The Record: Chinese state-sponsored hackers broke into an internal computer network used by the Dutch Ministry of Defence last year, according to the Netherlands. Both the country’s military (MIVD) and civilian (AIVD) security services said the ministry had been hacked for espionage purposes after the threat actor exploited a vulnerability in FortiGate devices.
🔗 https://therecord.media/dutch-find-chinese-hackers-networks-fortinet
The Ministry of Defence (MOD) of the Netherlands was impacted in 2023 by an intrusion into one of its networks. The effects were limited because of prior network segmentation.
Incident response uncovered previously unpublished malware, a remote access trojan (RAT) designed specifically for Fortigate appliances. It is used as second-stage malware, and does not exploit a new vulnerability. Intelligence services MIVD & AIVD refer to the malware as COATHANGER based on a string present in the code.
The COATHANGER malware is stealthy and persistent. It hides itself by hooking system calls thatcould reveal its presence. It survives reboots and firmware upgrades.
MIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies.
MIVD & AIVD assess that use of COATHANGER may be relatively targeted. The Chinese threat actor(s)scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.
Organizations that use FortiGate devices can check if they are affected using the detection methods described in section 4 of this report. Refer to section 5 for advice for incident response.
Action that organizations can take to prevent future malicious activity: for all internet-facing (edge)devices, install security patches from the vendor assoon as they become available. More preventive steps are described in section 5 of this report.