Chinese Cyber-Espionage Breaches Dutch Defence Networks with Persistent Malware
A Chinese cyber-espionage group infiltrated a Dutch Ministry of Defence (MOD) network in 2023 and planted malware on the compromised systems, the Netherlands' Military Intelligence and Security Service (MIVD) reported. Although the intruders succeeded in installing a backdoor, the damage was limited because the affected network was segmented from the rest of the MOD's infrastructure.
The compromised network was isolated from the broader MOD networks and served fewer than 50 users working on research and development (R&D) of unclassified projects, in partnership with two external research institutes. All parties involved have been informed of the breach.
During the investigation, a previously unknown malware family, named COATHANGER, was identified on the network: a remote access trojan (RAT) targeting Fortinet FortiGate network security appliances. COATHANGER is notable for its persistence. It survives reboots by injecting a backup of itself into the process responsible for rebooting the system, and it also survives firmware updates. A FortiGate device that was compromised before being patched therefore remains backdoored even once it is running the latest firmware. To stay hidden, the malware hooks the system calls that could reveal its presence, so routine inspection of the appliance does not show it.
The MIVD has not named a specific group, but it attributes the intrusion with high confidence to a Chinese state-sponsored actor and describes it as part of China's broader pattern of political espionage against the Netherlands and its allies.
The attackers gained access by exploiting CVE-2022-42475, a pre-authentication heap-based buffer overflow in the FortiOS SSL-VPN daemon, and used that foothold to implant COATHANGER for espionage. Fortinet disclosed the vulnerability in December 2022 and, in January 2023, published an analysis confirming that it had already been exploited in targeted attacks against government organisations.
The incident mirrors other Chinese espionage campaigns, including the compromise of unpatched SonicWall Secure Mobile Access (SMA) appliances with malware that likewise survived firmware updates. Organisations are advised to install vendor security updates for internet-facing devices promptly. Patching closes the entry point, however, but does not remove an implant that is already present: a device that was exposed while vulnerable should also be checked for signs of compromise rather than assumed clean because it is now up to date.
This is the first time the MIVD has publicly released a technical report describing the methods used by Chinese hackers, Defence Minister Kajsa Ollongren said. The purpose is to attribute the espionage activity to China and to strengthen the defences of allies and partners against such tactics.