National security breached: Chinese hackers infiltrate Dutch MOD
The cyber incursion undermines the integrity of Dutch systems and raises global security issues
Chinese hackers used malware called "Coathanger" to infiltrate Dutch Ministry of Defense systems through Fortinet devices, but the attack was limited.
Recent investigations conducted by the Dutch military and civilian intelligence services (MIVD and AIVD) have brought to light that a Chinese state-sponsored hacking group breached the systems of the Dutch Ministry of Defense (MOD) last year. The hackers introduced a new remote access trojan (RAT), nicknamed "Coathanger", into Fortinet devices used by the MOD. Reports indicate that the impact of the attack was contained because the affected network was segmented from other MOD networks.
The "Coathanger" malware identified by Dutch 007s
The RAT in question, called Coathanger, was designed specifically to target Fortinet's FortiGate appliances. This malware stands out for its persistence: it survives both system reboots and firmware updates by injecting itself into system processes. Furthermore, its ability to evade detection by standard FortiGate CLI commands makes it particularly insidious. The attackers exploited a critical unauthenticated remote code execution vulnerability (CVE-2022-42475) in FortiGate devices to gain access and, after installing Coathanger, performed reconnaissance and stole data from Active Directory servers.
Attribution of the attack and geopolitical implications
The attack on the MOD and the development of Coathanger were attributed "with high confidence" to a threat actor sponsored by the government of the People's Republic of China. This episode is considered by Dutch authorities not to be an isolated event but rather a component of a larger Chinese political espionage campaign directed against the Netherlands and its allies. The trend of state-sponsored hackers exploiting vulnerabilities in edge devices exposed on the internet is a growing practice.
Tips for defending computer systems
MIVD and AIVD provided mitigation and protection recommendations for organizations using FortiGate devices: promptly install security updates, disable unnecessary features, limit access to the devices by disabling unneeded services and ports and by not exposing the management interface to the internet, and monitor event logs for anomalous activity.
02/07/2024 15:08
Marco Verro