Chinese hackers compromise 20,000 FortiGate systems worldwide.

The Military Intelligence and Security Service of the Netherlands (MIVD) warned today that the impact of a Chinese cyber espionage campaign, revealed earlier this year, is “much larger than previously known.”

According to the MIVD, in a joint report with the General Intelligence and Security Service (AIVD) published in February, Chinese hackers exploited a critical remote code execution vulnerability in FortiOS/FortiProxy (CVE-2022-42475) for several months between 2022 and 2023. This vulnerability allowed attackers to deploy malware on vulnerable FortiGate network security devices.

“During this ‘zero-day’ period, the actor infected only 14,000 devices. Targets included dozens of (Western) governments, international organizations, and a large number of companies in the defense industry,” stated the MIVD.

The malware, known as Coathanger, was also found on a network of the Dutch Ministry of Defense used for non-classified research and development (R&D) projects. However, due to network segmentation, the attackers were blocked and could not move to other systems.

The MIVD discovered that this previously unknown strain of malware could survive system reboots and firmware updates. This malware was deployed by a state-sponsored Chinese hacker group in a political espionage campaign targeting the Netherlands and its allies.

“This gave the state actor permanent access to the systems. Even if a victim installs FortiGate security updates, the state actor continues to maintain this access,” added the MIVD.

Since February, the Dutch military intelligence service has found that the Chinese threat group gained access to at least 20,000 FortiGate systems worldwide during 2022 and 2023. This access was achieved at least two months before Fortinet disclosed the vulnerability CVE-2022-42475.

The MIVD believes that Chinese hackers still have access to many of these systems, as the Coathanger malware is difficult to detect and remove, due to its ability to intercept system calls and survive firmware updates.

This hacking campaign shares many similarities with another Chinese hacking campaign that targeted unpatched SonicWall Secure Mobile Access (SMA) devices with cyber espionage malware designed to withstand firmware updates.

Dutch intelligence services and the National Cybersecurity Center (NCSC) consider it likely that the state actor could expand its access to hundreds of victims worldwide and take further actions, such as data theft.