A Chinese cyber-espionage group breached the Dutch Ministry of Defence last year and deployed malware on compromised devices, according to the Military Intelligence and Security Service (MIVD) of the Netherlands.
However, although the attackers backdoored the hacked systems, the damage from the breach was limited due to network segmentation.
“The effects of the intrusion were limited because the victim network was segmented from the wider MOD networks,” said MIVD and the General Intelligence and Security Service (AIVD) in a joint report.
“The victim network had fewer than 50 users. Its purpose was research and development (R&D) of unclassified projects and collaboration with two third-party research institutes. These organizations have been notified of the incident.”
RAT malware survives firmware upgrades
During the follow-up investigation, a previously unknown malware strain named Coathanger, a remote access trojan (RAT) designed to infect FortiGate network security appliances, was also discovered on the breached network.
“Notably, the COATHANGER implant is persistent, recovering after every reboot by injecting a backup of itself in the process responsible for rebooting the system. Moreover, the infection survives firmware upgrades,” the two Dutch agencies warned.
“Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied.”
The malware operates stealthily, hiding itself by intercepting system calls so that its presence is not revealed, and it persists through system reboots and firmware upgrades.
While the attacks weren’t attributed to a specific threat group, MIVD linked this incident with high confidence to a Chinese state-sponsored hacking group and added that this malicious activity is part of a broader pattern of Chinese political espionage targeting the Netherlands and its allies.
FortiGate firewalls under attack
The Chinese hackers deployed the Coathanger malware for cyber espionage purposes on vulnerable FortiGate firewalls they compromised by exploiting the CVE-2022-42475 FortiOS SSL-VPN vulnerability.
These attacks also share many similarities with another Chinese hacking campaign that targeted unpatched SonicWall Secure Mobile Access (SMA) appliances with cyber-espionage malware also designed to survive firmware upgrades.
Organizations are urged to promptly apply security patches from vendors for all internet-facing (edge) devices as soon as they become available to prevent similar attack attempts.
“For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China,” said Defense Minister Kajsa Ollongren.
“In this way, we increase international resilience against this type of cyber espionage.”