A recent HiatusRAT campaign has been targeting a US military procurement system for reconnaissance, cybersecurity firm Lumen reports.
Initially observed at the beginning of the year, HiatusRAT has been targeting high-bandwidth routers typically used by medium-sized businesses, allowing attackers to run commands, exfiltrate data, and establish a covert proxy network.
Active since at least June 2022, the threat had been targeting organizations in Europe and Latin America, with at least 100 victims identified by March 2023.
Following initial reporting on HiatusRAT, the threat actor changed tactics and, in attacks observed in June 2023, shifted focus to performing reconnaissance against a US military procurement system and to targeting Taiwan-based organizations.
According to a new Lumen report, the adversary continued the operation unhindered by the public exposure and recompiled their malware binaries for new architectures – including Arm, Intel 80386, and x86-64 – hosting them on newly procured virtual private servers (VPSs).
One of these VPSs was used almost exclusively in attacks targeting Taiwanese entities, including a municipal government organization and various commercial firms, among them semiconductor and chemical manufacturers.
Lumen also identified a different VPS node being used to transfer data with a server that the US Department of Defense uses for contract proposals and submissions.
“Given that this website was associated with contract proposals, we suspect the threat actor could gather publicly available information about military requirements, or search for organizations involved in the Defense Industrial Base (DIB),” Lumen notes.
Newly observed malware samples used the same heartbeat and upload server for communication as previous binaries. Starting this month, the threat actor has been hosting the payload on a previously identified VPS.
An analysis of the communication with the malware’s server revealed that more than 91% of the inbound connections came from Taiwan, mainly from Ruckus-manufactured edge devices.
According to Lumen, the observed HiatusRAT activity does not appear to overlap with known threat actors, although the recent shift in targeting aligns with “recent reporting of Chinese-oriented operations against US based entities”.
“We suspect the HiatusRAT cluster serves as another example of tradecraft that could be applied against the US Defense Industrial Base with a sense of impunity. We recommend defense contractors exercise caution and monitor their networking devices for the presence of HiatusRAT,” Lumen notes.