How the Netherlands became a target of cyber espionage – and why Europe must be fearful

When you think of espionage, you usually think of fancy high-end devices like umbrellas that turn into lasers and X-ray machines, secret meetings in the fog or high-speed boat chases in exotic locations and elaborate disguises. Today, the reality may be far less sexy – but all the more effective.

State-sponsored hackers have a 9-to-5 job, just like the rest of us. They have offices, vacations, and coffee-shop chats. But from their computers, they run campaigns to infiltrate systems around the world and capture sensitive data from governments, companies, critical infrastructure, or even individuals who might have access to that data.

“We know, for example, that China has a cyber army of tens of thousands of people and hacks the world every day in a really structured way with managers, teams and daily stand-ups,” says Dutch cybersecurity expert Willem Zeeman. “Everything is professional.”

In early 2024, the Dutch military and general intelligence agencies noticed something unusual on government servers while investigating an incident. They discovered a Remote Access Trojan (RAT) malware designed for FortiGate devices.


What’s interesting is that this “under-the-radar” malware was not designed to gain access to systems, but rather to maintain access by remaining active and persistent on devices even after reboots and updates.

What they eventually uncovered was a Chinese cyber espionage campaign active in national systems for several months in 2023. The resulting report, published in February 2024, was the first time the Dutch government publicly attributed state-sponsored hacking attacks to Beijing.

After further investigation, a new report in June revealed that the campaign, codenamed COATHANGER, was much more widespread than initially thought, reaching over 20,000 devices worldwide within a few months in 2022 and 2023.

During this “zero-day period,” 14,000 devices were compromised. Targets included dozens of Western governments, diplomatic institutions, and defense companies.

As governments around the world scramble to detect and stop the infiltration, the question that remains on everyone's minds is: how much and what type of data was actually compromised as hackers snooped on confidential information?

Despite the potentially far-reaching impact, the attack was sparsely reported on. While the media has covered ransomware attacks extensively, cyber espionage is simply not considered a hot topic for a number of reasons. Zeeman fears this lack of awareness and control could have damaging consequences on a global scale.

While ransomware makes headlines, cyber espionage remains in the dark

Companies that fall victim to ransomware not only suffer a direct impact on their bottom line (due to payouts), but also on their reputation as customers and users lose trust in the company.

In some ways, ransomware has helped push cybersecurity up the priority list of companies, Zeeman believes. “You see that people have started investing in cybersecurity because they are afraid of ransomware. But there is also another trend that is much more advanced.”

Today, anyone can become a hacker with a few standard tools downloaded from the Internet, and many use quick and easy tactics. State actors, on the other hand, have a higher level of expertise and can sometimes support their activities with unlimited resources. They create their own programs and even perform anti-forensics to avoid detection.

Unlike ransomware attackers who aim to cause maximum disruption, state actors go to great lengths to keep operations running. “There have been numerous cases where the attacker has taken steps to ensure the system continues to run smoothly,” Zeeman notes. “They have made the necessary changes to prevent detection or system failure, rather than allowing errors or bugs to trigger a response that could reveal their presence.”

That means once they're in, they're in it for the long haul. In the cyber espionage cases they investigated, Zeeman and his team often found that these actors had been inside systems for months or even years, giving them access to trade secrets, intellectual property, and more.

The Netherlands' booming chip industry moves into the spotlight

Dutch intelligence described the COATHANGER campaign as “part of a trend of Chinese political espionage against the Netherlands and its allies.”

In recent years, the Netherlands has proven itself to be a small country among giants. Home to semiconductor machine maker ASML and chipmaker NXP, the country is embroiled in a chip war between the US and China, with the former putting pressure on the country to block the sale of sophisticated machinery as well as the repair of existing machines.

At the beginning of the year, ASML announced that it could remotely shut down its machines stationed in Taiwan in the event of a Chinese invasion. This put the company in a geopolitical stalemate. A David between two Goliaths.

If the semiconductor industry, which is so important to the country, is not protected from cyber espionage, the Netherlands could lose not only its intellectual property but also its political influence.

