A China-linked cyber campaign that infiltrated a Dutch defense network last year is much larger than previously thought and has infiltrated tens of thousands of government and defense systems in Western nations, according to the Dutch government.
The campaign, dubbed COATHANGER, has been linked to communist China; it exploited a zero-day vulnerability in the FortiGate firewall system used by the Netherlands and other nations on many government networks. A zero-day vulnerability is a flaw that attackers exploit before a software update fixing it has been deployed.
The Netherlands’ National Cyber Security Center (NCSC) said on June 10, however, that the Chinese cyber campaign is far larger than previously thought.
NCSC said that COATHANGER compromised 20,000 systems across dozens of Western governments, international organizations, and a large number of companies within the defense industry.
Moreover, the statement said, the attackers used the intrusion to install malware on some of those compromised targets to guarantee continued access to those systems. That access still hasn’t been cut off.
“This gave the state actor permanent access to the systems,” the statement reads. “Even if a victim installs FortiGate security updates, the state actor continues to have this access.”
“It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state-owned actor could potentially expand its access to hundreds of victims worldwide and has been able to carry out additional actions such as stealing data.”
Likewise, the Dutch statement said that “it is likely that the state actor still has access to systems of a significant number of victims at the moment” and that organizations should take measures to mitigate the possible fallout from that access.
The Netherlands’ original report, jointly published by the Dutch Military Intelligence and Security Service and the General Intelligence and Security Service, didn’t clarify what information the hackers were trying to obtain.
The scope of the latest discovery suggests that the campaign sought to gain persistent access to the defense industries of Western nations. However, it remains unclear whether all the victims were in NATO nations or shared some other connection.
The Dutch statement said that the COATHANGER campaign, like many hacking operations, targeted “edge devices” such as firewalls, VPN servers, routers, and email servers that connect an internal network to the wider internet.
Because zero-day vulnerabilities are hard to anticipate, the statement said, the government encouraged the adoption of an “assume breach” principle. This means that an organization should assume an initial breach has already happened and take steps to limit the damage it can do.
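The practical consequence of the statement quoted above is that installing the FortiGate update closes the vulnerability but does not remove an implant planted earlier. The following script is an added illustration, not part of the article or of any Dutch government guidance, of how an assume-breach triage over an edge-device inventory applies that rule: every internet-facing device that was exposed before it was patched is treated as compromised until its integrity is verified. The inventory, device names and the exploitation-window date are constructed placeholders; in practice the date comes from the vendor or CERT advisory.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Placeholder: the date from which the flaw is assumed to have been exploited in
# the wild. Constructed for this example; substitute the advisory date in practice.
EXPLOITED_SINCE = date(2023, 1, 1)

# Triage statuses returned by triage().
VERIFY = "VERIFY"                    # patched after exposure: assume implant, verify or reimage
PATCH_AND_VERIFY = "PATCH_AND_VERIFY"  # still vulnerable and exposed: isolate, patch, then verify
ROUTINE = "ROUTINE"                  # not exposed during the window: normal patch cycle


@dataclass
class EdgeDevice:
    name: str
    role: str                    # firewall, vpn, router, mail
    internet_facing: bool
    patched_on: Optional[date]   # None means still running vulnerable firmware


def triage(device: EdgeDevice, exploited_since: date = EXPLOITED_SINCE) -> str:
    """Classify one device under an assume-breach policy.

    The key rule: a patch applied after the exploitation window began closes
    the hole but does not remove malware installed through it earlier, so such
    a device is treated as compromised until its firmware integrity is checked.
    """
    if not device.internet_facing:
        return ROUTINE
    if device.patched_on is None:
        return PATCH_AND_VERIFY
    if device.patched_on <= exploited_since:
        # Patched before attackers could have used the flaw.
        return ROUTINE
    return VERIFY


def fleet_report(devices: List[EdgeDevice],
                 exploited_since: date = EXPLOITED_SINCE) -> Dict[str, List[str]]:
    """Group device names by triage status so responders can prioritise."""
    report: Dict[str, List[str]] = {VERIFY: [], PATCH_AND_VERIFY: [], ROUTINE: []}
    for device in devices:
        report[triage(device, exploited_since)].append(device.name)
    return report


# Constructed sample inventory (names and dates are invented for the example).
SAMPLE_INVENTORY = [
    EdgeDevice("fw-dmz-01", "firewall", True, date(2023, 3, 15)),   # patched late
    EdgeDevice("vpn-hq-01", "vpn", True, None),                     # never patched
    EdgeDevice("fw-lab-02", "firewall", False, None),               # isolated lab
    EdgeDevice("fw-edge-03", "firewall", True, date(2022, 12, 20)), # patched early
]

if __name__ == "__main__":
    for status, names in fleet_report(SAMPLE_INVENTORY).items():
        print(f"{status:17s} {', '.join(names) or '-'}")
```

Devices in the VERIFY bucket are the ones the article's warning is about: up to date on patches yet possibly still hosting an implant, so the follow-up is an integrity check against known-good firmware (or a reimage) and rotation of any credentials that passed through the device.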