- A hacking campaign leveraging compromised routers in Europe and Latin America that went dark this spring has resumed operations, and is now targeting U.S. Department of Defense procurement sites and organizations in Taiwan, according to research from Black Lotus Labs, the security research arm of Lumen.
- The March campaign, dubbed HiatusRAT, leveraged more than 100 edge routers mainly in Europe and Latin America and began new reconnaissance activity this summer designed to collect information on defense contract submissions to the Pentagon as well as manufacturing in Taiwan.
- Companies doing business with the DoD should monitor their networking devices for the presence of HiatusRAT, according to the researchers. The hackers have shown a preference for targeting smaller firms and those supporting Taiwan, in order to gather intelligence. Pentagon officials could not be immediately reached for comment.
The activity is consistent with the interests of the People’s Republic of China, the researchers said, citing the 2023 threat assessment from the Office of the Director of National Intelligence.
The recent attacks share some similarities to recent campaigns, including Volt Typhoon. However, the clusters do not directly overlap and are considered to involve separate threat actors.
The Volt Typhoon campaign leveraged home office routers, firewalls and VPNs to launch attacks against critical infrastructure. That campaign, originally disclosed in May, was designed to disrupt communications between the U.S. and Asia-Pacific region.
The HiatusRAT campaign disclosed in March involved two malicious binaries, including a remote access trojan and a variant of tcpdump, which enables packet capture on targeted devices, according to Black Lotus Labs. The March campaign abused end-of-life DrayTek Vigor devices.
The new HiatusRAT campaign appeared to be targeting a DoD server that contained information on current and future military contracts, according to researchers.
“Given that the website was associated with contract proposals, we suspect the objective was to obtain publicly available information about military requirements and searching for organizations involved in the Defense Industrial Base, potentially for subsequent targeting,” said Mark Dehus, director of threat intelligence at Lumen Black Lotus Labs.
More than 90% of the inbound connections stemmed from Taiwan and the leveraged appliances were mainly edge devices made by Ruckus, according to researchers.