The Netherlands’ National Cyber Security Center said the Chinese cyber campaign is far larger than previously thought.
Prince, a member of the hacking group Red Hacker Alliance who refused to give his real name, uses a website that monitors global cyberattacks on his computer at their office in Dongguan, Guangdong Province, China, on Aug. 4, 2020. (Nicolas Asfouri/AFP via Getty Images)
A China-linked cyber campaign that infiltrated a Dutch defense network last year is much larger than previously thought and has infiltrated tens of thousands of government and defense systems in Western nations, according to the Dutch government.
The campaign, dubbed COATHANGER, has been linked to communist China and it exploited a zero-day vulnerability in the FortiGate firewall system used by the Netherlands and other nations on many government networks. Zero-day vulnerabilities exist when a software update is first deployed.
Dutch intelligence’s original report, released in February, said that damage from the breach was limited because of “network segmentation,” which separates an affected system from the nation’s wider defense network.
The Netherlands’ National Cyber Security Center (NCSC) announced on June 10, however, that the Chinese cyber campaign is far larger than previously thought.
NCSC said that COATHANGER compromised 20,000 systems across dozens of Western governments, international organizations, and a large number of companies within the defense industry.
Moreover, the statement said, the attackers used the intrusion to install malware on some of those compromised targets to guarantee continued access to those systems. The malware still has not been cut off.
“This gave the state actor permanent access to the systems,” the statement reads. “Even if a victim installs FortiGate security updates, the state actor continues to have this access.”
“It is not known how many victims are actually malware installed. The Dutch intelligence services and the NCSC consider it likely that the state-owned actor could potentially expand its access to hundreds of victims worldwide and has been able to carry out additional actions such as stealing data.”
Likewise, the Dutch statement said that “it is likely that the state actor still has access to systems of a significant number of victims at the moment” and that organizations should take measures to mitigate the possible fallout from that access.
The Netherlands’ original report, jointly published by the Dutch Military Intelligence and Security Service and the General Intelligence and Security Service, didn’t clarify what information the hackers were trying to obtain.
The scope of the latest discovery suggests that the campaign sought to gain persistent access to the defense industries of Western nations. However, it remains unclear whether all the victims were in NATO nations or shared some other connection.
The Dutch statement said that, like many hackers, the COATHANGER campaign targeted “edge devices” like firewalls, VPN servers, routers, and email servers that connect a system to the wider network.
Because zero-day vulnerabilities are hard to anticipate, the statement said, the government encouraged the adoption of an “assume breach” principle.
This means that an initial breach should be assumed and efforts should be taken to limit the damage.
Numerous reports have found that China-backed actors associated with both Chinese intelligence and law enforcement are behind the world’s largest online influence operations.
U.S. intelligence leaders announced earlier in the year that they had dismantled Chinese malware known as Volt Typhoon, which had been planted on hundreds of devices and threatened vital U.S. infrastructure, including water, energy, oil, and air traffic control systems.