploitation of the vulnerability paved the way for the deployment of a backdoor named COATHANGER from the hacker’s C2 server, designed to provide persistent remote access to compromised devices.

The Netherlands National Cyber Security Center explained that the COATHANGER malware is elusive and resilient. COATHANGER conceals itself by intercepting system calls that could reveal its presence. The program remains in the system even after updates or reboots.

It’s worth noting that this flaw was exploited as early as October 2022 in espionage campaigns by Chinese hackers targeting European government networks. At that time, the vulnerability was used to deliver the BOLDMOVE backdoor, specially designed to operate on Fortinet FortiGate firewalls.

The MIVD attributes the hacking attacks and malicious software to politically motivated hackers from China with high confidence. The malware was also found in the networks of a Western international mission and several other organizations. According to Dutch intelligence, the malware was specifically developed for FortiGate firewalls. This incident marks the first time the Netherlands has publicly attributed a cyber espionage campaign to China.

Fortinet devices, according to Mandiant, are attractive targets for cybercriminals. These internet-facing devices, such as firewalls, IPS, and IDS devices, are appealing for several reasons.

Firstly, they are reachable from the internet, meaning that with the right exploit, network access can be achieved without any interaction with the victim, allowing the attacker to precisely control the timing of the operation and reduce the chances of detection.

Secondly, although network devices are designed to monitor network traffic and look for anomalies and signs of malicious behavior, they are often vulnerable to hacker attacks themselves.

Exploits for compromising such devices are complex to develop, hence they are frequently used against high-priority targets in the government and defense sectors.

According to Mandiant, there are currently no mechanisms to detect malicious processes running on such network devices, making them a blind spot for security professionals and allowing attackers to hide within them and remain undetected over a long period. Attackers can also use these devices to establish a foothold in the target network.