China spied on Dutch Cyber Intelligence through FortiGate backdoors (defensie.nl)
104 points by bouke on Feb 6, 2024 | 26 comments


Firefox Translations of it says it was a known vulnerability:

> The malware found installed a ‘backdoor’ by using a known vulnerability in FortiGate devices. The publication of the MIVD therefore does not describe any new vulnerability in all FortiGate devices.

I could believe factory backdoors in Fortinet products, including bugdoors, but it's even easier to believe commonplace unintended software defects.

Edit: This comment was a response to the HN title "China spied on Dutch Cyber Intelligence through FortiGate backdoors (defensie.nl)". I thought people will tend to interpret "FortiGate backdoor" as meaning an intentional backdoor by the vendor/factory, when that's not what the article seemed to suggest.


> it's even easier to believe commonplace unintended software defects

Note the fact that this was actively exploited by the Chinese. That sort of reduces the chance of this being an accident, especially since they've done this before.


Why would Chinese intelligence (or any intelligence agency) care if the vulnerability is an accident or intentional? I imagine they prefer the former, because it reveals less about their techniques, methods, etc.


Also, a proven intentional security vulnerability in Fortinet products would be bigger news, for multiple reasons, and make a lot of urgent work and disruption for a lot of people.

Occasionally, a proven intentional vulnerability will happen, so we want to be careful not to cry wolf other times.


Commonplace unintended software defects seem to be the overwhelming source of known vulnerabilities. Which I imagine are in everyone's toolkit to exploit.

It's reasonable to be cautious about Fortinet in general, but I don't think the fact that a known vulnerability was exploited suggests that the vulnerability was intentional.


> including bugdoors

Is a bugdoor a factory backdoor implemented via an intentional bug?

Is the idea to give plausible deniability if the backdoor gets found?


Yes, I heard this concept alleged publicly ~25 years ago. I've only heard the "bugdoor" term within the last few years.

The first time I heard the idea, someone was claiming publicly that a manager/lead at a tech vendor had been approached by a government, and asked to insert a backdoor that would look accidental, and without the larger organization aware. That might've been apocryphal, but the idea was plausible.

The idea is maybe received a bit differently today, when there's a ton more people doing work, by a ton of developers who haven't had correctness and security prioritized. Even some of the key bits of tech infrastructure, by some of the largest tech companies, seem to think weekly security updates, for multiple CVEs each, isn't insane. "Uh, you want us to make a security vulnerability, and make it look like it was because we were negligent? If you can wait a week, I can give you a dozen all-natural ones."



Strange, it's not available anymore. Thankfully it's archived: https://web.archive.org/web/20240206154347/https://www.ncsc....


Odd, I can still download it from the original link.


As someone not super familiar with security research, this work and the associated report must have cost millions of euro in experienced engineering man-hours to write, right? You can't just put a team of interns on this sort of stuff (of course, not defending is not an option, well, an extremely dangerous one)


It doesn't take that many hours, you are over-estimating by 2.5 orders of magnitude.


If you wrote like 20 similar papers, I think it is not even near that. If you already have the exploit, you can easily and lazily throw this together in a week. I presume.


AIVD / NCSC don't have money to waste; compared to larger countries they're relatively small (but pretty effective).


Wonder what they were after? Upcoming sanctions? ASML?


I'm not entirely sure why driving a tank across a border is materially different to "driving code" across a digital border.

Personally I'm less concerned about the tank. It's obvious and easy to risk assess. I don't get why countries don't have any significant, and honestly outsized, response to hacking and spying.

The damage that is/can be done is outrageous.


> I'm not entirely sure why driving a tank across a border is materially different to "driving code" across a digital border.

Cyberattacks are much more analogous to traditional espionage than acts of war. States don't regard espionage as acts of war because it's something engaged in by all sides and which literally happens all the time, unlike tanks rolling across the border.

Politicians of course like to pretend otherwise ... I was reminded of this, shall we say, breath-taking question I saw Rep. Haley Stevens asking recently on cspan :)

https://www.c-span.org/video/?c5105488/user-clip-do-departme...

> So we shouldn't consider cyberattacks warfare? I mean, what are they doing over there? Do they have a department that is just focused on cyberattacks? 'Coz this is, sort of, in some respects, hard to wrap our heads around, right? I mean, we don't …


They did the same thing to the US with Solarwinds. Which, it's funny, nobody really talks about what that is. It's what they use to spy on the public. Pretty funny stuff really, ironic.


Security hardware and software are such honeypots.


When is Europe going to wake up and realize that China is attacking Europe with all its weight, whether it's through Russia's military invasion or through economic attack of dumping of EV and solar that seeks to destroy Europe's car industry?

China Offers Full Support to Russia on Ukraine War https://www.newsweek.com/china-russia-ukraine-war-dong-jun-c...


If China supported Russia the war would have been over by now. There is a reason Russia has to buy weapons from North Korea and Iran when China would have been able to provide much more.

China has actually supported Saudi Arabia's war on Yemen's Houthis more than they have supported Russia's war on Ukraine. When Saudi Arabia's F-15s started getting their wings blown off by Iranian SAMs fired by Houthis it was Chinese drones that started hitting Houthi positions in Yemen.

For some reason there is little awareness about the close Saudi-China alliance here in the West.


If China didn't support Russia the war would have been over by now.


They support them just enough so the war can drag on, weakening both Russia and the West.


China absolutely has supported Russia, now it hasn’t given weapons (as far as we know). But it has provided ample material support in terms of western chips, heavy vehicles and parts. Without which Russia wouldn’t have lasted as long as it has. Not to mention the diplomatic cover.


In the article I linked, it literally said:

"China's newly appointed defense chief and Shoigu discussed boosting military cooperation and coordination as the Russia-Ukraine war drags on. Tensions surrounding the Ukraine crisis have tested the resilience of the China-Russia partnership, with Beijing supporting the Kremlin's plans economically rather than openly amid international pressure."


From the HN Guidelines:

> Eschew flamebait. Avoid generic tangents. Omit internet tropes.

> Please don't use Hacker News for political or ideological battle. That tramples curiosity.



