Published July 20, 2024 on Great Game India (all rights belong to Great Game India). Up until the Asia summit President Trump had last week, everything here is relevant. We are keeping our eye on China for any surprises, good or bad.
Chinese hackers have secretly accessed U.S. and allied systems for years, aiming to disrupt critical infrastructure like power grids and communication networks, according to a Biden administration official.
This ongoing cyber campaign, revealed by the National Security Council, is part of China’s broader strategy to undermine global systems and gain a strategic edge.
Despite recent efforts to remove the malware from government systems, the threat remains, as Chinese state-backed hackers continue to target vital infrastructure worldwide, preparing for potential sabotage in case of a major conflict.
Israel Soong, Director of East Asia and Pacific Cyber Strategy at the National Security Council, said the cyber campaign looks to be part of a larger effort by the Chinese Communist Party (CCP) to plan assaults on key infrastructure, reports Andrew Thornebrooke from The Epoch Times [archive].
During a July 16 address at the conservative think tank Hudson Institute, Mr. Soong stated that China planned to utilize its cyber access to “cripple” essential infrastructure, such as power grids and communications platforms, in the event of a conflict.
According to Mr. Soong’s remarks, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed a malicious cyber effort in February (2024). Hackers with support from the CCP were allegedly “seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure,” according to a CISA statement at the time.
Congress was informed in February (2024) by intelligence chiefs that while the malware was eliminated from 600 government systems after the intrusion was discovered in December 2023, the threat remained in other infrastructure systems operated by private enterprises.
Many were unaware, according to Mr. Soong, that comparable initiatives had been directed toward many countries worldwide.
“What is public but is less well known is that the PRC has been doing the same pre-positioning to many other countries around the globe, including some who are our allies,” Mr. Soong said, using the acronym for the People’s Republic of China.
For years on end, he claimed, the Chinese government could “persistently and aggressively maintain this cyber access.”
According to Mr. Soong, the CCP made significant investments in cyber capabilities as part of a national policy to “actively and intentionally dominate these areas in a strategic way.”
To better align the goals of the Chinese Communist Party with the US-led world order, he stated,
“Beijing sees cyber and emerging technology as critical to the strategy.”
Although the CCP’s preparations for critical infrastructure sabotage are concerning, Mr. Soong stated that they are unlikely to be used as leverage unless there is a significant confrontation between China and the US.
This is because an attack on US infrastructure that claims American lives would be regarded as an outright attack, he said.
The remarks come after multiple reports earlier this year from Dutch intelligence agencies revealing that over 20,000 systems across numerous Western governments, international organizations, and defense industry companies had been compromised by state-sponsored hackers in China.
According to a Dutch statement, the COATHANGER campaign gave Chinese hackers “… permanent access” to important systems. Additionally, last month Dutch intelligence verified that “it is likely that the state actor still has access to systems of a significant number of victims at the moment.”
Thus, the hackers are still able to gain unauthorized access to important Western government institutions.
As of right now, it’s unclear if COATHANGER was created exclusively for espionage or as a component of the larger CCP initiative to get vital systems in other countries ready for disruption.

Director of National Intelligence Avril Haines stated in a May speech to Congress that the majority of cyberattacks launched by China against the United States target industrial control systems, health care systems, defense, energy, transportation, and supplies of food and water.
The vast cybercrime apparatus of the Chinese state has been difficult for the governments of the United States and its allies to successfully combat, in part due to a far smaller pool of highly employable cybersecurity experts.
The CCP was “… sparing no expense in its attempt to hack, lie, cheat, and steal its way to the top as a global superpower,” according to testimony given by FBI Director Christopher Wray in April.
He claimed that Chinese state-sponsored hackers “outnumber FBI cyber personnel at least 50 to 1.”
Last month, GreatGameInternational reported that the Dutch National Cyber Security Center revealed that the COATHANGER cyber campaign, linked to China [archive], breached 20,000 defense and government systems across Western countries.

UPDATE on COATHANGER (via Grok):
"COATHANGER" refers to a sophisticated remote access trojan (RAT) malware deployed by state-sponsored Chinese hackers in a widespread cyber espionage operation.
The malware targets Fortinet's FortiGate firewalls and network security appliances, allowing persistent access even after reboots or security updates.
Dutch intelligence agencies (MIVD and NCSC) first publicly attributed the attacks to China in early 2024, describing it as a stealthy backdoor that hooks system calls to evade detection and deletes traces from virus scans.
The campaign exploited a known vulnerability (CVE-2022-42475) in FortiOS SSL-VPN, a critical flaw enabling remote code execution.
This operation is part of broader Chinese state-backed cyber activities, but COATHANGER stands out for its focus on critical infrastructure and defense sectors.
It's distinct from other Chinese-linked malware like BOLDMOVE or THINCRUST, though it shares tactics like exploiting Fortinet zero-days.
TIMELINE OF KEY EVENTS (Date / Event)
OCTOBER 2022 / Hackers begin exploiting CVE-2022-42475 as a zero-day against global targets, including European governments and African MSPs.
EARLY 2023 / Breach of Dutch Ministry of Defence (MOD) network: Attackers infect a research network used by 50 personnel, exfiltrate Active Directory user lists, and conduct reconnaissance.
FEBRUARY 2024 / Dutch agencies (MIVD, AIVD, NCSC) publicly disclose the intrusion, naming the malware "COATHANGER" and attributing it to China with "high confidence." They release a technical report to expose tactics and boost international defenses.
APRIL-JUNE 2024 / Investigations reveal the campaign's scale: At least 20,000 FortiGate devices infected worldwide, including governments, international organizations, defense firms, service providers, consultancies, and critical infrastructure. Infections occurred in a two-month window before Fortinet's patch.
NOVEMBER 2025 (ongoing context) / U.S. DOJ unseals indictments against seven APT31 hackers for related 14-year campaigns targeting critics and U.S. entities, highlighting China's use of contractors for espionage. Separate charges against 12 Chinese contractors (March 2025) and an arrest (July 2025) underscore the network's scope.
TARGETS AND IMPACT
Primary Focus:
Dutch military and defense networks initially, but expanded globally to include:
- Governments and international bodies
- Defense and manufacturing companies
- Telecom/service providers and consultancies
- Critical infrastructure sectors
Scale:
More than 20,000 compromised FortiGate systems, with potential "permanent access" post-patch due to COATHANGER's persistence.
Goals:
Cyber espionage—stealing user data, mapping networks, and enabling further intrusions. No ransomware or disruption reported; it's purely intelligence-gathering.
Broader Chinese Context:
This fits into campaigns like APT31 (targeting dissidents and elections) and HAFNIUM (Microsoft Exchange hacks). China uses private contractors (e.g., Anxun Information Technology) to obscure state involvement, casting a "wide net" for exploitable data to sell back to the government.
HOW COATHANGER WORKS
Initial Access:
Exploits vulnerabilities like CVE-2022-42475 to inject code via FortiGate's SSL-VPN.
Deployment:
Downloads from actor-controlled servers; acts as a backdoor for remote commands.
Persistence:
Injects a backup of itself into the reboot process, so it survives reboots and firmware updates, and hides from CLI scans and logs.
Stealth:
Hooks system calls to block detection; self-deletes from scans.
Capabilities:
Reconnaissance, data exfiltration, and lateral movement. Could pair with future FortiGate flaws.
Experts note that COATHANGER's design makes it "conceivably" reusable beyond the initial vulnerability, and urge immediate patching and monitoring.
ATTRIBUTION AND RESPONSES
Attribution:
High-confidence link to PRC state actors by Dutch agencies, based on malware code, infrastructure, and tactics. No specific group named (e.g., not UNC3886), but aligns with Ministry of State Security (MSS) operations.
Official Reactions:
- Dutch Defense Minister Kajsa Ollongren: Emphasized public disclosure to deter China and build resilience.
- U.S. DOJ/FBI: Indictments and rewards (up to $2M) for related hackers, targeting the contractor ecosystem.
- Fortinet: Released patches; urged scanning for indicators of compromise.
Recommendations:
Organizations using FortiGate should apply updates, monitor for anomalous traffic to Chinese IPs, and use EDR tools. Global alerts from CISA/NCSC highlight risks to high-value targets.
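Two of the recommendations above (apply updates; monitor for anomalous traffic) and the "Deployment" point (the implant downloads from actor-controlled servers) can be turned into concrete checks. The script below is an added example written for this page; it is not code from the article, from Grok, or from the MIVD/NCSC report. It assumes FortiGate's key=value syslog format for traffic logs, and it does not contain the patched FortiOS versions for CVE-2022-42475: those must be taken from Fortinet's own advisory and passed in as the floor. The appliance address, the allowlist of expected update servers, the internal range and every log line are constructed sample values.

```python
"""Added example, not part of the original article or of the MIVD/NCSC report:
two defender-side checks that follow from the COATHANGER write-up.

  1. is_patched(): compare a running FortiOS firmware string against the
     patched floor for its release branch. The floor value is an input;
     take it from Fortinet's advisory for CVE-2022-42475.
  2. flag_appliance_egress(): FortiGate traffic logs are key=value syslog
     lines. Sessions that originate from the appliance's own addresses and
     leave for a destination that is neither internal nor on an allowlist
     of expected services (firmware/licence/update servers) are flagged,
     because an implant on the appliance has to reach its operators somehow.

All sample log lines, addresses and ranges below are constructed.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# key=value pairs; values may be double-quoted (and then may contain spaces)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate-style key=value log line into a dict."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def parse_version(v: str) -> Tuple[int, ...]:
    """'v7.0.8' or '7.0.8' -> (7, 0, 8)."""
    return tuple(int(part) for part in v.strip().lstrip("v").split("."))


def is_patched(running: str, patched_floor: str) -> bool:
    """True if `running` is at or above `patched_floor` on the same
    major.minor branch. A branch mismatch raises instead of silently
    comparing, e.g. 6.4.x against a 7.0.x floor."""
    r, f = parse_version(running), parse_version(patched_floor)
    if r[:2] != f[:2]:
        raise ValueError(f"branch mismatch: {running} vs floor {patched_floor}")
    return r >= f


def flag_appliance_egress(
    lines: Iterable[str],
    appliance_ips: Iterable[str],
    allowed_dst: Iterable[str],
    internal_nets: Iterable[str],
) -> List[Tuple[str, str, str, str]]:
    """Return (time, dstip, dstport, subtype) for traffic records whose
    source is one of the appliance's own IPs and whose destination lies
    outside both the internal ranges and the allowlist."""
    appliance = {ipaddress.ip_address(a) for a in appliance_ips}
    allowed = [ipaddress.ip_network(n) for n in allowed_dst]
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    findings: List[Tuple[str, str, str, str]] = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") != "traffic":
            continue  # event/utm records carry no session endpoints
        try:
            src = ipaddress.ip_address(rec["srcip"])
            dst = ipaddress.ip_address(rec["dstip"])
        except (KeyError, ValueError):
            continue  # malformed or truncated record: skip, don't crash
        if src not in appliance:
            continue  # forwarded user traffic, not appliance-originated
        if any(dst in net for net in internal) or any(dst in net for net in allowed):
            continue
        findings.append((rec.get("time", ""), str(dst),
                         rec.get("dstport", ""), rec.get("subtype", "")))
    return findings


# Constructed sample: the appliance is 203.0.113.10; 203.0.113.48/28 stands
# in for the vendor's update servers; 10.0.0.0/8 is the internal estate.
SAMPLE_LOGS = [
    'date=2024-02-06 time=10:15:01 devname="FGT-EDGE" type="traffic" subtype="local" '
    'srcip=203.0.113.10 dstip=203.0.113.50 dstport=443 action="accept"',   # allowlisted
    'date=2024-02-06 time=10:15:07 devname="FGT-EDGE" type="traffic" subtype="forward" '
    'srcip=10.0.0.25 dstip=198.51.100.7 dstport=443 action="accept"',      # user traffic
    'date=2024-02-06 time=10:16:12 devname="FGT-EDGE" type="traffic" subtype="local" '
    'srcip=203.0.113.10 dstip=198.51.100.7 dstport=8443 action="accept"',  # flagged
    'date=2024-02-06 time=10:16:40 devname="FGT-EDGE" type="traffic" subtype="local" '
    'srcip=203.0.113.10 dstip=10.0.0.53 dstport=53 action="accept"',       # internal DNS
    'date=2024-02-06 time=10:17:02 devname="FGT-EDGE" type="event" subtype="system" '
    'logdesc="Admin login" user="admin"',                                   # no endpoints
]

if __name__ == "__main__":
    # "7.0.9" here is only a demonstration floor, not the real advisory value
    print("7.0.8 at/above floor 7.0.9?", is_patched("7.0.8", "7.0.9"))
    for hit in flag_appliance_egress(SAMPLE_LOGS, ["203.0.113.10"],
                                     ["203.0.113.48/28"], ["10.0.0.0/8"]):
        print("appliance egress outside allowlist:", hit)
```

The egress check deliberately keys on the source address rather than on a destination country: an implant that survives patching still has to fetch tooling or report back, and the appliance itself normally talks only to a short, knowable list of services, so anything else it initiates is worth a look regardless of where it goes. The version check refuses to compare across branches, which is the usual way a "we're patched" claim turns out to be wrong.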
This campaign exemplifies escalating PRC cyber threats, with no signs of abatement as of November 2025. For technical details, refer to the MIVD's report.