“It is important to ensure that espionage activities of this nature committed by China become public knowledge since this will help to increase international resilience to this type of cyber espionage,” Dutch Defence Minister Kajsa Ollongren said.

The agencies, known by their Dutch acronyms MIVD and AIVD, said the hackers had placed malicious software, or malware, that cloaked its own activity inside an armed forces network used by 50 people for unclassified research.

01:37

Illegal Chinese police centres in Netherlands ordered to shut immediately

Illegal Chinese police centres in Netherlands ordered to shut immediately

“MIVD & AIVD emphasise that this incident does not stand on its own, but is part of a wider trend of Chinese political espionage against the Netherlands and its allies,” they said in their report.

In response, China’s embassy in The Hague insisted Beijing “always firmly opposes and cracks down on cyberattacks in all forms in accordance with the law”.

“We will not allow any country or individual using Chinese infrastructure to engage in such illegal activities,” it said in a statement on its website.

“China opposes any malicious speculations and groundless accusations,” it added, describing cybersecurity as a “common challenge of all countries”.

Beijing routinely denies allegations of cyber espionage and says it opposes all forms of cyberattack.

Last April, AIVD said in an annual assessment that China posed the greatest threat to the Netherlands’ economic security with espionage attempts targeting hi-tech companies and universities. A prime target is ASML, based in the southern city of Veldhoven – the world’s dominant supplier of lithography machines for making computer chips.

In a separate report, also last April, the MIVD said China was illegally attempting to acquire Dutch space technology.

Strong China demand for chip tools bolsters revenue at Lam Research and ASML

It was not clear from Tuesday’s report what information the hackers were trying to obtain. The agencies said the damage was limited because the network was separate from the ministry’s main system.

Last month, Reuters reported that the US government had launched an operation to fight a pervasive Chinese hacking operation, dubbed “Volt Typhoon”, that compromised thousands of internet-connected devices. It was not clear from the report if the activity revealed by the MIVD and AIVD was connected.

The malware, known as Coathanger, appeared able to conceal its own presence, at least for a time. The agencies named it after a snippet of code that contained a line from “Lamb to the Slaughter”, a short story by British author Roald Dahl.

That line, “She took his coat and hung it up”, describes the moments before a wife murders her unsuspecting husband with a frozen leg of lamb.

“Coathanger” remains on a device even after an update or reboot, and deletes itself from virus scan results.

The report assessed with “high confidence” that both the hacking and the malware were the work of “a state-sponsored actor” from China.

It said the implant had also been found on the network of a Western international mission as well as a handful of others, adding: “The malware has been developed specifically for FortiGate devices, which are used by organisations as a firewall to protect their systems.”

Fortinet, the maker of the firewall, which is used worldwide, did not immediately respond to a request for comment.

Reuters, Agence France-Presse and Bloomberg