The Netherlands’ National Cyber Security Center revealed that a China-linked cyber campaign has compromised tens of thousands of government and defense systems across Western nations, surpassing initial estimates.
A cyber campaign connected to China, which infiltrated a Dutch defense network last year, is far larger than previously understood, according to the Dutch government. This campaign, named COATHANGER, has compromised numerous government and defense systems across Western nations.
The Netherlands’ National Cyber Security Center (NCSC) announced on June 10 that the COATHANGER campaign exploited a zero-day vulnerability in the FortiGate firewall system, which is widely used by government networks in the Netherlands and other countries. Zero-day vulnerabilities exist when a software flaw is unknown to the vendor and is exploited before it can be patched.
According to the NCSC, the COATHANGER campaign has infiltrated 20,000 systems across dozens of Western governments, international organizations, and numerous companies within the defense sector. The attackers installed malware on several compromised targets, ensuring continued access even if security updates were applied.
“This gave the state actor permanent access to the systems,” the NCSC statement read. “Even if a victim installs FortiGate security updates, the state actor continues to have this access.”
The NCSC emphasized that it is uncertain how many victims have malware installed but indicated that the state actor likely retains access to a significant number of systems. This ongoing access poses a substantial risk, potentially enabling further actions such as data theft.
The Dutch intelligence’s original report, released in February, had suggested limited damage due to “network segmentation,” which isolates affected systems from broader defense networks. However, the recent announcement by the NCSC indicates a much broader infiltration.
The original report, published by the Dutch Military Intelligence and Security Service and the General Intelligence and Security Service, did not specify the information targeted by the hackers. However, the latest findings suggest that the campaign aimed to gain persistent access to the defense industries of Western nations.
The NCSC’s statement highlighted that the COATHANGER campaign, like many hacking operations, targeted “edge devices” such as firewalls, VPN servers, routers, and email servers that connect internal systems to wider networks.
Given the difficulty in anticipating zero-day vulnerabilities, the NCSC recommended adopting an “assume breach” principle. This approach involves assuming an initial breach and focusing efforts on limiting potential damage.
Numerous reports have identified China-backed actors as responsible for some of the world’s largest online influence operations. Earlier this year, U.S. intelligence leaders announced the dismantling of Chinese malware known as Volt Typhoon, which had threatened vital U.S. infrastructure, including water, energy, oil, and air traffic control systems.
The revelation of the extensive reach of the COATHANGER campaign underscores the significant threat posed by state-sponsored cyber operations. The Dutch government’s call for immediate measures to mitigate the impact of this campaign highlights the need for increased vigilance and enhanced cybersecurity protocols across affected nations.
13th Jun 2024
Comments