Chinese hackers attack Dutch government


The Dutch Ministry of Defense discovered in 2023 that it was being spied on by China through malware. Damage appears to have been limited, but the organization says Chinese state actors frequently target the Netherlands and its allies.

The malware was named COATHANGER by the two Dutch security services. An infiltration from China was discovered in 2023 in a network with fewer than 50 users. The objective of this network was to enable R&D projects in collaboration with two research institutes. According to Defense, the damage was limited because the network was segmented.

Initial access was obtained through the exploitation of a somewhat old vulnerability: CVE-2022-42475. This is a buffer overflow bug in FortiOS, the operating system for FortiGate firewalls. Manufacturer Fortinet detected this vulnerability in late 2022, after which it shared mitigation steps in early 2023. The attackers were not detected, in part due to obfuscation of their own connection.

“The Chinese state actor broadly seeks vulnerable edge devices and opportunistically gains access, but is likely to introduce COATHANGER as a communication channel for select victims.”

Then, through another host, they downloaded the COATHANGER malware, which is specifically classified as a Remote Access Trojan (RAT). Defense describes this rogue software as “stealthy and persistent,” in part because it survives reboots and firmware updates. Any vulnerability of FortiGate devices could, in principle, allow the installation of COATHANGER.

The attacker then performed reconnaissance on the R&D network and exfiltrated a list of accounts from the Active Directory server. To transmit this information, COATHANGER established periodic contacts with a C2 (Command and Control) server.

This activity is therefore not easily eradicated, and it is difficult to determine whether FortiGate devices are actually affected. However, the security advisory indicates that attackers will by no means install this malware everywhere: doing so would increase the chances of being discovered, so victims are selected deliberately.

Edge devices, as the NCSC states, include firewalls, VPN servers and email servers. Detecting COATHANGER is not easy: the system calls that would give away its existence are replaced.

Although not many details are shared about the nature of the attackers, the AIVD and MIVD emphasize that the incident is not isolated. In other words, the successful (albeit limited) infiltration of a government network should be seen as part of a broader effort to penetrate government agencies in the Netherlands and elsewhere.

Outgoing Defense Minister Kajsa Ollongren agrees. “I think we have to assume that this is happening more widely, in the Netherlands but also in other countries. Therefore, it is a real risk that we have to guard against.”

“We are publishing it to warn others”, said the minister. The government has recommended a list of security measures, which can be read both in the security advisory and on the NCSC website. The first measure cited is a risk analysis of edge devices during major changes, followed by restricting Internet access for these devices and keeping the management interface offline. They also recommend regular analyses that detect suspicious activity.
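As an added illustration of the kind of regular analysis the advisory recommends (this code is not from the article or from the Dutch services), the script below looks for the periodic C2 check-ins described earlier in constructed outbound-connection log lines. It assumes a simplified syslog-like line format of its own; real FortiGate log fields differ.

```python
# Added example: a simple beaconing detector over constructed log lines.
# Assumed line format: "<ISO timestamp> src=<ip> dst=<ip> dport=<n>".
import re
import statistics
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

# Constructed sample: the firewall (10.0.0.1) contacting 203.0.113.7
# roughly every 600 s, plus irregular user-driven traffic for contrast.
SAMPLE_LOGS = [
    "2023-03-01T10:00:00 src=10.0.0.1 dst=203.0.113.7 dport=443",
    "2023-03-01T10:10:02 src=10.0.0.1 dst=203.0.113.7 dport=443",
    "2023-03-01T10:19:58 src=10.0.0.1 dst=203.0.113.7 dport=443",
    "2023-03-01T10:30:01 src=10.0.0.1 dst=203.0.113.7 dport=443",
    "2023-03-01T10:40:00 src=10.0.0.1 dst=203.0.113.7 dport=443",
    "2023-03-01T10:00:05 src=10.0.0.25 dst=198.51.100.9 dport=443",
    "2023-03-01T10:00:09 src=10.0.0.25 dst=198.51.100.9 dport=443",
    "2023-03-01T10:27:40 src=10.0.0.25 dst=198.51.100.9 dport=443",
    "2023-03-01T10:28:00 src=10.0.0.25 dst=198.51.100.9 dport=443",
    "2023-03-01T10:45:13 src=10.0.0.25 dst=198.51.100.9 dport=443",
]

def parse(lines):
    """Group connection timestamps by (src, dst, dport); skip unparsable lines."""
    flows = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(lines, min_events=5, max_jitter=0.1):
    """Return (flow, period_seconds) for flows whose inter-connection
    intervals are nearly constant. Jitter is stdev/mean of the intervals;
    periodic check-ins score low, human-driven traffic scores high."""
    hits = []
    for key, times in parse(lines).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((key, round(mean)))
    return hits
```

Run over the sample, only the firewall's own ten-minute cadence to 203.0.113.7 is reported; the user flow is ignored because its intervals vary too much.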

The next point, installing the latest patches, was not enough in this case to prevent the ongoing infiltration. It does, however, protect organizations from further infiltration. In any case, unsupported hardware and software must be replaced as soon as possible.

Constantly patching firewalls is therefore particularly important, and Fortinet products are frequently affected by new threats. For example, FortiSIEM was recently found to contain two new critical vulnerabilities, although no exploits are yet known. The company continually releases patches and is typically quick to respond.
