Chinese hackers breached 20K+ FortiGate systems worldwide in Coathanger campaign

 


A Chinese cyberespionage campaign that compromised the Netherlands’ defense ministry in February this year was much broader than initially believed, the Dutch authorities said.

In February, the Dutch Military Intelligence and Security Service (MIVD) disclosed that a China-linked threat actor compromised an internal computer network at the Dutch Ministry of Defense last year and deployed sophisticated malware for cyberespionage purposes.

The agency said that the malware was found on a standalone computer network used for unclassified Research and Development (R&D). Because this system was isolated, it did not cause damage to the Defense network. The attackers exploited a vulnerability in Fortinet FortiOS devices to plant a backdoor named 'Coathanger'.

The Dutch National Cyber Security Center (NCSC) described the malware as “a new Remote Access Trojan (RAT) that operates outside of traditional detection measures and is specifically designed for FortiGate devices.” The backdoor is able to survive reboots and firmware upgrades.

According to the country’s national cybersecurity center, the threat actor behind the campaign gained access to at least 20,000 Fortinet FortiGate systems worldwide within a few months in both 2022 and 2023 using a then zero-day vulnerability tracked as CVE-2022-42475. This is a heap-based overflow issue within FortiOS that could be used for remote code execution. Previously, this FortiOS SSL-VPN vulnerability was exploited by unknown threat actors in attacks on government organizations and government-related targets.

The Dutch authorities said that the threat actor was aware of the vulnerability in FortiGate systems for at least two months before the public disclosure. During this “so-called ‘zero-day’ period” the group infected 14,000 devices, with targets including Western governments, international organizations and a large number of companies within the defense industry.

“It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data,” the authorities said.
