Chinese state-backed cyberspies gained access to a Dutch military network last year, Dutch intelligence agencies said, calling it part of a “trend” of Chinese political espionage against the Netherlands and its allies.
It is the first time the Netherlands has publicly attributed cyber espionage to China, as national security tensions grow between the two countries.
“It is important to ensure that espionage activities of this nature committed by China become public knowledge since this will help to increase international resilience to this type of cyber espionage,” Dutch Defence Minister Kajsa Ollongren said on February 6.
The agencies, known by their Dutch acronyms MIVD and AIVD, said the hackers had placed malicious software, or malware, that cloaked its own activity inside an armed forces network used by 50 people for unclassified research.
“MIVD & AIVD emphasise that this incident does not stand on its own, but is part of a wider trend of Chinese political espionage against the Netherlands and its allies,” they said in their report.
Last April, AIVD said in an annual assessment that China posed the greatest threat to the Netherlands’ economic security with espionage attempts targeting high-tech companies and universities.
A prime target is ASML, based in the southern city of Veldhoven – the world’s dominant supplier of lithography machines for making computer chips.
In a separate report, also last April, the MIVD said China was illegally attempting to acquire Dutch space technology.
It was not clear from the February 6 report what information the hackers were trying to obtain. The agencies said the damage was limited because the network was separate from the ministry’s main system.
Last month, Reuters exclusively reported that the US Government had launched an operation to fight a pervasive Chinese hacking operation, dubbed Volt Typhoon, that compromised thousands of internet-connected devices.
It was not clear from the report if the activity revealed by the MIVD and AIVD was connected.
The malware, known as Coathanger, appeared able to conceal its own presence, at least for a time.
The agencies named it after a snippet of code that contained a line from Lamb to the Slaughter, a 1953 short story by British author Roald Dahl.
That line, “She took his coat and hung it up”, describes the moments before a wife murders her unsuspecting husband with a frozen leg of lamb.
Coathanger remains on a device even after an update or reboot, and deletes itself from virus scan results.
The report assessed with “high confidence” that both the hacking and the malware were the work of “a state-sponsored actor” from China.
It said the implant had also been found on the network of a Western international mission as well as a handful of others, adding: “The malware has been developed specifically for FortiGate devices, which are used by organisations as a firewall to protect their systems.”
Fortinet, the maker of the firewall that is used worldwide, did not immediately respond to a request for comment.
The Chinese Embassy in the Netherlands said in a statement on February 7, in response to the report, that Beijing would never allow any Chinese entities or individuals to conduct illegal activities such as cyberattacks or use Chinese facilities for such attacks.
It is the first time the Netherlands has publicly attributed cyber espionage to China.
“China opposes any malicious speculation and groundless accusations, and advocates joint efforts to safeguard cybersecurity through dialogue and cooperation,” a Chinese Embassy spokesperson was quoted as saying in the statement.
The allegations are the latest by a country claiming that China has tried to hack sensitive information, with the Philippines on February 5 saying it had thwarted an attack by Chinese hackers.
The Netherlands-based Embassy spokesperson said: “The Chinese Government has always resolutely opposed and cracked down on all forms of cyberattacks in accordance with the law.”