Massive Chinese cyber espionage campaign impacts at least 20,000 FortiGate systems

The ongoing Chinese state-sponsored cyberespionage campaign, which is targeting FortiGate systems with advanced Coathanger malware, is “much more extensive than previously known,” the Dutch National Cyber Security Center (NCSC) has warned.

In 2022 and 2023, the state-sponsored threat actor gained access to at least 20,000 FortiGate systems worldwide within a few months. Furthermore, 14,000 devices were infected during the so-called ‘zero-day’ period before Fortinet announced the exploited vulnerability (CVE-2022-42475).

This means that hackers were well aware of this vulnerability while targeting dozens of Western governments, international organizations, and a large number of defense industry companies.

In February, a report by the Dutch Military Intelligence and Security Service and other authorities revealed the use of the Coathanger malware in the campaign. However, NCSC is now calling for extra attention to the situation as malicious actors are abusing edge devices, such as routers, firewalls, email servers, gateways, and other entrance points of computer networks.

These devices are popular targets for malicious actors, as they are located at the edge of the computer network, connected to the internet, and often are not covered by Endpoint Detection and Response (EDR) solutions.

The malware gives persistent access to compromised systems: it survives the installation of security updates and reboots, and because Coathanger infections are difficult to identify and remove, the state actor retains access. The Dutch authorities assume that many devices remain compromised.

“It’s not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data,” the report reads.

NCSC also shared an advisory on dealing with threats when using edge devices; however, it is available in Dutch only.

“It is important that organizations adopt the ‘assume breach’ principle. This principle states that a successful digital attack has already taken place or will soon take place,” NCSC said.

“Based on this, measures are taken to limit the damage and impact. This includes taking mitigating measures in the areas of segmentation, detection, incident response plans, and forensic readiness.”