Skip to content

Coathanger campaign infiltrates over 20,000 FortiGate systems

  • by
  • 3 min read

A Chinese cyber espionage campaign, known as Coathanger, has breached over 20,000 FortiGate systems worldwide, exploiting a previous vulnerability, CVE-2022-42475, to gain unauthorised access to critical networks of Western governments, international organisations, and defence firms.

The Dutch National Cyber Security Center (NCSC), in collaboration with the Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD), unveiled the campaign in February.

Investigations revealed that this Chinese cyber operation is far more extensive than researchers and security agencies initially thought. The initial report was only the tip of the iceberg. Further research conducted by MIVD has uncovered that this cyber espionage campaign has compromised at least 20,000 FortiGate systems worldwide over the past two years.

“Since its publication in February, MIVD has further investigated the broader Chinese cyber espionage campaign. This has shown that the state actor obtained access to at least 20,000 FortiGate systems worldwide in both 2022 and 2023 within a few months through the vulnerability with the characteristic CVE-2022-42475,” said Dutch authorities.

Exploiting the CVE-2022-42475 vulnerability, the state actor behind the attack managed to infiltrate these systems within mere months. Notably, researchers also found that the attackers knew about this vulnerability a full two months before Fortinet publicly disclosed it, allowing them to infect 14,000 devices during this critical zero-day window.

Illustration: Supimol Kumying | Shutterstock
As of now, the full scale of the Coathanger attack campaign is unknown. | Illustration: Supimol Kumying | Shutterstock

“During this so-called ‘ zero-day ’ period, the actor infected 14,000 devices alone. Targets include dozens of ( Western ) governments, international organizations and many companies within the defence industry,” the MIVD said.

The attackers implanted persistent malware on systems to ensure ongoing access even after applying security patches.

The sophisticated nature of the malware enables it to maintain a foothold in compromised systems, posing a persistent threat. Dutch intelligence agencies and the NCSC suggest that the state actor likely still has access to a significant number of infected systems, with the potential to escalate their activities, including data theft.

The full scope of the impact remains uncertain, but it is plausible that hundreds of victims globally could be affected. The campaign highlights a broader trend of exploiting vulnerabilities in publicly accessible edge devices, such as firewalls, VPN servers, routers, and email servers. These devices, positioned at the network perimeter with direct internet connections, are prime targets for cyber attackers.

Compounding this risk, edge devices often lack support from Endpoint Detection and Response (EDR) solutions, making them more vulnerable to sophisticated attacks.

In the News: Elon Musk drops lawsuit against OpenAI and Sam Altman

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: