Dutch intelligence says Chinese hacking campaign ‘more extensive’ than previously known

The Dutch military intelligence and security service (MIVD) is warning that a global Chinese cyber-espionage campaign is likely “much more extensive than previously known.”

An alert published on Monday by the country’s National Cyber Security Centre (NCSC) says that the state-sponsored hackers behind the spying operation were exploiting a vulnerability in FortiGate devices for “at least two months before Fortinet announced the vulnerability.”

The vulnerability, tracked as CVE-2022- 42475 was exploited during this “so-called ‘zero day’ period” to infect 14,000 devices, according to the alert, with targets including “dozens of (Western) governments, international organizations and a large number of companies within the defense industry.”

The MIVD, alongside the Dutch signals intelligence service AIVD, made a rare joint announcement last year that the campaign had allowed the Chinese hackers to breach an internal computer network used by the Dutch Ministry of Defence.

After gaining access to the Dutch Defence network, the hackers deployed a remote access trojan (RAT) the intelligence agency named COATHANGER to conduct reconnaissance of the computer network and exfiltrate a list of user accounts from the Active Directory server.

Following the publication of that report, the MIVD said it continued to investigate the campaign and discovered the hackers had “gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023.”

The agency said it wasn’t known how many of these victims had the COATHANGER malware installed but warned that despite its technical report on the RAT, infections are “difficult to identify and remove.”

“The NCSC and the Dutch intelligence services therefore state that it is likely that the state actor still has access to systems of a significant number of victims,” the report warns.