State-backed Chinese hackers have broken into a computer network used by the Dutch military by targeting Fortinet FortiGate devices.
“This [computer network] was used for unclassified research and development (R&D),” the Dutch Military Intelligence and Security Service (MIVD) said in a statement. “As this system was autonomous, it did not cause any damage to the defense network.” The network had fewer than 50 users.
The intrusion, which occurred in 2023, exploited a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests.
Successful exploitation of the flaw paved the way for the deployment of a backdoor called COATHANGER from an actor-controlled server, designed to grant persistent remote access to compromised appliances.
“The COATHANGER malware is stealthy and persistent,” the Dutch National Center for Cyber Security (NCSC) said. “It hides by latching onto system calls that might reveal its presence. It survives reboots and firmware updates.”
COATHANGER is different from BOLDMOVE, another backdoor linked to a suspected China-based threat actor known for exploiting CVE-2022-42475 as a zero-day in attacks against a European government agency and a managed service provider (MSP) located in Africa as early as October 2022.
This development marks the first time the Netherlands has publicly attributed a cyber espionage campaign to China. Reuters, which broke the news, said the malware takes its name from a code snippet that contained a line from "Lamb to the Slaughter," a short story by British author Roald Dahl.
It also comes days after US authorities took steps to dismantle a botnet comprising outdated Cisco and NetGear routers used by Chinese threat actors such as Volt Typhoon to hide the origins of malicious traffic.
Last year, Google-owned Mandiant disclosed that a cyber espionage group with a Chinese nexus, tracked as UNC3886, exploited zero-days in Fortinet equipment to deploy the THINCRUST and CASTLETAP implants, which execute arbitrary commands received from a remote server and exfiltrate sensitive data.