The thought of espionage usually conjures quirky high-end gadgets, like umbrellas that turn into lasers and x-ray glasses, misty morning clandestine meetings, or high-speed boat chases in exotic locations and elaborate disguises. Today, the reality might be much less sexy — but way more effective.
State-sponsored hackers have 9-to-5 jobs, just like the rest of us. They have offices, vacations, and chit chats in the coffee room. But from behind their computers, they're running campaigns to infiltrate systems across the world capturing sensitive data from governments, companies, critical infrastructure, or even individuals who could have access to this data.
“We know that China, for example, has a cyberarmy with tens of thousands of people and they're hacking the world every day in a really structured way with managers, teams, and daily stand-ups,” says Dutch cyber security expert Willem Zeeman. “Everything is professional.”
In 2023, while conducting an incident response investigation, the Dutch Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) noticed something unusual on a Ministry of Defence network. What they uncovered was a Remote Access Trojan (RAT) built specifically for Fortinet FortiGate devices.
What makes this ‘under the radar' piece of malware interesting is that it was not designed to gain initial access but to keep it: it stays active and persistent on the device even after reboots and firmware updates. The practical consequence is that patching the underlying vulnerability does not evict an attacker who is already in; a compromised device has to be investigated and cleaned, not just updated.
What they eventually uncovered was a Chinese cyber espionage campaign that had been active inside the network for some months during 2023. The resulting report, released in February 2024, was the first time the Dutch government had publicly attributed state-sponsored hacking to Beijing.
After further investigation, a follow-up report in June 2024 revealed that the campaign, codenamed COATHANGER, had been far more widespread than initially thought. Within a few months across 2022 and 2023, the actor gained access to over 20,000 FortiGate units worldwide.
Around 14,000 of those devices were compromised during the “zero-day period”: the window in which the FortiOS vulnerability being exploited (CVE-2022-42475) was not yet publicly known, so defenders had no patch to apply. Targets included dozens of Western governments, diplomatic institutions and companies in the defence industry.
As governments across the globe scramble to find and evict the intruders, the question in the back of everyone's mind is: how much data, and what kind, was taken while the attackers had free rein inside networks holding sensitive information?
Despite its potentially wide impact, news coverage of the attack has been slim. While the media report widely on ransomware attacks, cyber espionage is simply not considered a hot topic, for a number of reasons. Zeeman's concern is that this lack of awareness and oversight could have damaging consequences on a global level.
While ransomware makes the headlines, cyber espionage remains in the shadows
Companies that have fallen victim to ransomware suffer not only a direct hit to their bottom line (from ransom payments and downtime) but also damage to their reputation, as clients and users lose trust in the organisation.
In a way, ransomware has helped push cybersecurity up on the priority list for companies, Zeeman believes. “What you see is that people started investing in cybersecurity because they're afraid of ransomware. But there's also another trend which is way more advanced.”
Today anyone can be a hacker with a few standard tools downloaded off the internet, and many rely on quick and dirty tactics. State actors, on the other hand, have a far higher level of expertise and at times effectively unlimited resources behind them. They write their own tooling and even practise anti-forensics, all to avoid detection.
In stark contrast to ransomware attackers, who aim for maximum disruption, state actors go to great lengths to keep the victim's systems running. “There have been numerous instances where the attacker took steps to ensure the system kept running smoothly,” Zeeman notes. “They made necessary amendments to prevent detection or system failure, rather than allowing errors or bugs to trigger a response that could expose their presence.”
This means that once they're in, they're in for the long haul. In the cyber espionage cases he has investigated, Zeeman and his team often found that these actors had been embedded in systems for months or even years, quietly exfiltrating trade secrets and other intellectual property.
The Netherlands' booming chip industry brings it into the spotlight
Dutch intelligence called the COATHANGER campaign “part of a trend of Chinese political espionage against the Netherlands and its allies.”
In recent years, the Netherlands has found itself a small country among giants. As the home of semiconductor equipment maker ASML and chipmaker NXP, it has been drawn into the chip war between the US and China, with Washington pressuring it to block sales of advanced lithography machines to China, as well as servicing of machines already delivered.
Earlier this year it was reported that ASML could remotely disable its most advanced machines in Taiwan should China invade, pulling the company into the middle of a geopolitical standoff: a David between two Goliaths.
