Thousands of FortiGate VPN systems hit by Chinese hackers

A button with the caption VPN
(Image credit: Shutterstock)

Between 2022 and 2023, Chinese attackers managed to compromise at least 20,000 Fortinet devices, including some that belonged to the government of the Netherlands, reports have revealed.

The news, recently confirmed by the Dutch Military Intelligence and Security Service (MIVD), also said the scope of the campaign was much larger than initially believed, now being thought to affect at least 20,000 compromised endpoints worldwide. 

The goal of the campaign seems to be cyber-espionage, where China illegally keeps tabs on western nations. 

Coathanger RAT

In February 2024, MIVD published a report together with the country’s General Intelligence and Security Service (AIVD), in which they detailed a campaign run by Chinese state-sponsored threat actors, against FortiOS/FortiProxy instances. These devices were vulnerable to a remote code execution flaw tracked as CVE-2022-42475.

At the time, the two organizations believed the Chinese infected some 14,000 devices: “During this so-called 'zero-day' period, the actor infected 14,000 devices alone. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry," the MIVD said. 

Among the victims were also devices that were part of the Dutch Ministry of Defense's research and development department, albeit for unclassified projects. 

To compromise the endpoints, the Chinese used a remote access trojan (RAT) called Coathanger. This RAT enabled the attackers to remain persistent on the device even after reboots and firmware updates.

Even though the patch was made available long ago, the MIVD believes Coathanger is still present on many devices, since it’s quite persistent and good at evading antivirus programs. 

China has a number of hacking groups on payroll, including Volt Typhoon who was recently found lurking on the networks of critical US infrastructure firms for years. APT31, on the other hand, was recently blamed for UK voter data theft that happened back in August 2021.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.