The Dutch Ministry of Defense discovered in 2023 that it was being spied on by China via malware. The damage appears to have been limited in scope, but Dutch intelligence services say Chinese state actors are frequently targeting the Netherlands and its allies.
The malware has been christened COATHANGER by the authorities. An infiltration by China was discovered in 2023 at a network consisting of less than 50 users. The purpose of this network was to enable R&D projects in cooperation with two research institutes. According to the Dutch government, the damage was limited because the network was segmented appropriately.
Initial access was gained by exploiting a now somewhat old vulnerability: CVE-2022-42475. It is a buffer overflow bug in FortiOS, the operating system of FortiGate firewalls. Manufacturer Fortinet detected this vulnerability in late 2022, then shared mitigation steps in early 2023. The attackers remained undetected for a significant period of time, in part because they obfuscated their own connection.
COATHANGER at work
The attackers went on to download the actual COATHANGER malware, which is specifically classified as a Remote Access Trojan (RAT), via another host. Defense describes this rogue software as “stealthy and persistent,” in part because it survives reboots and firmware upgrades. In principle, any vulnerability in FortiGate devices could allow for the installation of COATHANGER.
The attackers then performed reconnaissance on the R&D network and exfiltrated a list of accounts from the Active Directory server. To pass on this information, COATHANGER made periodic contact with a C2 (Command & Control) server. The malware is not easily removed or detected, making it difficult to determine whether FortiGate devices are actually affected. However, the security advisory does indicate that the attackers probably didn’t install the malware en masse. After all, widespread usage increases the chance of discovery, and so the Chinese state actors chose a targeted approach. They scan widely for vulnerable edge devices and obtain access opportunistically, but according to the Dutch authorities, they are likely to introduce COATHANGER as a communication channel only for select victims.
Edge devices include firewalls, VPN servers and email servers, as the NCSC points out.
Detecting COATHANGER, by the way, does not appear to be easy: system calls that would give away its presence are replaced to evade detection.
Although not many details are shared about the nature of the attackers, the AIVD and MIVD emphasize that the incident is not isolated. In other words, the successful (though limited) infiltration into a government network should be seen as part of a broader initiative to penetrate Dutch government agencies and allies to the Netherlands, including the US and most of Europe. Outgoing Defense Minister Kajsa Ollongren confirms that this is the case. “I think we have to assume that this is happening more broadly, in the Netherlands but also in other countries. So it is a real risk that we have to guard against.”
Advice for others
“We are releasing this information to warn others,” the minister stated. The government has recommended a list of security measures, which can be reviewed in the English-language security advisory and on the NCSC website (Dutch source). A risk analysis on edge devices during major changes, restricting Internet access for these devices and keeping the management interface offline are cited first as recommendations. Further advice relates to regular analysis that detects suspicious activity.
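One way to turn those two recommendations into a routine check, as an added example that is not from the advisory or the NCSC: the script below reads simplified, constructed connection records, picks out connections the edge device itself initiates to destinations outside an allowlist, and flags destination pairs contacted at near-constant intervals, the pattern a scheduled C2 check-in leaves. The device address, allowlist and log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed values: the firewall's own management address and the
# few destinations it may legitimately reach (e.g. an update/NTP relay).
DEVICE_IPS = {"192.0.2.1"}
ALLOWED_DST = {"198.51.100.53"}
# Constructed connection log, one record per line: "<ISO time> <src> <dst> <dport>".
SAMPLE_LOG = """\
2023-03-01T10:00:00 192.0.2.1 198.51.100.53 123
2023-03-01T10:00:02 10.0.0.15 203.0.113.80 443
2023-03-01T10:00:05 192.0.2.1 203.0.113.200 443
2023-03-01T10:30:04 192.0.2.1 203.0.113.200 443
2023-03-01T11:00:06 192.0.2.1 203.0.113.200 443
2023-03-01T11:30:05 192.0.2.1 203.0.113.200 443
2023-03-01T11:31:00 10.0.0.15 203.0.113.81 443
2023-03-01T12:00:04 192.0.2.1 203.0.113.200 443
"""

def parse(log):
    """Yield (time, src, dst, dport) tuples; skip blank or malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])

def device_egress(records):
    """Connections the edge device itself initiates (not traffic passing
    through it) to a destination outside the allowlist. If the device is
    meant to have no Internet access, every hit needs an explanation."""
    return [r for r in records if r[1] in DEVICE_IPS and r[2] not in ALLOWED_DST]

def periodic_pairs(records, min_hits=4, max_cv=0.1):
    """Group by (src, dst) and report pairs whose inter-connection gaps are
    nearly constant (coefficient of variation <= max_cv): scheduled
    check-ins look like this, human-driven traffic rarely does."""
    by_pair = defaultdict(list)
    for t, src, dst, _ in records:
        by_pair[(src, dst)].append(t)
    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings[pair] = round(avg)  # mean interval in seconds
    return findings
```

On the sample data the device's five half-hourly connections to 203.0.113.200 are reported as a single periodic pair with a 1800-second interval, while the allowlisted NTP contact and the client traffic passing through are not.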
The next point, a recommendation to install the latest patches, did not prove sufficient in this case to stop the ongoing infiltration. It does, however, prevent organizations from picking up new infections. Either way, unsupported hardware and software should be replaced as soon as possible.
Regardless, constant patching of firewalls is particularly important, not least because Fortinet is often hit by new threats. For example, FortiSIEM was recently found to contain two new critical vulnerabilities, although exploits are not yet known. The company does continually patch such problems and is usually quick to respond.