Dutch military network hacked via FortiGate; Volt Typhoon botnet in US systems for 5 years

An espionage operation by the Chinese government inside a computer network of the Dutch military has probably been uncovered. The military network was hacked via a vulnerability in FortiGate, which makes the case relevant for other Fortinet customers as well. It has also since been revealed that the Volt Typhoon botnet, allegedly operated by Chinese state-affiliated hackers and recently shut down by the FBI, had probably been in existence for five years. The US security agency CISA published further details on Feb. 7, 2024.


Dutch military network hacked via FortiGate

A computer network of the Dutch armed forces was the target of suspected state hackers from China, as can be seen from the following tweet. However, according to the Dutch Military Intelligence and Security Service (MIVD), it is a computer network that was used for unclassified research and development (R&D).

FortiGate used to hack Dutch military network

According to this article from The Hacker News, the attack took place in 2023, with the attackers exploiting a known critical vulnerability in FortiOS SSL VPN (CVE-2022-42475, CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests.

Why this is relevant for all Fortinet customers

German blog reader Bolko had already pointed out the facts in the discussion area on February 6, 2024 (thanks for that). He wrote that China is spying on the Netherlands with a new "stealthy" remote access trojan (RAT) malware called "COATHANGER" and also quotes the Dutch military intelligence service.

The successful exploitation of the vulnerability in the above case paved the way for the deployment of a backdoor called COATHANGER from an actor-controlled server, allowing persistent remote access to the compromised devices. I had a few posts on the CVE-2022-42475 vulnerability in the blog, including FortiGuard Labs reports: Critical vulnerability CVE-2022-42475 in FortiOS is exploited.


China generally uses this type of malware to spy on computer networks and attacks systems on which FortiGate from Fortinet is installed. The FortiGate software enables users to work remotely on those networks, and Fortinet offers it worldwide. On February 6, 2024, the Dutch "National Center for Cybersecurity" published a report with the following statements:

  • the malware operates outside the field of view of conventional detection measures
  • the malware not only gains access to the computer network, but also establishes itself persistently

The latter point is the important one: the malware survives patching and keeps access open to the attackers. A report on the COATHANGER malware with many details is available as a PDF. In this advisory, the risk is rated as "high". The malware can actively interfere with virus scanners and, if detected, delete the scan result from the scanner's logs. According to this Reuters article, the malware has also been found in other systems, not only in the Netherlands. On GitHub there is the COATHANGER FortiGate IOC Checker for checking systems (thanks to Bolko for the link).

CISA: Volt Typhoon botnet active for 5 years

The US government announced in early February 2024 that the Volt Typhoon espionage network had been shut down by remote commands. This network, attributed to China, infiltrates routers and aims to be able to shut down critical infrastructure in the event of an incident. The Volt Typhoon botnet has infected and hijacked hundreds of routers, according to US authorities. The botnet was then used to covertly attack critical infrastructure networks of the US and its allies. The botnet activities discovered so far, which are attributed to China, are "likely just the tip of the iceberg", they said. I took this up in the article Volt Typhoon botnet shut down by US authorities (FBI).

The colleagues at Bleeping Computer now report in this article that the Volt Typhoon botnet has been active for 5 years and refer to this publication by CISA dated February 7, 2024. I was alerted to the issue overnight by an email offering a phone call with the Executive Director of the US National Cybersecurity Alliance. The CISA document is interesting in that it contains technical details and instructions on what to do.