If its critical semiconductor industry isn't safeguarded against cyber espionage, the Netherlands could lose not only its intellectual property (IP) but also its political sway.
Yet in early 2020, an investigation into suspicious activity revealed that the Chinese hacker group “Chimera” had had access to NXP's systems since late 2017. Over the roughly two years that the attackers had access to its servers, their focus was on obtaining chip designs and on mailboxes containing large amounts of sensitive information.
While it's hard to know how much information was ultimately obtained, the fact remains that continuing attacks like this could deal a major blow to both the Netherlands and Europe.
Protecting against cyber espionage: Regulation could be key
Right now the main focus for cyber espionage actors is edge devices (as in the COATHANGER campaign) and remote-work tools, particularly SSL VPN appliances. These devices sit on the network perimeter, are exposed to the internet by design and typically cannot run the endpoint detection tooling that protects ordinary workstations. But because these actors have effectively unlimited resources, they will keep coming, finding new vulnerabilities as the known ones get patched.
But guarding against cyber espionage is costly. “The only way to know you've been breached is to periodically check for it,” Zeeman says. In his view, this means compromise assessments should be undertaken every one to five years, depending on the sensitivity of the organisation's data.
“The government should play more of a role in guiding and pushing organisations to conduct investigations if their threat landscape entails being a target of these advanced attacks,” Zeeman adds, stating that because of the costs involved, companies won't do it of their own accord. “It's already mandatory for companies to have some decent cybersecurity implemented with NIS2 coming, and the board is held accountable for that, but regular checks aren't mandatory.”
This is essential to protect critical infrastructure, like water systems, banking, hospitals, ports, etc. but also key industries. As the Netherlands pours more money into subsidies and incentives to keep its chip giants in the country, it should also ensure these entities are keeping IP properly safeguarded from prying eyes.
Another problem is that these cases are often kept quiet by companies that do not want it known that they were hacked. The companies Zeeman has worked with usually have an NDA in place, so if a cybersecurity team discovers a case of cyber espionage, it can only share that with external parties, such as the Dutch security services, if the company allows it. This means information often isn't shared, even when the team discovers that the actors have used their foothold to infiltrate other organisations' systems.
When asked whether it should also be mandatory to share this kind of information with the authorities, Zeeman hesitates. In his view, this might create too much backlash. But putting a standardised system of checks in place for the companies and industries the country values most is key.
Why Europe should be worried
Leaks could be critical not just for the Netherlands but for the wider EU market, as the bloc looks to open a case against China over the subsidisation of car chips. Europe is home to three of the five largest producers of automotive chips: NXP, Infineon and STMicroelectronics. If the EU wants to stay in the lead as a producer of legacy automotive semiconductors, it will need to protect the IP of its chip giants.
Aside from its dominance in the chip field, the Netherlands is a critical physical and digital crossroads between Europe and the rest of the world.
The port of Rotterdam is Europe's largest maritime hub, making it critical for supply chains in and out of the continent. In early 2022, a ransomware attack attributed to the ransomware-as-a-service group BlackCat (ALPHV) hit 17 oil terminals across Belgium, Germany and the Netherlands, including terminals in the Port of Rotterdam, disrupting loading and unloading and forcing tankers to be re-routed in the middle of winter.
In 2023, the pro-Russian hacktivist group NoName057(16) knocked the websites of the port and of several other Dutch ports offline with DDoS attacks, in response to the government's decision to deliver 8 Leopard 1 tanks to Ukraine. While neither attack was carried out by a state-run group, both show how the port's vulnerability could be abused maliciously.
What's more, state actors also use the Netherlands for its high-quality digital networks and infrastructure. According to the government's 2022 Cyber Security Assessment Netherlands, Dutch servers have been used in a number of international cyber attacks. In such cases, the Netherlands is “serving as a springboard for state-sponsored attacks that could harm third-party countries, possibly including allies.”
COATHANGER was named for a string in the malware that quotes a line from Roald Dahl's short story Lamb to the Slaughter (“She took his coat and hung it up”), in which a wife hangs up her husband's coat before murdering him with a frozen leg of lamb. Playing the grieving widow, she evades detection by serving the murder weapon to the police.
The question is, will the Netherlands use its emerging strategic importance as leverage to assert pressure on the international stage or will its vulnerability to cyber espionage make it a frozen leg of lamb for its allies and the EU?