The Netherlands’ Military Intelligence and Security Service (MIVD) has disclosed a massive cyber espionage campaign orchestrated by a Chinese state-sponsored threat actor, resulting in the compromise of over 20,000 FortiGate firewalls worldwide.

The attacks, which took place between 2022 and 2023, exploited a zero-day vulnerability (CVE-2022-42475) in FortiOS and FortiProxy software.

“During this so-called ‘zero-day’ period, the actor infected 14,000 devices alone. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry,” the MIVD said.

“This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor continues to keep this access,” the MIVD added.

Buy Me A Coffee

“It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand his access to hundreds of victims worldwide and carry out additional actions such as stealing data.”

The MIVD’s findings also reveal that the campaign was far more extensive than initially believed. The Chinese hackers deployed a sophisticated malware strain known as “Coathanger,” designed to maintain persistent access even after firmware upgrades. This made detection and removal extremely difficult.

Targets of the campaign included dozens of Western governments, international organizations, and numerous companies within the defense industry. The stolen data is believed to have been used for espionage purposes, potentially compromising sensitive information and national security.

Fujitsu Confirms Customer Data Exposed in March Cyberattack

Fortinet, the developer of FortiGate, has since patched the vulnerability. However, the MIVD warns that many victims may still be compromised due to the stealthy nature of the Coathanger malware.