Dutch call out China: cyber spying detected in Fortigate system

February 6, 2024




Netherlands accuses China of cyber spying after security service makes malware discovery | NL Times

TLDR:

The Dutch Ministry of Defense has accused China of cyber spying after the Dutch Military Intelligence and Security Service (MIVD) discovered advanced Chinese malware on Fortigate systems from the company Fortinet. The malware, named Coathanger, was found on an isolated computer network used for unclassified Research and Development at the Dutch military. The MIVD published a bulletin to notify IT workers about the threat and asked organizations that encounter the malware to report it to the National Cyber Security Center (NCSC).

The Dutch Ministry of Defense alleged on Tuesday that a Chinese state actor has attempted to carry out a cyber espionage campaign in the Netherlands for an extended period of time. The ministry said that the Dutch Military Intelligence and Security Service (MIVD) discovered advanced Chinese malware that made this possible. The malware is used on FortiGate systems from the company Fortinet, which is officially headquartered in California.

China uses this type of malware to spy on computer networks, the ministry said. The FortiGate software is meant to allow computer users to work remotely. Fortinet claims they supply their cybersecurity products to over 700,000 customers globally.

The MIVD found the malware, which it named Coathanger, last year at the Dutch military on an isolated computer network. This was used for unclassified Research and Development. Because this system was isolated, it did not lead to damage to the Dutch Defense network.

The MIVD published a bulletin about the discovery in English to notify information technology workers about the threat. “The MIVD is choosing for the first time to publish a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities to China,” said Defense Minister Kajsa Ollongren. “This is how we increase international resilience against this type of cyberespionage.”

The MIVD and the General Intelligence and Security Service (AIVD) shared information about the incident and the characteristics of the malware on the website from the National Cyber Security Center (NCSC). “The MIVD and AIVD discovered a new Remote Access Trojan (RAT) malware during an incident response investigation. This RAT is a targeted persistent malware that operates outside of traditional detection measures and is designed specifically for Fortigate devices,” the NCSC wrote.

The detected malware installed backdoor access by exploiting a known vulnerability in FortiGate devices. The MIVD publication therefore does not concern a new vulnerability in FortiGate devices. With the publication, the Dutch agencies want FortiGate system users to be able to determine whether they have become victims. They can also take measures to defend themselves. The MIVD asked organizations that encounter this malware to report it to the NCSC. This can help stop the Chinese espionage campaign, they said.

Late last year, NRC revealed that Chinese hacker group Chimera allegedly breached the systems of Dutch chip manufacturer NXP. The hackers had access to NXP systems for more than two years starting at the end of 2017. Additionally, after a suspected Chinese surveillance balloon was seen over the United States a year ago, the Dutch police said they would use fewer drones made in China. Volkskrant journalist Marije Vlaskamp was also targeted with violence and threats after writing critically about China, she detailed in an article published last April. Both China and Russia have been accused of stepping up attempts to either spy on the Netherlands or to infiltrate the workforces of various organizations. This has worked both ways, though, the Dutch intelligence services said. Both the AIVD and MIVD said degraded relationships with the two countries have been a boon for their recruitment efforts.

© 2012-2024, NL Times, All rights reserved.

