Chinese Cyber-Espionage Campaign Breaches 20,000 FortiGate Systems Globally: MIVD

June 11, 2024

The Dutch Military Intelligence and Security Service (MIVD) has raised the alarm over the extensive impact of a Chinese cyber-espionage campaign. The campaign, first disclosed in February in a joint report with the General Intelligence and Security Service (AIVD), saw Chinese hackers exploiting a critical FortiOS/FortiProxy remote code execution vulnerability (CVE-2022-42475) over several months in 2022 and 2023 to infiltrate FortiGate network security appliances.

During this 'zero-day' period, before a patch was available, a staggering 14,000 devices were compromised. The targets were not random: they included numerous Western governments, international organizations, and a significant number of defense industry companies. The MIVD also discovered the Coathanger remote access trojan (RAT) on a network of the Dutch Ministry of Defence used for research and development (R&D) of unclassified projects. Because that network was segmented from the rest of the ministry's systems, the intrusion was contained and the hackers could not reach other systems.

According to the MIVD, this previously unidentified malware strain, capable of surviving system reboots and firmware upgrades, was the tool of choice for a Chinese state-sponsored hacking group. The group was engaged in a political espionage campaign targeting the Netherlands and its allies. 'This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor continues to keep this access,' the MIVD stated.

The extent of the damage is still uncertain, as it is unknown how many victims have the malware installed. However, Dutch intelligence services and the National Cyber Security Centre (NCSC) believe that the state actor could potentially extend its reach to hundreds of victims worldwide and carry out additional actions like data theft.

Since February, the MIVD has established that the Chinese threat group gained access to at least 20,000 FortiGate systems worldwide during 2022 and 2023, within a window of a few months that began at least two months before Fortinet disclosed CVE-2022-42475. The MIVD suspects that the Chinese hackers still have access to many victims: Coathanger is hard to detect, because it hooks system calls to hide its presence, and hard to remove, because it survives firmware upgrades. Installing the vendor's security update closes the initial vulnerability but does not evict an implant that is already present.

Fortinet itself revealed in January 2023 that CVE-2022-42475 had been exploited as a zero-day against government organizations and related entities. The campaign shares many similarities with another Chinese hacking campaign that targeted unpatched SonicWall Secure Mobile Access (SMA) appliances with cyber-espionage malware likewise designed to withstand firmware upgrades.
