Chinese state-backed cyber spies gained access to a Dutch military network last year, intelligence agencies said on Tuesday, adding some of its leading companies such as chipmaking equipment maker ASML have also been targeted.
It is the first time the Netherlands has publicly attributed cyber espionage to China, as national security tensions grow between the two countries after The Hague signed up to Washington’s tech export curbs last year.
“It is important to ensure that espionage activities of this nature committed by China become public knowledge since this will help to increase international resilience to this type of cyber espionage,” Dutch Defence Minister Kajsa Ollongren said.
The agencies, known by their Dutch acronyms MIVD and AIVD, said the hackers had placed malicious software, or malware, that cloaked its own activity inside an armed forces network used by 50 people for unclassified research.
“MIVD & AIVD emphasise that this incident does not stand on its own, but is part of a wider trend of Chinese political espionage against the Netherlands and its allies,” they said in their report.
China’s embassy to the Netherlands did not immediately respond to a request for comment. Beijing routinely denies allegations of cyber espionage and says it opposes all forms of cyberattack.
Last April, AIVD said in an annual assessment that China posed the greatest threat to the Netherlands’ economic security with espionage attempts targeting high-tech companies and universities.
A prime target is ASML, based in the southern city of Veldhoven – the world’s dominant supplier of lithography machines for making computer chips.
In a separate report, also last April, the MIVD said China was illegally attempting to acquire Dutch space technology.
It was not clear from Tuesday’s report what information the hackers were trying to obtain. The agencies said the damage was limited because the network was separate from the ministry’s main system.
Last month, Reuters exclusively reported that the U.S. government had launched an operation to fight a pervasive Chinese hacking operation, dubbed “Volt Typhoon”, that compromised thousands of internet-connected devices.
It was not clear from the report if the activity revealed by the MIVD and AIVD was connected.
The malware, known as Coathanger, appeared able to conceal its own presence, at least for a time.
The agencies named it after a snippet of code that contained a line from ‘Lamb to the Slaughter’, a short story by British author Roald Dahl.
That line, “She took his coat and hung it up”, describes the moments before a wife murders her unsuspecting husband with a frozen leg of lamb.
“Coathanger” remains on a device even after an update or reboot, and deletes itself from virus scan results.
The report assessed with “high confidence” that both the hacking and the malware were the work of “a state-sponsored actor” from China.
It said the implant had also been found on the network of a Western international mission as well as a handful of others, adding: “The malware has been developed specifically for FortiGate devices, which are used by organisations as a firewall to protect their systems.”
Fortinet, the maker of the firewall, which is used worldwide, did not immediately respond to a request for comment.
- Reuters with additional editing by Sean O’Meara