In a surprising development, a new wave of the HiatusRAT malware campaign has taken a strategic turn, targeting a server linked to the U.S. Department of Defense. This marks a departure from the campaign's previous focus on Latin American and European organizations. Initially aimed at compromising DrayTek Vigor VPN routers used by medium-sized businesses, the campaign's scope has expanded, catching security experts off guard.
Lumen's Black Lotus Labs, which closely monitors cyber threats, reported that the campaign's tactics shifted between mid-June and August. Notably, this period saw the U.S. military procurement system being targeted, alongside organizations based in Taiwan.
The malware samples of HiatusRAT were restructured to adapt to various computing architectures, covering a range from Arm and Intel to MIPS and x86-64. These samples found a home on recently acquired virtual private servers (VPSs). Among these servers, one was used for transferring data to a U.S. military server assigned for contract proposals and submissions.
The targeted website's association with contract proposals raises concerns about the attackers' motives. It's suspected that they were after publicly available data about military contracts and information related to the Defense Industrial Base (DIB). This aligns with a broader trend of attacks seeking sensitive strategic information, as highlighted in the 2023 ODNI annual threat assessment.
Lumen's Black Lotus Labs emphasized that this strategic shift indicates a potential connection to Chinese interests. This move towards information collection and refined targeting mirrors the modus operandi of Chinese-backed threat groups like Volt Typhoon and Storm-0558, which have also recently targeted U.S. entities.
The HiatusRAT campaign has even greater implications as it demonstrates a tradecraft that could be leveraged against the U.S. Defense Industrial Base. With this in mind, Lumen strongly advised defense contractors to be vigilant and proactively monitor their networking infrastructure to detect any signs of HiatusRAT. The ever-evolving cyber landscape calls for heightened cybersecurity measures, especially when strategic and sensitive sectors are at risk. Howard Goodman, Technical Director, Skybox Security shared more on the risk of advanced malware campaigns and how organizations can defend themselves:
“As malware strategies increasingly gravitate towards high-caliber institutional targets, it's imperative for cybersecurity contingents to adapt, avoiding perilous brinkmanship. The anxieties permeating the modern cybersecurity leader's mindset can be alleviated by maturing security posture management paradigms. Organizations must fully comprehend the current threat milieu to optimize this transformation's efficacy, including discerning the potential evolution of malware-driven cyber maleficence. In an era marked by the surge of sophisticated cyber threats, a forward-looking and well-informed strategy is indispensable for preserving invaluable datasets and infrastructures.” ###