In March 2023, Lumen Black Lotus Labs researchers uncovered a sophisticated campaign, dubbed "HiatusRAT", that had infected over 100 edge networking devices worldwide. The threat actors used compromised edge routers, or "living on the edge" access, to passively collect traffic and to stand up a covert command-and-control (C2) infrastructure.
In June, the group began reconnaissance and targeting activity aimed at a U.S. military procurement system and was also spotted targeting Taiwan-based organizations.
The choice of targets in the latest campaign aligns with the strategic interests of the People's Republic of China described in the 2023 ODNI threat assessment.
The threat actor hosted newly compiled malware on several newly procured virtual private servers (VPSs). One of these VPSs was used exclusively in attacks against entities in Taiwan, including commercial firms and at least one municipal government organization.
Another VPS node was used to target a U.S. military server used for contract proposals and submissions. The threat actors appear to have been interested in gathering intelligence about military requirements, with a focus on organizations in the Defense Industrial Base (DIB).
“Starting in mid-June through August 2023, Black Lotus Labs observed multiple newly compiled versions of the HiatusRAT malware discovered in the wild. In this latest campaign, our investigation also uncovered prebuilt Hiatus binaries that target new architectures such as Arm, Intel 80386, and x86-64 and previously targeted architectures such as MIPS, MIPS64, and i386.” reads the report published by Black Lotus Labs.
In August, the researchers observed the threat actors using a new VPS at IP address 107.189.11[.]105. They analyzed the connections made to this server to identify potential targets and found that over 91% of the inbound connections came from Taiwan, with an apparent preference for Ruckus-manufactured edge devices. The campaign impacted a wide range of organizations in the country, from semiconductor and chemical manufacturers to at least one municipal government organization.
“Realizing that this infrastructure was still active, we searched through our global telemetry to search for upstream, or Tier 2, servers that appear to operate and manage tier 1 servers.” continues the report. “We identified one node in the PRC at IP address 101.39.202[.]142 as well as three additional VPSs in the U.S.:
The researchers observed the threat actors using two different IP addresses, 207.246.80[.]240 and 45.63.70[.]57, to connect to the DoD server on June 13. Within two hours, the researchers observed 11 MB of bidirectional data being transferred.
“Establishing access to high value targets by compromising perimeter assets, such as edge network devices, is a tactic the industry has observed against several verticals from PRC-based actors. We suspect the HiatusRAT cluster serves as another example of tradecraft that could be applied against the U.S. Defense Industrial Base with a sense of impunity.” concludes the report. “We recommend defense contractors exercise caution and monitor their networking devices for the presence of HiatusRAT. The adversary has shown interest in targeting smaller DIB firms and those supporting Taiwan for intelligence gathering purposes.”
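To act on that recommendation, the following is an added example (not code from Black Lotus Labs or from this article) that takes the indicator IP addresses quoted above, refangs them from the article's `[.]` notation, and hunts for them as either endpoint in flow or firewall logs, aggregating flows and bidirectional bytes per indicator. The log line format, the role descriptions attached to each indicator, and the sample records are constructed for this example and do not come from the report.

```python
"""Hunt for the HiatusRAT network indicators quoted in the article.

Added example, not code from Black Lotus Labs or SecurityAffairs. The IP
addresses are the ones quoted above; the log format and sample lines are
constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Indicators as quoted in the article, in its defanged form, with the role the
# article's text assigns to each (descriptions are this example's wording).
HIATUSRAT_IOCS = {
    "107.189.11[.]105": "Tier 1 VPS active in August 2023, Taiwan-focused",
    "101.39.202[.]142": "upstream (Tier 2) node in the PRC",
    "207.246.80[.]240": "source of June 13 connections to the DoD server",
    "45.63.70[.]57": "source of June 13 connections to the DoD server",
}

DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(indicator: str) -> str:
    """Turn a defanged IPv4 such as '107.189.11[.]105' into '107.189.11.105'.

    ipaddress.ip_address() raises ValueError on anything that is not a valid
    address, so a typo in the indicator list fails loudly instead of silently
    never matching.
    """
    return str(ipaddress.ip_address(DEFANG_RE.sub(".", indicator.strip())))


def build_ioc_table(defanged: dict) -> dict:
    """Map refanged IP string -> role description."""
    return {refang(ip): role for ip, role in defanged.items()}


# Constructed (assumed) flow-log format, one record per line:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> in=<bytes> out=<bytes>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+in=(?P<bin>\d+)\s+out=(?P<bout>\d+)\s*$"
)


def parse_flow(line: str):
    """Parse one flow record; return None for lines that are not records."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["bin"], flow["bout"] = int(flow["bin"]), int(flow["bout"])
    return flow


def hunt(lines, ioc_table: dict) -> list:
    """Return one hit per flow that has an indicator as source or destination.

    Both directions are checked because the article describes the same VPSs
    as servers that victims connect to and as sources that reach out to a
    target, so a destination-only match would miss half the activity.
    """
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        for side in ("src", "dst"):
            ip = flow[side]
            if ip in ioc_table:
                hits.append({
                    "ts": flow["ts"],
                    "ioc": ip,
                    "role": ioc_table[ip],
                    "ioc_is": side,
                    "peer": flow["dst" if side == "src" else "src"],
                    "bytes": flow["bin"] + flow["bout"],  # bidirectional total
                })
    return hits


def summarize(hits: list) -> dict:
    """Aggregate flow count, bidirectional bytes and internal peers per indicator."""
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0, "peers": set()})
    for h in hits:
        entry = summary[h["ioc"]]
        entry["flows"] += 1
        entry["bytes"] += h["bytes"]
        entry["peers"].add(h["peer"])
    return dict(summary)


# Constructed sample log: documentation-range addresses stand in for local hosts.
SAMPLE_LOG = """\
2023-08-14T09:12:01Z 203.0.113.5:51322 -> 107.189.11.105:443 tcp in=1840 out=96211
2023-08-14T09:12:07Z 203.0.113.9:40222 -> 192.0.2.80:443 tcp in=2200 out=3100
2023-08-14T09:13:45Z 107.189.11.105:443 -> 203.0.113.5:51322 tcp in=120 out=5000
2023-06-13T14:02:10Z 207.246.80.240:55012 -> 198.51.100.20:443 tcp in=5242880 out=6291456
2023-06-13T14:40:33Z 45.63.70.57:55980 -> 198.51.100.20:443 tcp in=102400 out=51200
this line is not a flow record
"""

if __name__ == "__main__":
    table = build_ioc_table(HIATUSRAT_IOCS)
    for ioc, entry in summarize(hunt(SAMPLE_LOG.splitlines(), table)).items():
        print(f"{ioc} ({table[ioc]}): {entry['flows']} flows, "
              f"{entry['bytes']} bytes, peers={sorted(entry['peers'])}")
```

The `peers` set is the useful output for an incident responder: every internal address that exchanged traffic with a listed node is a candidate compromised edge device to pull configuration and firmware from, regardless of which side initiated the flow.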
(SecurityAffairs – hacking, HiatusRAT malware)