Compromised routers allowed online criminals to target Pentagon contract site

Posted on August 29, 2023 at 10:16 AM


A hacking campaign that went dark earlier this year has resumed operations. According to a new warning issued by Black Lotus Labs researchers, the hackers’ goal is to target US Department of Defense procurement sites and organizations based in Taiwan.

Similarities with the March attacks

The campaign was first reported in March 2023. At the time, the attackers were leveraging compromised routers located in Latin American and European countries. The operation, named HiatusRAT after its malware, had taken over more than 100 edge routers and appeared to be using them to spy on the victims.

The malware was described as complex and previously unseen. It targeted business-grade routers, and while most victims were in Europe and Latin America, there were numerous cases in North America as well; the activity dated back to at least July 2022.

Now the hackers have resumed operations, this time targeting US Department of Defense procurement sites and organizations based in Taiwan. According to Black Lotus Labs, the security research arm of Lumen, the group has begun a new reconnaissance effort aimed at collecting data on defense contract submissions to the Pentagon.

Researchers recommend that firms doing any kind of business with the DoD closely monitor their networking devices for signs of HiatusRAT. The attackers have shown particular interest in smaller companies and in organizations supporting Taiwan. One likely reason is that smaller companies tend to have weaker security, which makes their systems easier to infiltrate and to use for intelligence gathering.
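The article's advice is to watch the networking devices themselves, and the distinguishing feature of a router implant is that the router, rather than a client behind it, becomes the source of outbound traffic. The following is an added example, not code from the article or from Black Lotus Labs, of one practical way to hunt for that from the network side: take flow records from the WAN side of an edge router and flag any flow the router's own address initiates to a destination outside a small per-device allowlist (DNS, NTP, vendor updates), escalating large uploads. The flow records, the router address (192.0.2.1), the destination addresses, the allowlist and the record layout are all constructed for the example and are assumptions, not any vendor's export format or any published indicator.

```python
"""
Added example: flag an edge router whose own address initiates egress to
destinations outside a per-device allowlist. Not part of the original
article. All addresses are from the RFC 5737 documentation ranges and the
flow layout (ts, src, dst, dport, proto, nbytes) is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed sample flows. 192.0.2.1 stands in for the router's own WAN
# address; 203.0.113.x and 198.51.100.x stand in for external hosts.
SAMPLE_FLOWS = [
    Flow("2023-06-15T01:02:03Z", "192.0.2.1", "203.0.113.10", 123, "udp", 90),        # NTP: allowed
    Flow("2023-06-15T01:02:04Z", "192.0.2.1", "203.0.113.53", 53, "udp", 120),        # DNS: allowed
    Flow("2023-06-15T01:05:00Z", "192.0.2.1", "198.51.100.7", 443, "tcp", 48213),     # router -> unknown host
    Flow("2023-06-15T01:05:30Z", "192.0.2.1", "198.51.100.7", 443, "tcp", 3_200_000), # large upload from router
    Flow("2023-06-15T01:06:00Z", "10.0.0.25", "198.51.100.7", 443, "tcp", 5000),      # LAN client, not the router
]

# Addresses that belong to the router itself (assumed for the example).
ROUTER_ADDRS = {"192.0.2.1"}

# (destination network, port) pairs the router is permitted to reach on its own.
EGRESS_ALLOWLIST = [
    (ip_network("203.0.113.10/32"), 123),  # NTP server
    (ip_network("203.0.113.53/32"), 53),   # upstream resolver
]

# Above this many bytes in one router-originated flow, treat it as an upload.
LARGE_UPLOAD_BYTES = 1_000_000


def is_allowed(flow):
    """True if the flow's destination and port are on the router's egress allowlist."""
    dst = ip_address(flow.dst)
    return any(dst in net and flow.dport == port for net, port in EGRESS_ALLOWLIST)


def flag_router_egress(flows, router_addrs=ROUTER_ADDRS):
    """Return (reason, flow) pairs for flows the router itself started outside the allowlist."""
    findings = []
    for f in flows:
        if f.src not in router_addrs:
            continue  # traffic from LAN clients is out of scope for this check
        if is_allowed(f):
            continue
        reason = "router-initiated egress to non-allowlisted destination"
        if f.nbytes >= LARGE_UPLOAD_BYTES:
            reason = "large router-initiated upload to non-allowlisted destination"
        findings.append((reason, f))
    return findings


def summarize(findings):
    """Group findings by destination so a beaconing host shows up as one line."""
    by_dst = {}
    for reason, f in findings:
        entry = by_dst.setdefault(f.dst, {"flows": 0, "bytes": 0, "reasons": set()})
        entry["flows"] += 1
        entry["bytes"] += f.nbytes
        entry["reasons"].add(reason)
    return by_dst


if __name__ == "__main__":
    for dst, info in summarize(flag_router_egress(SAMPLE_FLOWS)).items():
        print(f"{dst}: {info['flows']} flows, {info['bytes']} bytes, {sorted(info['reasons'])}")
```

Run against real flow exports, the allowlist is the part that needs care: it should be built from what the router is documented to do (NTP, DNS, the vendor's update and cloud-management endpoints) rather than from observed traffic, since observed traffic on an already-compromised device would whitelist the implant's own beacons.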

Researchers also noted that the activity aligns with China's strategic interests, citing the 2023 threat assessment issued by the Office of the Director of National Intelligence.

What is known about the attacks?

According to researchers, the attacks share similarities with other recent campaigns, such as Volt Typhoon. However, the activity clusters do not overlap directly, so they are believed to involve different threat actors.

Volt Typhoon, for example, abused small office/home office routers, VPNs, and firewalls to launch attacks on critical infrastructure. That campaign was disclosed in May of this year, and researchers assessed that it was building the capability to disrupt communications between the Asia-Pacific region and the United States.

The earlier HiatusRAT campaign, revealed in March of this year, involved two malicious binaries: a remote access trojan and a variant of tcpdump, which let the attackers capture packets on the devices they targeted. That campaign also abused end-of-life DrayTek Vigor routers.

As for the newest HiatusRAT campaign, it seems to be targeting the DoD server that holds information regarding current and future contracts involving the military. Black Lotus Labs’ director of threat intelligence, Mark Dehus, commented on the situation, stating: “Given that the website was associated with contract proposals, we suspect the objective was to obtain publicly available information about military requirements and searching for organizations involved in the Defense Industrial Base, potentially for subsequent targeting.”

Furthermore, over 90% of the inbound connections reportedly originated from Taiwan, and the appliances leveraged were Ruckus-made edge devices.

The attacks are not slowing down

Black Lotus Labs described the activity cluster as "brazen" and one of the most audacious it has seen, meaning the hackers show no sign of slowing down. The activity reportedly began in mid-June and has continued since. The HiatusRAT binaries were compiled for Arm, Intel 80386 (i386), x86-64, MIPS, and MIPS64.

HiatusRAT's infrastructure consists of payload and reconnaissance servers that communicate directly with targeted networks. Those servers are operated via Tier 1 servers, which are in turn controlled from Tier 2 servers. The attackers were also found to be using two different IP addresses to connect to the DoD server.

