February 6, 2024 at 01:55PM
A Chinese cyber-espionage group breached the Dutch Ministry of Defence and deployed malware on the compromised devices. Although the attackers backdoored the hacked systems, the impact of the breach was limited because the affected network was segmented from the rest of the ministry's infrastructure. A remote access trojan named Coathanger was found on the network; it is designed to infect FortiGate network security appliances. The attack was attributed to a Chinese state-sponsored hacking group. Defense Minister Kajsa Ollongren emphasized the importance of attributing and addressing such cyber espionage.
Key takeaways from the meeting notes:
1. A Chinese cyber-espionage group breached the Dutch Ministry of Defence and deployed the Coathanger malware on compromised devices. The breach was limited in its impact due to network segmentation.
2. The Coathanger malware, a remote access trojan (RAT) designed to infect FortiGate network security appliances, was discovered on the breached network. It is persistent: it survives both system reboots and firmware upgrades, so upgrading an already-implanted device does not remove it.
3. While the intrusion was not tied to a named threat group, the MIVD assessed with high confidence that a Chinese state-sponsored actor was responsible, and sees it as part of a broader pattern of Chinese political espionage targeting the Netherlands and its allies.
4. The Chinese hackers gained initial access by exploiting CVE-2022-42475, a heap-based buffer overflow in the FortiOS SSL-VPN component, and then deployed the Coathanger malware. The same vulnerability had earlier been exploited as a zero-day in attacks on government organizations.
5. The attacks on FortiGate firewalls resemble earlier attacks on SonicWall Secure Mobile Access (SMA) appliances, where malware likewise persisted on the edge device itself. Organizations are urged to promptly apply vendor security patches to all internet-facing devices to prevent similar intrusion attempts; note that patching closes the entry point but does not clean up an implant that is already present, so exposed appliances that ran a vulnerable version should also be checked for compromise.
6. The Dutch Ministry of Defence has chosen to make public a technical report on the working methods of Chinese hackers, aiming to increase international resilience against cyber espionage activities attributed to China.
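The patching advice above is only actionable if you know which of your appliances ran a vulnerable FortiOS build. The script below is an added illustration, not code from the article or from the MIVD/NCSC report: it parses FortiOS version strings from a (constructed) inventory and classifies each device against the first fixed release on each branch for CVE-2022-42475. The fixed-version table is taken from Fortinet's advisory for this issue (FG-IR-22-398) as the author recalls it and should be verified against the advisory before use; the hostnames and version strings are constructed sample data.

```python
"""Classify FortiOS versions against the CVE-2022-42475 fixed releases.

Added example, not code from the article or from the MIVD/NCSC report.
FIXED_BY_BRANCH is based on Fortinet advisory FG-IR-22-398 as recalled
by the author; verify it against the advisory before relying on it.
The inventory data is constructed for illustration.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# Earliest release on each FortiOS branch that fixes CVE-2022-42475
# (assumption: per FG-IR-22-398; branches newer than 7.2 shipped after the fix).
FIXED_BY_BRANCH = {
    (7, 2): (7, 2, 3),
    (7, 0): (7, 0, 9),
    (6, 4): (6, 4, 11),
    (6, 2): (6, 2, 12),
    (6, 0): (6, 0, 16),
}
NEWEST_LISTED_BRANCH = max(FIXED_BY_BRANCH)

# FortiOS reports versions like "v7.0.8,build0523 (GA)"; we only need x.y.z.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """'v7.0.8,build0523 (GA)' -> (7, 0, 8); None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


class Verdict(NamedTuple):
    host: str
    version: Optional[Version]
    status: str  # "vulnerable", "patched", "unsupported" or "unknown"
    note: str


def assess(host: str, version_text: str) -> Verdict:
    """Compare one device's version with the fixed release for its branch."""
    v = parse_version(version_text)
    if v is None:
        return Verdict(host, None, "unknown", "could not parse version string")
    branch = (v[0], v[1])
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        if branch > NEWEST_LISTED_BRANCH:
            return Verdict(host, v, "patched", "branch released after the fix")
        # End-of-life branch with no fixed build: treat as vulnerable.
        return Verdict(host, v, "unsupported",
                       "no fixed release on this branch; treat as vulnerable")
    if v < fixed:
        return Verdict(host, v, "vulnerable",
                       "upgrade to %d.%d.%d or later" % fixed)
    # Patched against initial exploitation only: the article notes that
    # COATHANGER survives firmware upgrades, so a patched device that was
    # exposed while vulnerable still needs a compromise assessment.
    return Verdict(host, v, "patched",
                   "fixed build, but patching does not remove an existing implant")


# Constructed inventory (hostname, FortiOS version string as the device reports it).
INVENTORY = [
    ("fw-edge-01", "v7.0.8,build0523 (GA)"),
    ("fw-edge-02", "v7.0.9,build0444 (GA)"),
    ("fw-dc-01", "v6.4.11,build2030 (GA)"),
    ("fw-lab-01", "v5.6.14,build1727 (GA)"),
    ("fw-branch-03", "7.4.1"),
    ("fw-old", "not-a-version"),
]


def triage(inventory) -> List[Verdict]:
    """Assess every device in the inventory."""
    return [assess(host, version) for host, version in inventory]


def needs_action(inventory) -> List[str]:
    """Hosts that must be upgraded, replaced, or investigated before anything else."""
    return [r.host for r in triage(inventory)
            if r.status in ("vulnerable", "unsupported", "unknown")]


if __name__ == "__main__":
    for r in triage(INVENTORY):
        shown = ".".join(map(str, r.version)) if r.version else "?"
        print("%-14s %-8s %-12s %s" % (r.host, shown, r.status, r.note))
    print("needs action:", ", ".join(needs_action(INVENTORY)))
```

Feed it the output of `get system status` (or the version field from FortiManager/your CMDB) for each device. The "unsupported" and "unknown" outcomes are deliberate: an end-of-life branch with no fixed build and an unparseable version both deserve a human look rather than a silent pass.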