HiatusRAT, a remote access trojan that gives cybercriminals unauthorized access to infected devices, has resurfaced with a new wave of targeting activity [1] [2] [3]. This time the focus is on Taiwanese organizations and a U.S. military procurement system [1] [2]. The malware, first documented by Black Lotus Labs in March 2023, has been infecting business-grade routers worldwide [2] [3] [4] [5]. Lumen Black Lotus Labs warns that sophisticated, nation-state-sponsored threat actors are exploiting routers to run espionage and criminal networks without the device owners' knowledge [5]. This audacious campaign raises concerns about both national security and corporate confidentiality.

Description

The targets of HiatusRAT include commercial firms in Taiwan, a Taiwanese municipal government organization, and a U.S. Department of Defense (DoD) server associated with defense contracts [1] [2]. The malware has been specifically tailored to breach the defenses of these organizations, allowing the threat actors to steal sensitive information and disrupt operations [4]. The identity and origin of the threat actors remain unknown [1] [2].

HiatusRAT was previously known for targeting business-grade routers to spy on victims in Latin America and Europe [1] [2]. The recent attacks reuse pre-built HiatusRAT binaries compiled for a range of architectures [1] [2]. The majority of inbound connections to the malware server originate from Taiwan, and the actor shows a preference for Ruckus-manufactured edge devices [2]. The HiatusRAT infrastructure consists of payload and reconnaissance servers, which are operated and managed through Tier 2 servers [2].

The attackers have used two different IP addresses to connect to the DoD server, potentially seeking publicly available information on military contracts [1] [2]. Targeting routers has become a pattern, with China-affiliated threat actors exploiting security flaws in network appliances to achieve long-term persistence [1] [2]. Despite prior public disclosure of its tools and capabilities, the threat actor behind HiatusRAT has made only minimal changes to its infrastructure [2].

Security analysts are actively working to neutralize the threat and are collaborating with affected organizations to strengthen their digital perimeters [4]. Affected parties should update their cybersecurity measures, and organizations worldwide should remain vigilant against evolving digital threats [4]. Lumen has implemented countermeasures to protect its customers and recommends using secure access solutions and enabling the latest cryptographic protocols [5]. Consumers with self-managed routers are advised to follow best practices and keep their devices' security up to date [5]. Black Lotus Labs has discovered three malware campaigns in the past year that targeted compromised routers, and has observed activity against various sectors by China-based actors [5].

Conclusion

The HiatusRAT malware poses a significant threat to Taiwanese organizations and the U.S. military procurement system [1] [2]. The targeted attacks, tailored to breach the defenses of specific organizations, highlight the need for enhanced cybersecurity measures [1] [2]. The identity and origin of the threat actors remain unknown [1] [2], raising concerns about national security and corporate confidentiality [4]. Security analysts are working to neutralize the threat and are collaborating with affected organizations to strengthen their digital perimeters [4]. Organizations worldwide should remain vigilant against evolving digital threats and update their cybersecurity measures accordingly. Recommended mitigations include using secure access solutions and regularly updating security protocols. The ongoing activity by China-based actors targeting compromised routers further emphasizes the need for continued vigilance and proactive defense.

References

[1] https://thehackernews.com/2023/08/hiatusrat-malware-resurfaces-taiwan.html
[2] https://www.redpacketsecurity.com/hiatusrat-malware-resurfaces-taiwan-firms-and-u-s-military-under-attack/
[3] https://ai-techpark.com/lumen-rediscovers-malware-now-used-in-campaign-to-research-u-s-military-websites/
[4] https://iipla.org/ip-news/hiatusrat-malware-makes-a-comeback-targeting-taiwan-firms-and-u-s-military/
[5] https://www.investorsobserver.com/news/qm-pr/7875334306719716