A hacking campaign that went quiet earlier this year has resumed its activities. According to a new warning from researchers at Black Lotus Labs, the attackers are now targeting US Department of Defense procurement sites and Taiwan-based organizations.
Similarities with the March attacks
The campaign first came to light in March 2023. At the time, the attackers relied on compromised routers located in Latin America and Europe. The operation, dubbed HiatusRAT, used more than 100 edge routers, which the attackers appeared to be using to spy on their victims.
The malware was described as highly sophisticated and previously unseen. It targeted business-grade routers; while most victims were in Europe and Latin America, there were also numerous cases in North America, with activity dating back at least to July 2022.
Now the attackers are back, this time targeting US Department of Defense procurement sites and Taiwan-based organizations. According to Black Lotus Labs, the security research arm of Lumen, the group is conducting new reconnaissance activity aimed at collecting data on defense contract submissions to the Pentagon.
Companies doing business with the Department of Defense are advised to monitor their network equipment closely for signs of HiatusRAT, the researchers suggest. The attackers have shown particular interest in small businesses and in organizations that support Taiwan. One possible reason is that small businesses tend to have weaker security, making their systems easier to compromise for intelligence gathering.
The researchers also noted that this activity aligns with China's strategic interests, citing the 2023 threat assessment published by the Office of the Director of National Intelligence.
What do we know about these attacks?
According to the researchers, the attacks resemble other recent campaigns, Volt Typhoon being one example. However, the activity does not directly overlap, so the campaigns are believed to involve different actors.
The Volt Typhoon campaign, for example, compromised routers, VPN appliances and home-office firewalls and used them as infrastructure for attacks on critical infrastructure. That campaign was disclosed in May this year, and researchers concluded it was intended to disrupt communications between the Asia-Pacific region and the USA.
The HiatusRAT campaign disclosed in March this year involved two malicious binaries: a remote access Trojan and a variant of tcpdump, which reports describe as enabling packet capture on the specific devices the attackers targeted. The campaign also exploited end-of-life DrayTek Vigor routers.
As for the latest HiatusRAT campaign, it appears to target a DoD server holding information on current and future military contracts. Mark Dehus, Director of Threat Intelligence at Black Lotus Labs, commented, “Given that the website was associated with contract proposals, we suspect that the aim was to obtain publicly available information on military requirements and to seek out organizations involved in the defense industrial base, potentially for further targeting.”
It was also reported that over 90% of inbound connections originated from Taiwan, and that the devices used were edge devices manufactured by Ruckus.
Attacks don’t slow down
Black Lotus Labs described this cluster of activity as “brazen” and among the most daring it has seen, meaning the attackers show no signs of slowing down. The activity reportedly began in mid-June and continues to this day. The HiatusRAT binaries used were compiled for Arm, Intel 80386 (i386), x86-64, MIPS and MIPS64 architectures.
The HiatusRAT infrastructure consists of payload and reconnaissance servers that communicate directly with the targeted networks. These are managed by Tier 1 servers, which are in turn controlled by Tier 2 servers. The attackers were also found to use two different IP addresses to connect to the Department of Defense server.