Chinese hackers breached Dutch Ministry of Defense

Chinese state-sponsored hackers have breached the Dutch Ministry of Defense (MOD) last year and deployed a new remote access trojan (RAT) malware to serve as a backdoor.

“The effects of the intrusion were limited because the victim network was segmented from the wider MOD networks,” the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) noted.

A new RAT

During an investigation of a intrusion in the MOD’s network last year, MIVD and AIVD uncovered a previously unknown malware that they named Coathanger.

“The name is derived from the peculiar phrase that the malware uses to encrypt the configuration on disk: ‘She took his coat and hung it up’,” MIVD and AIVD explained in the security advisory.

Coathanger is a remote access trojan (RAT) that was specifically built for Fortinet’s FortiGate appliances. It’s an eminently persistent second-stage malware: it can survive reboots by injecting a backup of itself in the process responsible for rebooting the system, as well as firmware upgrades (meaning: it can also infect fully patched FortiGate devices, if the compromise happened before they received the patch).

“Furthermore, Coathanger is stealthy: it is hard to detect using default FortiGate CLI commands, because it hides itself by hooking most system calls that could reveal its presence,” they noted.

In this particular incident, hackers gained initial access to FortiGate devices by exploiting the critical FortiOS pre-auth RCE vulnerability (CVE-2022-42475), downloaded Coathanger, carried out reconnaissance of the network and managed to steal a list of user accounts from the Active Directory server.

Advice for defenders

“Although this incident started with abuse of CVE-2022-42475, the Coathanger malware could conceivably be used in combination with any present or future software vulnerability in FortiGate devices,” they noted.

MIVD and AIVD stated “with high confidence” that the MOD intrusion and the creation of the malware can be attributed to a People’s Republic of China state-sponsored threat actor.

“This incident does not stand on its own, but is part of a wider trend of Chinese political espionage against the Netherlands and its allies,” they added.

Also, this incident is in line with the wider trend of state-sponsored hackers leveraging vulnerabilities in internet-facing edge devices.

MIVD and AIVD have provided mitigation and protections advice methods for organizations that use FortiGate devices, and have urged all organizations with internet-facing edge devices to:

• Implement security updates speedily
• Disable unnecessary features
• Restric access to them by disabling unnecessary services, ports and access to the management interface from the internet
• Monitor event logs for abnormal activity.

UPDATE (February 8, 2024, 09:20 a.m. ET):

Fortinet has published an analysis of exploitation of resolved N-Day vulnerabilities in its products and has shared some IoCs related to the attacks during which the Coathanger RAT was deployed. They said that “the techniques [used] bear similar hallmarks of previously observed activities by APT15.”

Other analyzed cases are believed to be the work of the Volt Typhoon threat actors.