The Netherlands’s two major intelligence services announced this week that China conducted a 2023 cyber intrusion into that nation’s Defense Ministry. The intrusion centered on exploiting a security flaw in the Fortinet company’s FortiGate security system and then introducing a persistent backdoor channel into a Dutch military unit that was using FortiGate. Fortunately, the military unit in question was limited in size and working on unclassified operations.
Still, the AIVD civilian intelligence service and its MIVD military intelligence service declared that “MIVD & AIVD assess with high confidence that the intrusion at the [Defense Ministry], as well as the development of the malware described in this report, was conducted by a state-sponsored actor from the People’s Republic of China. MIVD & AIVD emphasize that this incident does not stand on its own, but is part of a wider trend of Chinese political espionage against the Netherlands and its allies.”
The Dutch government has previously complained about Chinese espionage campaigns. But underlining its growing dissatisfaction in that regard, Defense Minister Kajsa Ollongren declared that “For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China.”
The Netherlands has labeled the malware involved as “COATHANGER.” It observes that “the COATHANGER implant is persistent, recovering after every reboot by injecting a backup of itself in the process responsible for rebooting the system.” The Dutch note that this “COATHANGER” name was chosen because of the language the “malware uses to encrypt the configuration on disk: ‘She took his coat and hung it up.'” This is a line from Roald Dahl’s short story, “Lamb to the Slaughter.” The use of that line shows nuance, perhaps even suggesting that one of COATHANGER’s developers was educated in the United Kingdom.
After all, “Lamb to the Slaughter” is a very British satire entailing a housewife, Mary Maloney, who murders her police officer husband with a “big frozen leg of lamb.” Feigning innocence when her husband’s colleagues come to investigate, she then feeds them the lamb murder weapon for dinner. As they eat, the police officers discuss where the murder weapon might be. One officer posits, “Personally, I think it’s right here on the premises.” Another responds, “Probably right under our very noses. What do you think, Jack?” Then comes the story’s concluding line: “And in the other room, Mary Maloney began to giggle.”
As with Mary Maloney’s lamb leg, China’s COATHANGER weapon is supposed to exist right under the Dutch noses, even as system reboots/updates occur. The problem for Chinese Communist Party Chairman Xi Jinping is that COATHANGER’s operators (likely from the Ministry of State Security or, less likely, the People’s Liberation Army) were too arrogant. The Dutch caught them and called them out. It’s very bad timing for Beijing, which is attempting to persuade the Dutch government to resist U.S. pressure for restrictions on exports of the Dutch ASML firm’s highly advanced semiconductor chips to China. The well-grounded U.S. rationale for those restrictions is that ASML chips are being used by China to strengthen its military capabilities in advance of a likely war with the U.S. and/or Taiwan.
With COATHANGER reminding the Dutch people that China is no reliable friend, Beijing’s “keep letting ASML sell us its best chips” narrative may now carry less weight. Nor does Beijing know how to respond to the Dutch announcement. Indeed, China’s Embassy to the Netherlands released a statement channeling central foreign affairs commission chief Wang Yi at his oft-absurd righteous indignation best.
CLICK HERE TO READ MORE FROM THE WASHINGTON EXAMINER
The statement claimed that “China always firmly opposes and cracks down on cyber attacks in all forms in accordance with the law. We will not allow any country or individual using Chinese infrastructure to engage in such illegal activities. … China opposes any malicious speculations and groundless accusations. We jointly safeguard cyber security through dialogue and cooperation.” Foreign ministry spokesman Wang Wenbin followed up on this narrative on Wednesday, claiming that “We oppose any groundless smears and accusations against China. … We keep a firm stance against all forms of cyber attacks and resort to lawful methods in tackling them. China does not encourage, support or condone attacks launched by hackers.”
This is laughable stuff.
The top-line fact, one well-understood even by China’s friends, is that China is the most voracious and scaled cyber actor on the planet. In turn, Beijing’s denial of basic reality won’t pass the smell test for all but its most delusional Chinese communist sympathizers in the Netherlands. Beijing would have done far better to stay quiet on this matter. Instead, it has reinforced COATHANGER’s key lesson: that for all its “win-win cooperation” rhetoric, the Chinese Communist Party only and oft-capriciously serves itself.
Disclosure: The author owns a limited number of stocks in ASML.
