"US Military Targeted in Recent HiatusRAT Attack"

According to security researchers at Lumen, a recent HiatusRAT campaign has been targeting a US military procurement system for reconnaissance.  Initially observed at the beginning of the year, HiatusRAT has been targeting high-bandwidth routers typically used by medium-sized businesses, allowing attackers to run commands, exfiltrate data, and establish a covert proxy network.  HiatusRAT has been active since at least June 2022, targeting organizations in Europe and Latin America, with at least 100 victims identified by March 2023.  The researchers noted that following initial reporting on HiatusRAT, the threat actor changed tactics and, in attacks observed in June 2023, shifted focus to performing reconnaissance against a US military procurement system and to targeting Taiwan-based organizations.  According to the researchers, the adversary continued the operation unhindered by the public exposure and recompiled their malware binaries for new architectures, including Arm, Intel 80386, and x86-64, hosting them on newly procured virtual private servers (VPSs).  The researchers noted that one of these VPSs was used almost exclusively in attacks targeting Taiwanese entities, including a municipal government organization and various commercial firms, including semiconductor and chemical manufacturers.  The researchers also identified a different VPS node being used to transfer data with a server that the US Department of Defense uses for contract proposals and submissions.  The researchers noted that given that this website was associated with contract proposals, they suspect the threat actor could gather publicly available information about military requirements or search for organizations involved in the Defense Industrial Base (DIB).  

 

SecurityWeek reports: "US Military Targeted in Recent HiatusRAT Attack"

Submitted by Anonymous on