The Dutch Military Intelligence and Security Service (MIVD) on Monday said that the ongoing Chinese cyber espionage campaign had affected at least 20,000 Fortinet FortiGate devices, which appears to be “much more extensive than previously known.”
The attacks by the Chinese state-sponsored hacking group were first disclosed in February 2024 in a joint report published by the MIVD and the General Intelligence and Security Service (AIVD).
Further, the report revealed that the Chinese hackers gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023 by exploiting a critical FortiOS/FortiProxy remote code execution vulnerability (CVE-2022-42475) to deploy malware on vulnerable FortiGate network security appliances.
The threat actors apparently already knew of this vulnerability two months before Fortinet disclosed it.
“During this so-called ‘zero-day’ period, the actor infected 14,000 devices alone. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry,” the MIVD said.
The MIVD found that the state-sponsored hackers deployed a previously unknown malware strain dubbed COATHANGER that could survive reboots and firmware upgrades.
This malware was first found on the Dutch Ministry of Defence network used in the research and development (R&D) of unclassified projects, though the hackers were blocked from classified systems due to network segmentation.
“This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor continues to keep this access,” the MIVD added.
It is currently unknown how many victims actually had the malware installed. The Dutch intelligence services and the NCSC warn that the hacking group could still have access to the systems of hundreds of vulnerable victims worldwide, as the COATHANGER malware is difficult to identify and remove and may be capable of stealing sensitive information.
China, however, denied any involvement after the February report, saying in a statement at the time that the country “always firmly opposes and cracks down on cyber attacks in all forms in accordance with the law.”
“We will not allow any country or individual using Chinese infrastructure to engage in such illegal activities.”
Meanwhile, the intelligence service has advised organizations to apply an “assumed breach” principle: assume that a successful digital attack has already taken place or will soon take place, and put measures in place to limit the resulting damage and impact.