Chinese state-sponsored hackers exploited a zero-day vulnerability in Fortinet's virtual private network appliances to gain unauthorized access to Dutch defence networks. The breach occurred last year, but the Dutch Ministry of Defence has not disclosed the specifics of the incident.
Both the Military Intelligence and Security Service and the General Intelligence and Security Service have determined with confidence that the hackers responsible for the breach were from China. The threat actors conducted network reconnaissance and obtained a list of user accounts from the Active Directory server.
Fortinet issued an advisory in December 2022, warning of the zero-day vulnerability being targeted by an “advanced actor” focused on governmental or government-related targets. The Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) have concluded that the state-sponsored entity behind the attack was from the People’s Republic of China.
The initial stage of the attack involved the Chinese hackers scanning for vulnerable devices. Once they identified them, they exploited the zero-day vulnerability to deploy the COATHANGER malware, which allowed them to maintain persistence within the compromised network. The malware establishes a persistent connection that survives reboots and firmware upgrades.
After gaining access, the attackers monitored the R&D network and stole a list of user accounts from the Active Directory server. Defense Minister Kajsa Ollongren acknowledged the breach and stated that the MIVD’s decision to release a technical report on the methods of Chinese hackers aims to increase international resilience against this type of cyber espionage.
The Netherlands' Joint Sigint Cyber Unit has provided a list of indicators of compromise in its report on the breach. In a separate incident, US officials dismantled a botnet made up of outdated Cisco and Netgear routers. Chinese threat actors, including Volt Typhoon, had been using this botnet to mask the origins of their malicious traffic.