A recently released report by technology research group Black Lotus Labs found that HiatusRAT malware is running a new campaign to accumulate data on Pentagon defense contracts and information from Taiwanese manufacturing entities.

HiatusRAT: what it is, and what it does

According to Black Lotus Labs, HiatusRAT is a form of “Remote Access Trojan” malware (aka RAT) that “infects business-grade routers and deploys two malicious binaries, including a Remote Access Trojan… and a variant of tcpdump that enables packet capture on the target device.” This means that the attackers can intercept and retrieve “packets” of data that are being transferred over a network, which can then be “stored… for further analysis.” Black Lotus Labs explained:

“Once a targeted system is infected, HiatusRAT allows the threat actor to remotely interact with the system, and it utilizes prebuilt functionality – some of which is highly unusual – to convert the compromised machine into a covert proxy for the threat actor. The packet-capture binary enables the actor to monitor router traffic on ports associated with email and file-transfer communications.”

HiatusRAT isn’t new to the cyberattack scene; it was first spotted over six months ago when the Black Lotus Labs discovered that “at least 100” people had become victims of the malware attack, most of whom were located in Latin American and European countries. Lotus Labs also discovered approximately 100 bots being utilized in the malware campaign.

HiatusRAT’s latest campaign

As they recently reported, Black Lotus Labs researchers discovered that over the course of the summer, HiatusRAT was up and running once more, and “appeared to be targeting a DoD server that contained information on current and future military contracts.” The majority of the inbound connections came from Taiwan, and primarily found footholds in Ruckus edge devices, such as wireless routers. While it is unclear who is behind the attacks, the information being gathered is “synonymous with the strategic interest of the People’s Republic of China” as outlined in the 2023 Annual Threat Assessment report from the Office of the Director of National Intelligence. Mark Dehus, director of threat intelligence at Lumen Black Lotus Labs stated:

“Given that the website was associated with contract proposals, we suspect the objective was to obtain publicly available information about military requirements and searching for organizations involved in the Defense Industrial Base, potentially for subsequent targeting,”

The researchers advised any organizations that work with the DoD take extra precautions to protect themselves from a potential attack following HiatusRAT’s latest activity:

“We suspect the HiatusRAT cluster serves as another example of tradecraft that could be applied against the U.S. Defense Industrial Base with a sense of impunity. We recommend defense contractors exercise caution and monitor their networking devices for the presence of HiatusRAT. The adversary has shown interest in targeting smaller DIB firms and those supporting Taiwan for intelligence gathering purposes.”