Chinese Hackers Breach Dutch Military Network


The Dutch Military Intelligence recently disclosed that a group of Chinese state-backed military officers broke into a Dutch military network. Reports indicate that the breach took place in 2023 and that the affected network had 50 users, all of whom are now under government supervision.

Preliminary investigation indicates that the breach targeted Fortinet FortiGate devices. The attackers exploited a critical security vulnerability in FortiOS SSL-VPN (CVE-2022-42475), which carries a CVSS score of 9.3. This flaw is believed to have enabled the breach by allowing the perpetrators to execute arbitrary code on the affected devices and proceed with their plans.

The one mitigating factor in this breach was that the affected network was relatively contained: as reported, it had only 50 users and did not extend further, which limited the damage that could otherwise have amounted to a national security breach.

Why is it important to know?

After the intrusion succeeded, the attackers deployed a backdoor dubbed COATHANGER, which was operated from an actor-controlled server. The purpose of the malware was to maintain persistent remote access to the compromised Fortinet appliances. The most striking feature of COATHANGER, as highlighted by the Dutch National Cyber Security Centre (NCSC), is that it conceals itself by hooking system calls and survives both reboots and firmware upgrades. It was also reported to be a sophisticated tool developed over months.

This is the first time the Netherlands has publicly attributed such a cyber attack to China. The name COATHANGER is symbolic, derived from Roald Dahl’s famous short story “Lamb to the Slaughter”, a reference noted by Reuters, which first broke the news.

The news broke amid heightened global concern over cyber attack groups run by the Chinese government. It was recently noted that the US army had uncovered a botnet consisting of Cisco and Netgear routers, which is believed to have been used by a Chinese threat actor known as Volt Typhoon.

This is not the only such incident reported recently. Last year, Mandiant, a Google-owned company, uncovered a cyber espionage group tracked as UNC3886 that was exploiting vulnerabilities in Fortinet products. To execute arbitrary commands, with potentially catastrophic consequences, the group used the THINCRUST and CASTLETAP malware. Its aim was to obtain as much sensitive data as possible.

What are the next steps?

This exploitation highlights the need for organizations to take active steps and apply security patches before the underlying flaws can be exploited. A robust security posture that addresses every potential loophole gives data more stability and security. Failure to do so exposes the network to risk, and consequently to malicious activity such as espionage, data breaches, and loss of operational and confidential data.
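The CVE named earlier in the article (CVE-2022-42475 in FortiOS SSL-VPN) and the patching advice above translate into a routine inventory check: which FortiGate devices still run a release older than the first fixed build of their branch, and which of those expose SSL-VPN. The script below is an added example written for this article, not code from the Dutch authorities, Fortinet or any vendor tool. The fixed-version table is an assumption for illustration and must be confirmed against Fortinet's advisory for CVE-2022-42475 before use; the hostnames and version strings in the sample inventory are constructed.

```python
import re

# Assumed first-fixed FortiOS release per branch for CVE-2022-42475.
# Placeholder values for illustration: confirm them against Fortinet's
# advisory before relying on this check.
FIXED_VERSIONS = {
    (7, 2): (7, 2, 3),
    (7, 0): (7, 0, 9),
    (6, 4): (6, 4, 11),
    (6, 2): (6, 2, 12),
    (6, 0): (6, 0, 16),
}

# FortiOS reports versions such as "v7.0.5,build0304,220316 (GA)";
# only the leading numeric triple matters for the comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from a FortiOS version string."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version_text):
    """Classify one version as 'patched', 'vulnerable' or 'unknown-branch'."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Branch absent from the table (end-of-life or newer than the
        # table): do not guess, flag it for manual review instead.
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Rank devices by exposure, most urgent first.

    inventory: iterable of (hostname, version_text, sslvpn_enabled).
    Priority 0 = vulnerable with SSL-VPN enabled, 1 = vulnerable but
    SSL-VPN disabled, 2 = unknown branch (review), 3 = patched.
    """
    ranked = []
    for hostname, version_text, sslvpn_enabled in inventory:
        status = assess(version_text)
        if status == "vulnerable":
            priority = 0 if sslvpn_enabled else 1
        elif status == "unknown-branch":
            priority = 2
        else:
            priority = 3
        ranked.append((priority, hostname, status))
    ranked.sort()
    return ranked


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "v7.0.5,build0304,220316 (GA)", True),
    ("fw-edge-02", "v7.2.4,build1396,230131 (GA)", True),
    ("fw-lab-01", "v6.4.9,build1966,220128 (GA)", False),
    ("fw-old-01", "v5.6.14,build1727,200716 (GA)", True),
]

if __name__ == "__main__":
    for priority, host, status in triage(SAMPLE_INVENTORY):
        print(f"P{priority} {host:12s} {status}")
```

Devices whose branch is not in the table are deliberately reported as "unknown-branch" rather than "patched": an end-of-life release that never received a fix is the worst case, and silently treating it as safe is the failure mode this kind of check most often has.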

The Dutch intelligence services are reported to be focusing on improving the security of the system and on enhancing their threat notification capabilities. A wide range of security assessments is also being conducted to determine whether any remaining loopholes in the system could lead to a second attack.

Conclusion

The Dutch military network breach is a reminder that cybersecurity becomes a greater concern with every passing day. The evolving nature of the threat makes it hard for anyone to recognize. At present, collaboration between the public and private sectors to develop robust security methods is the only way to deal with such a cyber catastrophe. Without a secured data system, it is challenging for any nation to maintain data secrecy.
