Ongoing state-sponsored cyber espionage campaign via vulnerable edge devices

Earlier this year, the NCSC, in collaboration with the Dutch Military Intelligence and Security Service (MIVD) and the Dutch General Intelligence and Security Service (AIVD), published a report on advanced COATHANGER-malware targeting FortiGate-systems. The MIVD has continued its investigation into the associated Chinese cyber espionage campaign, which has proven to be far more extensive than previously acknowledged. In response, the NCSC is calling for heightened vigilance regarding this campaign and the exploitation of vulnerabilities in edge devices. To support this effort, the NCSC has developed a factsheet detailing information on edge devices, associated challenges, and recommendations.

The broader COATHANGER-campaign

Since publication of the report in February, the MIVD has conducted additional research into the associated Chinese cyber espionage campaign. This research revealed that by exploiting a vulnerability affecting FortiGate devices, the state actor gained access to at least 20.000 FortiGate devices globally within a few months in both 2022 and 2023. Further investigation indicates that the actor was aware of the exploited vulnerability CVE-022-42475 at least two months prior to the disclosure of the vulnerability. During this zero-day period alone, the actor infected as many as 14.000 devices. The targets included dozens of Western governments and diplomatic institutions as well as numerous companies operating in the defence industry. 

The state actor subsequently installed malware at a later stage if a target was considered to be relevant. This afforded the actor permanent access to the system, even if the victim installed the FortiGate updates.

It is unknown how many of these FortiGate devices that were hacked during this initial period were actually subjected to the subsequent operations by the actor. However, The Netherlands intelligence and security services and the NCSC deem it probable that the hacker was potentially able to expand access and carry out additional actions, such as data theft, potentially affecting hundreds of victims worldwide.

Even with the published technical report on the COATHANGER malware, detecting and mitigating infections by the state actor remains challenging. The Netherlands intelligence and security services and the NSC therefore deem it possible that the actor currently has continued access to the systems of a significant number of victims.   

Mitigation risks associated with edge devices

The NCSC and The Netherlands intelligence and security services observe a trend in attacks on edge devices such as firewalls, VPN servers, routers and email servers. Due to the security challenges associated with these devices, they have become prime targets for malicious actors. Positioned at the periphery of the IT network, edge devices often have direct connections to the internet and are frequently not supported by Endpoint Detection and Response (EDR) solutions.

The initial compromise of an IT network is difficult to prevent if an actor is exploiting a zero-day vulnerability. It is important for organisations to, therefore, adopt the ‘assume breach’ principle, which acknowledges that a successful digital attack has already occurred or is imminent. Based on this principle, measures are taken to mitigate damage and impact, including implementing segmentation, detection, incident response plans, and forensic readiness.

The NCSC factsheet ‘Managing edge devices’ elaborates on further challenges and digital threats associated with the use of edge devices and provides concrete actionable insights for organisations to address each challenge effectively.