The Dutch military suffered an attack from Chinese hackers last year, leading to malware being deployed on a number of devices on its network.
The Military Intelligence and Security Service (MIVD) of the Netherlands revealed the incident yesterday (6 February), saying that China had deployed the malware for espionage purposes.
“China uses this type of malware for espionage on computer networks,” it said.
“The malware is used in systems (FortiGate) of the Fortinet company. These allow computer users to work remotely. Fortinet provides this cyber security worldwide.”
The MIVD added that the damage was minimal because of network segmentation, with only one of the armed forces' computer networks compromised.
“The MIVD found the malware on a separate computer network in the armed forces last year. This was used for unclassified research and development (R&D).
“Because this system was self-contained, it did not cause damage to the Defense network.”
The MIVD added that there were fewer than 50 users on the affected network and that organisations connected to the research and development on the network have been notified.
The hackers gained access through a known FortiGate vulnerability (CVE-2022-42475) before deploying a specially designed remote access Trojan (RAT) the MIVD and General Intelligence and Security Service of the Netherlands (AIVD) refer to as COATHANGER.
COATHANGER is designed specifically for FortiGate appliances and is built to evade detection. It is second-stage malware: it is not the exploit payload itself, but a remote access Trojan that the attacker deploys onto the device after already gaining access through the vulnerability.
“Notably, the COATHANGER implant is persistent, recovering after every reboot by injecting a backup of itself in the process responsible for rebooting the system. Moreover, the infection survives firmware upgrades,” the two Dutch agencies warned.
“Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied.”
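The practical consequence of the warning above is that patch level alone cannot clear a device: anything that was exposed while running a vulnerable build stays in scope until it has been forensically checked or rebuilt, because an implant installed earlier survives the upgrade. The script below is an added example (not code from the MIVD/AIVD report or from Fortinet) that encodes that triage rule over a constructed inventory. The table of first fixed FortiOS releases per branch for CVE-2022-42475 is an assumption for illustration and must be verified against the vendor advisory before use, as are the device names and the `Device` fields.

```python
"""Triage which FortiGate devices still need a compromise assessment.

Added example, not code from the MIVD/AIVD report. It encodes the point
that a device exposed while running a version vulnerable to
CVE-2022-42475 stays in scope even after it is patched, because the
COATHANGER implant survives reboots and firmware upgrades. Only a
forensic check (or a clean reinstall) takes a device out of scope.
"""
from dataclasses import dataclass

# First fixed FortiOS release per branch for CVE-2022-42475, written down
# here as an ASSUMPTION for this example; verify against the Fortinet
# advisory and extend the table to cover every branch in your fleet.
FIXED_VERSIONS = {
    (6, 0): (6, 0, 16),
    (6, 2): (6, 2, 12),
    (6, 4): (6, 4, 11),
    (7, 0): (7, 0, 9),
    (7, 2): (7, 2, 3),
}


def parse_version(text):
    """'7.0.8' -> (7, 0, 8); raises ValueError on anything else."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected FortiOS version string: {text!r}")
    return parts


def is_vulnerable(version):
    """True if this release predates the fix on its branch.

    Branches absent from FIXED_VERSIONS are treated as unaffected, so the
    table must be complete before this answer is trusted.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v < fixed


@dataclass
class Device:
    name: str
    exposed: bool                 # reachable by untrusted networks (e.g. SSL-VPN on the internet)
    version_history: list         # every release the box has run, oldest first
    forensically_cleared: bool = False   # checked or reinstalled after its last vulnerable run


def needs_assessment(dev):
    """A patched device is not a clean device.

    Flag it if it was ever exposed on a vulnerable release and nobody has
    since verified it is implant-free; the current version is irrelevant.
    """
    if not dev.exposed or dev.forensically_cleared:
        return False
    return any(is_vulnerable(v) for v in dev.version_history)


def triage(devices):
    """Return the sorted names of devices that still need a forensic check."""
    return sorted(d.name for d in devices if needs_assessment(d))


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [
    Device("fw-edge-1", True, ["7.0.8", "7.0.12"]),       # patched late, never checked
    Device("fw-edge-2", True, ["7.2.3", "7.2.5"]),        # never ran a vulnerable build
    Device("fw-lab-1", True, ["6.4.10", "6.4.13"], forensically_cleared=True),
    Device("fw-internal-1", False, ["7.0.5"]),            # vulnerable build, but never exposed
]

if __name__ == "__main__":
    print("needs assessment:", triage(SAMPLE))   # ['fw-edge-1']
```

Note that `fw-edge-1` is flagged although it now runs a fixed release: the upgrade says nothing about what happened while it sat on 7.0.8. Whether a device counts as "exposed" is a modelling choice; in practice any management or VPN interface reachable from outside the trusted network should set that flag.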
The release of a technical report to the public is a rare act for the MIVD, which said it did so to better inform its international allies.
“For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China,” said Defense Minister Kajsa Ollongren.
“In this way, we increase international resilience against this type of cyber espionage.”
The MIVD urges companies that discover this malware or activity on their systems to notify the National Cyber Security Centre (NCSC).