Dutch intelligence finds Chinese hackers spying on secret Defence Ministry network

Chinese state-sponsored hackers broke into an internal computer network used by the Dutch Ministry of Defence last year, the Netherlands said Tuesday.

In a rare announcement, both the country’s military (MIVD) and civilian (AIVD) security services said the ministry had been hacked for espionage purposes after the threat actor exploited a vulnerability in FortiGate devices, as first reported by Reuters.

The MIVD said it found the malware on a compartmentalized computer network used by the country’s armed forces for unclassified research and development.

“Because this system was self-contained, it did not cause damage to the Defense network,” the agency stated.

Defense Minister Kajsa Ollongren said: “For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China. In this way we increase international resilience against this type of cyber espionage.”

According to the intelligence agencies’ report, the hackers gained initial access through the CVE-2022-42475 vulnerability, which Fortinet had warned in January was being exploited by an “advanced actor” to target government networks.

After gaining access to the Dutch Defence network, the hackers deployed a remote access trojan (RAT) the report names COATHANGER to conduct reconnaissance of the computer network and exfiltrate a list of user accounts from the Active Directory server.

“Although this incident started with abuse of CVE-2022- 42475, the COATHANGER malware could conceivably be used in combination with any present or future software vulnerability in FortiGate devices,” the report stated.

The name of the RAT was “derived from the peculiar phrase that the malware uses to encrypt the configuration on disk: ‘She took his coat and hung it up’,” according to the report, which provides remedial steps for network defenders.

It follows another vulnerability discovered in FortiGate devices last year — tracked as CVE-2023-27997 — that provoked enormous concerndue to the widespread usage of the product among government organizations.

Shortly after the vulnerability was disclosed, researchers warned there were hundreds of thousands of vulnerable interfaces exposed to the internet, nearly 70% of all of the installations online.

Christopher Glyer of the Microsoft Threat Intelligence Center questioned last year whether the same vulnerability was used in attacks by a Chinese-linked threat group tracked as Volt Typhoon that hacked critical infrastructure in Guam.

Fortinet said that it was not linking the exploit to Volt Typhoon “at this time” but warned it expected “all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices.”

Updated Feb. 7, 2024 at 9:15am EST with additional technical details about the vulnerability being exploited.