Chinese FortiGate Espionage Campaign Snares 20,000+ Victims

A sophisticated Chinese espionage campaign targeting Fortinet edge devices was far more extensive than previously thought, resulting in the compromise of at least 20,000 systems worldwide, according to the Dutch authorities.

The country’s intelligence services first revealed the campaign in February this year. They said Chinese spies exploited a zero-day vulnerability (CVE-2022-42475) in FortiGate appliances to deploy the Coathanger remote access Trojan (RAT) on Dutch defense networks.

However, the Dutch National Cyber Security Centre (NCSC) said in a new post this week that during the two months before Fortinet released a patch for the zero-day bug, the threat actors managed to compromise at least 14,000 targets. These included “dozens of (Western) governments, international organizations and a large number of companies within the defense industry,” it said.

The total number of infections within a few months in 2022 and 2023 is thought to be at least 20,000, with a “significant number” likely to still be impacted due to the difficulty of identifying and removing the RAT malware.

“The state actor installed malware at relevant targets at a later time. This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor continues to have this access,” the update read.

“It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data.”

The campaign has echoes of other espionage efforts by the Chinese state targeting cybersecurity appliances in a persistent manner.

Barracuda was forced to tell customers to replace their ESG appliances last year after Beijing-backed group UNC4841 targeted them. Also last year, unpatched SonicWall Secure Mobile Access (SMA) appliances were targeted by UNC4540.
