cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Dutch military attributes RAT attack on its network to Chinese hackers

The Dutch military suffered an attack from Chinese hackers last year, leading to malware being deployed on a number of devices on its network.

user icon Daniel Croft
Wed, 07 Feb 2024
Dutch military attributes RAT attack on its network to Chinese hackers
expand image

The Military Intelligence and Security Service (MIVD) of the Netherlands revealed the incident yesterday (6 February), saying that China had deployed the malware for espionage purposes.

“China uses this type of malware for espionage on computer networks,” it said.

“The malware is used in systems (FortiGate) of the Fortinet company. Allows computer users to work remotely. Fortinet provides this cyber security worldwide.”


The company added that the damage was minimal due to network segmentation, resulting in only one of its computer networks being compromised.

“The MIVD found the malware on a separate computer network in the armed forces last year. This was used for unclassified research and development (R&D).

“Because this system was self-contained, it did not cause damage to the Defense network.”

The MIVD added that there were fewer than 50 users on the affected network and that organisations connected to the research and development on the network have been notified.

The hackers gained access through a known FortiGate vulnerability (CVE-2022-42475) before deploying a specially designed remote access Trojan (RAT) the MIVD and General Intelligence and Security Service of the Netherlands (AIVD) refer to as COATHANGER.

COATHANGER is designed to specifically work on Fortigate appliances and is able to avoid detection. It is used as a second-stage malware, meaning it downloads the malicious code once injected into a system rather than containing malicious code upon injection.

“Notably, the COATHANGER implant is persistent, recovering after every reboot by injecting a backup of itself in the process responsible for rebooting the system. Moreover, the infection survives firmware upgrades,” the two Dutch agencies warned.

“Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied.”

The release of a technical report to the public is a rare act for the MIVD, which said they have done so to better notify its international allies.

“For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China,” said Defense Minister Kajsa Ollongren.

“In this way, we increase international resilience against this type of cyber espionage.”

The MIVD urges companies that discover this malware or activity on their systems to notify the National Cyber Security Centre (NCSC).

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.