Chinese state-backed hackers breached the Dutch Ministry of Defense (MOD) in early 2023 by exploiting a zero-day vulnerability in FortiOS, the operating system of FortiGate firewalls [2], according to Dutch intelligence agencies [1] [3] [7].


The intrusion targeted a segmented network used for unclassified research and development projects within the MOD, affecting fewer than 50 users. The hackers gained initial access and remained undetected for a significant period of time. They downloaded a new remote access trojan (RAT) malware called Coathanger [5], specifically designed for FortiGate appliances [1]. This stealthy and persistent RAT hides itself by hooking system calls and can survive reboots and firmware upgrades. The malware made periodic contact with a Command & Control server [2], making it difficult to detect [2]. The hackers also conducted reconnaissance and exfiltrated user account information [3]. The impact of the intrusion was limited as the network was separate from the ministry’s main system [1] [4].

The Dutch Ministry of Defense attributes this intrusion and the creation of the Coathanger malware to a state-sponsored threat actor from China. Chinese hackers are known to perform wide and opportunistic scanning campaigns for vulnerable edge devices [3]. The Dutch Military Intelligence and Security Service (MIVD) discovered the Coathanger malware on isolated computer networks used for unclassified research and development [6]. The malware targeted FortiGate systems from cybersecurity company Fortinet [6]. The MIVD published a bulletin to raise awareness of the threat and urged organizations to report any encounters with the malware to the National Cyber Security Center (NCSC) [6]. The Dutch intelligence services have observed increased attempts by both China and Russia to spy on the Netherlands and infiltrate organizations [6]. The Joint Signal Cyber Unit of the Netherlands has also published indicators of compromise related to the attack [3].

This incident is part of a larger trend of Chinese political espionage against the Netherlands and its allies [1] [5] [7]. The Dutch Defence Minister emphasized the importance of making these espionage activities public to increase international resilience against cyber espionage [1] [7]. The report also mentions previous assessments that identified China as the greatest threat to the Netherlands’ economic security [7], particularly targeting high-tech companies and universities [1] [7]. ASML [1] [4] [7], a major supplier of lithography machines for computer chips [1] [7], is a prime target [1] [7]. The MIVD also reported China’s illegal attempts to acquire Dutch space technology [7]. The extent of the information the hackers were trying to obtain is unclear [7], but the damage was limited due to the network’s separation from the ministry’s main system [1] [7].


The breach of the Dutch Ministry of Defense by Chinese state-backed hackers highlights the ongoing threat of cyber espionage. The use of a zero-day vulnerability and the creation of a specialized malware demonstrate the sophistication of the attack. The limited impact of the intrusion was due to the network’s separation from the ministry’s main system. However, the incident raises concerns about the security of high-tech companies and universities in the Netherlands, as well as the potential acquisition of sensitive technology by foreign actors. It is crucial for organizations to remain vigilant and report any encounters with the Coathanger malware to mitigate future risks.