Chinese cyber espionage campaign targets ‘dozens’ of Western governments, Dutch officials say

An ongoing Chinese-linked cyber espionage operation has successfully infiltrated “a significant number of victims” that include Western governments, international organizations and the defense industry, Dutch intelligence and security authorities said Monday. 

Dutch authorities first disclosed in February an operation targeting FortiGate edge devices and noted the discovery of a new remote access trojan dubbed “Coathanger,” designed to maintain access in FortiGate devices. The February report stemmed from an investigation of a breach at  the Dutch Ministry of Defense, and Monday’s report concludes that “the Chinese cyber espionage campaign appears to be much more extensive than previously known,” Dutch authorities said in a statement.

The Chinese-linked operation gained access to at least 20,000 FortiGate systems worldwide within a few months in 2022 and 2023 using a since-patched vulnerability in the FortiGate FortiOS software, Dutch authorities said. The hackers knew about the vulnerability for at least two months prior to Fortinet announcing the vulnerability, infecting roughly 14,000 devices during that time, according to Dutch authorities. 

Targets include “dozens” of Western governments, international organizations and a large number of companies within the defense industry. The Chinese operation installed malware on systems connected to an unknown subset of “relevant” targets, and even if those targets updated FortiGate, the Chinese hackers were able to maintain access to the systems, according to the Dutch investigation. 

Fortinet did not respond to a request for comment Tuesday.

Liu Pengyu, spokesperson for the Chinese Embassy, said in a statement to CyberScoop on Tuesday that the Chinese government opposes “any groundless smears and accusations against China,” and that the country “is a major victim of cyber attacks.”

“We keep a firm stance against all forms of cyber attacks and resort to lawful methods in tackling them. China does not encourage, support or condone attacks launched by hackers,” Pengyu said. “Keeping the cyberspace safe is a global challenge. As is the case with other issues, false accusations or bloc confrontation will only damage the collective response to the threats the world faces on cybersecurity.”

The campaign described by Dutch authorities highlights the continuing abuse of edge devices — including firewalls and routers — as a key part of sophisticated state-aligned hacking operations that have targeted vulnerable small office and home office routers to gain access to critical infrastructure and other sensitive networks, as U.S. officials have warned.

“Edge network devices are a huge problem today,” said Tom Hegel, principal threat researcher with SentinelLabs. Hegel, who tracks Chinese-aligned hacking operations and is familiar with the campaign highlighted by the Dutch government. He said edge device security is “a big problem because so few have security tech to defend them or even monitor them. Yet it’s becoming the most commonly targeted technology.”

While it’s not known how many entities have the malware installed, Dutch intelligence “consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data,” according to the statement.

“Infections from the actor are difficult to identify and remove,” the authorities wrote. “The NCSC and the Dutch intelligence services therefore state that it is likely that the state actor still has access to systems of a significant number of victims.”

Hegel noted that Coathanger is a tool used for remote access and backdoor capabilities. “High-value victims can then see further malware introduced into the network through this access,” he said.

Hegel declined to comment on specific known targets, but said they “include a variety of public and private organizations highly relevant to China’s global agenda.”

Knowing Chinese hacking operations, he added, it’s likely the hackers “made use of multiple malware families and network infrastructure which still remain unknown to us today, and maintaining long-term access to a broad variety of organizations is particularly important to them.”

The Chinese Embassy in Washington, D.C., did not respond to a request for comment Tuesday. The Cybersecurity and Infrastructure Security Agency did not respond to a request for comment on how many U.S. entities, if any, were targeted as part of this operation.

Updated June 11, 2024: This story has been updated to include comment from the Chinese Embassy in Washington, D.C.