Dutch Agency Renews Warning of Chinese Fortigate Campaign
Chinese Cyberespionage Campaign Is 'Much Larger Than Previously Known'

Chinese hackers breached thousands of vulnerable FortiGate network security appliances in a cyberespionage campaign "much larger than previously known," a Dutch cybersecurity agency warned Tuesday.
The Dutch National Cyber Security Center said hackers targeted dozens of Western governments, international organizations and defense contractors after exploiting a critical remote code execution flaw in FortiOS/FortiProxy between 2022 and 2023.
The state-sponsored hackers deployed a previously unknown malware strain capable of persisting on networks despite firmware and security upgrades. The actual number of victims remains unknown. Dutch intelligence services estimate the hacking group could still have access to hundreds of vulnerable devices worldwide and may be capable of stealing sensitive data.
The U.S. Cybersecurity and Infrastructure Security Agency included the critical flaw, tracked as CVE-2022-42475, in its Known Exploited Vulnerabilities Catalog. Dutch officials said the hackers likely maintain access to at least some victims because of the stealthy nature of the "Coathanger" remote access Trojan deployed on FortiGate appliances after exploitation.
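The article names the flaw but not the builds it affects. As an added example (editor's code, not from the article, the Dutch agencies or Fortinet), the script below parses FortiGate version strings of the kind `get system status` prints and flags builds inside the affected ranges for CVE-2022-42475. The ranges are transcribed from my recollection of Fortinet's PSIRT advisory FG-IR-22-398 and are an assumption to re-verify against that advisory; the inventory rows, hostnames and build numbers are constructed placeholders.

```python
"""Flag FortiOS / FortiProxy builds within the CVE-2022-42475 affected ranges.

Editor-added example, not code from the article or from Fortinet. The
affected ranges below are transcribed from Fortinet PSIRT advisory
FG-IR-22-398 as recalled and must be re-checked against the advisory.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (first, last) affected build per branch. Branches that never
# received a fix (FortiOS 5.x, FortiProxy 1.x) get an open upper bound.
# Assumption: values recalled from FG-IR-22-398, not stated on the page.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 2)),
        ((7, 0, 0), (7, 0, 8)),
        ((6, 4, 0), (6, 4, 10)),
        ((6, 2, 0), (6, 2, 11)),
        ((6, 0, 0), (6, 0, 15)),
        ((5, 0, 0), (5, 6, 9999)),  # 5.0 through 5.6: affected, no fix published
    ],
    "FortiProxy": [
        ((7, 0, 0), (7, 0, 7)),
        ((2, 0, 0), (2, 0, 11)),
        ((1, 0, 0), (1, 2, 9999)),  # 1.1 and 1.2: affected, no fix published
    ],
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract a major.minor.patch triple from strings such as
    'FortiGate-100F v7.2.1,build1255,220822 (GA)' or a bare '7.2.1'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(product: str, version_text: str) -> bool:
    """True when the build falls inside an affected range for CVE-2022-42475."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no version found in {version_text!r}")
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return any(low <= version <= high for low, high in AFFECTED.get(product, []))


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Evaluate 'hostname, product, version-string' rows and report exposure.
    maxsplit=2 keeps the commas inside the version string intact."""
    results = []
    for line in lines:
        host, product, version_text = (f.strip() for f in line.split(",", 2))
        results.append((host, product, is_affected(product, version_text)))
    return results


# Constructed sample inventory: hostnames and build numbers are placeholders.
SAMPLE_INVENTORY = [
    "fw-edge-01, FortiOS, v7.2.2,build1255,221107 (GA)",
    "fw-edge-02, FortiOS, v7.2.3,build1262,221117 (GA)",
    "fw-branch-07, FortiOS, v6.4.10,build2488,221107 (GA)",
    "proxy-dmz-01, FortiProxy, v7.0.8",
]

if __name__ == "__main__":
    for host, product, affected in triage_inventory(SAMPLE_INVENTORY):
        state = "AFFECTED" if affected else "not affected"
        print(f"{host:14} {product:10} {state}")
```

A "not affected" result only says the current build is outside the exploitable range. Because the article describes Coathanger as surviving firmware and security upgrades, a device that ran an affected build during the 2022 to 2023 window and was later patched still needs an implant hunt, not just a version check.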
The Dutch military intelligence service first reported the malware was found on a Ministry of Defense network, though the hackers were blocked from classified systems due to network segmentation protections. In total, at least 20,000 FortiGate systems were breached in the two months that preceded Fortinet disclosing the vulnerability, according to the intelligence service (see: Chinese Hackers Penetrated Unclassified Dutch Network).
The service issued a report with the Dutch General Intelligence and Security Service earlier this year that details how the Chinese hackers used Coathanger malware to target FortiGate systems.
"Since then, the MIVD has conducted further research and it has emerged that the Chinese cyberespionage campaign appears to be much more extensive than previously known," the service said in a Tuesday update.
The intelligence service urged organizations to apply an "assumed breach" principle that calls for measures to limit the damage and impact of a successful digital attack that has already taken place.