The Dutch Military Intelligence and Security Service (MIVD) has revealed that the impact of a Chinese cyber-espionage campaign is much larger than previously known. Earlier this year, the MIVD, in a joint report with the General Intelligence and Security Service (AIVD), disclosed that Chinese hackers exploited a critical vulnerability (CVE-2022-42475) in FortiOS/FortiProxy systems.
Details of the Breach
Chinese hackers used this vulnerability to deploy malware on vulnerable FortiGate network security appliances between 2022 and 2023. During this so-called ‘zero-day’ period, the hackers infected 14,000 devices, targeting dozens of Western governments, international organizations, and companies within the defense industry.
The malware, known as the Coathanger remote access trojan (RAT), was also found on a Dutch Ministry of Defence network used for research and development. However, due to network segmentation, the attackers were prevented from moving to other systems.
Persistent Threat
The MIVD discovered that this previously unknown malware strain, which can survive system reboots and firmware upgrades, was deployed by a Chinese state-sponsored hacking group. This group conducted a political espionage campaign targeting the Netherlands and its allies, giving the hackers permanent access to the systems.
The MIVD noted that even if a victim installs FortiGate security updates, the state actor can still maintain access. The extent of the breach is significant, with the MIVD estimating that the state actor could expand its access to hundreds of victims worldwide, potentially stealing data.
Widespread Impact
Since February, the Dutch military intelligence service has found that the Chinese threat group accessed at least 20,000 FortiGate systems worldwide in 2022 and 2023. This was discovered at least two months before Fortinet disclosed the CVE-2022-42475 vulnerability.
The Coathanger malware used in these attacks is particularly difficult to detect and remove, as it intercepts system calls to avoid revealing its presence and survives firmware upgrades. This vulnerability was also exploited as a zero-day to target government organizations and related entities, as disclosed by Fortinet in January 2023.
Similar Attacks
These attacks bear similarities to another Chinese hacking campaign that targeted unpatched SonicWall Secure Mobile Access (SMA) appliances with cyber-espionage malware designed to withstand firmware upgrades.