Last year, the Dutch Ministry of Defense fell victim to a cyber-espionage campaign conducted by a Chinese hacking group, as revealed by the Military Intelligence and Security Service (MIVD) of the Netherlands. The attackers managed to infiltrate the ministry’s systems and deploy malware on compromised devices.
Dutch Ministry of Defense Reduces Impact
Due to segmentation of the Defense Ministry’s network, the hackers failed to pilfer as much information as they wanted. According to reports from MVID and the General Intelligence and Security Service (AVID), they mitigated the impact of the intrusion because the victim network was separate from the broader MOD networks. Additionally, the threat actor gained entry into a network with fewer than 50 users who primarily focus on research and development (R&D) projects that were classified.
Subsequent investigations revealed that the actors used a malware strain; Coathanger, a remote access trojan (RAT), in the attack. The discovery revealed that the COATHANGER implant exhibits persistence, resurfacing after each system reboots by injecting a backup of itself during the reboot process. Moreover, the infection demonstrated resilience against firmware upgrades, posing a threat even to fully patched FortiGate devices.
The Coathanger malware operates surreptitiously and persistently, concealing itself by intercepting system calls to evade detection. It maintains its presence through system reboots and firmware updates.
No one Claimed Responsibility for the Attack
Although no one claimed responsibility for the attack, MIVD expressed a high level of confidence in linking the incident to a Chinese state-sponsored hacking group. Furthermore, it emphasized that this malicious activity aligns with a broader pattern of Chinese political espionage aimed at the Netherlands and its allies.
The Chinese hackers utilized the Coathanger malware for cyber espionage purposes, targeting vulnerable FortiGate firewalls by exploiting the CVE-2022-42475 FortiOS SSL-VPN vulnerability. This was a vulnerability they exploited in a zero-day attack targeting government organizations and related entities, as disclosed by Fortinet in January 2023.
The attacks exhibit notable similarities with another Chinese hacking campaign, which targeted unpatched SonicWall Secure Mobile Access (SMA) appliances with cyber-espionage malware designed to endure firmware upgrades.
Defense Minister Kajsa Ollongren emphasized the importance of publicly attributing such espionage activities to China to enhance international resilience against this form of cyber espionage, as demonstrated by the decision of MIVD to release a technical report detailing the methods employed by Chinese hackers.