However, in early 2020, an investigation into suspicious activity revealed that the Chinese hacker group “Chimera” had access to NXP’s systems since late 2017. During the two-year period in which the hackers had access to the servers, they focused on obtaining chip designs and hacking mailboxes containing large amounts of confidential information.

While it is difficult to say how much information was ultimately obtained, the fact remains that continued attacks of this kind could deal a serious blow to both the Netherlands and Europe.

Protection against cyber espionage: regulation could be the key

At the moment, the main focus of cyber espionage actors is on edge devices (as in the COATHANGER campaign) and remote work tools, especially SSL VPN solutions. However, since these actors have unlimited resources, they will keep coming back and finding new vulnerabilities as existing ones are discovered.

But protecting against cyber espionage is expensive. “The only way to detect an attack is to check regularly,” says Zeeman. This means that a risk assessment should be carried out every one to five years, depending on the sensitivity of a company or organization's data.

“The government should play a bigger role in guiding and urging organisations to conduct investigations when their threat landscape is the target of these sophisticated attacks,” Zeeman adds, stating that companies will not do this on their own due to the costs involved. “With the introduction of NIS2, it is already mandatory for companies to implement adequate cybersecurity and the board is held accountable for this, but regular checks are not mandatory.”

This is essential to protect critical infrastructure such as water systems, banks, hospitals, ports, etc., but also key industries. As the Netherlands pours more and more money into subsidies and incentives to keep its chip giants in the country, it should also ensure that these companies protect their intellectual property from prying eyes.

Another problem is that these cases are often kept secret by companies that do not want it known that they were hacked. Usually, the companies Zeeman has worked with have a non-disclosure agreement in place, so if a cybersecurity team discovers a case of cyber espionage, they can only share it with external bodies, such as the Dutch Security Service, if the company allows it. This means that information often goes undisclosed – even if the team discovers that the cyber actors have gone on to infiltrate further external systems.

When asked whether it should also be mandatory to share such information with the authorities, Zeeman hesitates. In his view, this could generate too much backlash. But introducing a standardised control system for the companies and sectors that are most important to the country is really crucial.

Why Europe should be concerned

The leaks could be crucial not only for the Netherlands but also for the entire EU market, as the Union plans to launch proceedings against China for subsidising automotive chips. Three of the five largest manufacturers are based in Europe: NXP, Infineon and STMicroelectronics. If the EU wants to remain a leader as a manufacturer of semiconductors for the automotive industry, it must protect the intellectual property of its chip giants.

Aside from its dominance in the chip space, the Netherlands is a crucial physical and digital hub between Europe and the rest of the world.

The Port of Rotterdam is Europe's largest maritime hub, making it crucial for supply chains within and outside the continent. In January 2022, the ransomware-as-a-service hacker group Blackcat attacked 17 ports and oil terminals, including the Port of Rotterdam. The attack resulted in oil tankers being diverted and loading and unloading operations being disrupted in the middle of winter.

Last year, the Serbian-Russian hacktivist group NoName057(16) took down the websites of the port and several others in the Netherlands in response to the government's decision to supply 8 Leopard 1 tanks to Ukraine. Although these attacks were not carried out by state-run groups, both are examples of how the port's vulnerability could be maliciously abused.

In addition, state actors are also targeting the Netherlands' high-quality digital networks and infrastructure. According to a 2022 government threat assessment, Dutch servers have been used in a number of international cyberattacks. In such cases, the Netherlands “serves as a springboard for state-sponsored attacks that could harm third countries, possibly allies.”

COATHANGER was named after a snippet of code in the malware that contained a line from Roald Dahl's short story Lamb to the Slaughter, in which a woman hangs up her husband's coat before murdering him with a frozen leg of lamb. Playing the role of the grieving widow, she evades detection by handing the murder weapon to the police.

The question is: will the Netherlands use its growing strategic importance to exert pressure on the international stage, or will its vulnerability to cyber espionage make it a frozen leg of lamb for its allies and the EU?
