Researchers from Lumen’s Black Lotus Labs believe an “audacious” HiatusRAT malware attack against a U.S. Department of Defense server may be aligned with other recent espionage-focused campaigns linked to China.
The researchers observed unknown threat actors using the malware to carry out reconnaissance against the U.S. military server — used for submitting and retrieving defense contract proposals — and also to target a range of Taiwan-based organizations.
In an Aug. 17 blog post, the researchers said the June attacks marked a “shift in information gathering and target preference” by the same actors they previously observed carrying out a HiatusRAT campaign in March.
The March campaign was largely focused on Latin American and European organizations. It targeted business-grade small office/home office (SOHO) routers, deploying the novel remote access trojan (RAT) that Black Lotus Labs dubbed “HiatusRAT.”
The researchers said the group’s subsequent pivot to focus on a different type of target and location could indicate a “strategic shift which would align with a slew of recent reporting of Chinese-oriented operations against U.S.-based entities, such as those from Storm-0558 and Volt Typhoon.”
Black Lotus Labs believed the group’s revised strategy was “synonymous with the strategic interest of the People’s Republic of China according to the 2023 ODNI (Office of the Director of National Intelligence) threat assessment.”
“Despite our prior reporting, this group continued with their operations nearly unabated; in a truly brazen move, they recompiled malware samples for different architectures that contained the previously identified C2 (command and control) servers,” the researchers said.
Over a period of approximately two hours on June 13, the researchers observed more than 11 MB of sampled bi-directional data being transferred to and from the U.S. DOD server.
“We suspect this actor was searching for publicly available resources related to current and future military contracts,” the researchers said.
“Given that this website was associated with contract proposals, we suspect the objective was to obtain publicly available information about military requirements and searching for organizations involved in the Defense Industrial Base (DIB), potentially for subsequent targeting,” they said.
“While we acknowledge that all threat actors have different tolerances when it comes to public disclosures, this activity cluster ranks as one of the most audacious Black Lotus Labs has observed.”
Even though its tools and capabilities had been reported on, the threat group took only “the most minor of steps to swap out existing payload servers and carried on with their operations, without even attempting to re-configure their C2 infrastructure,” the researchers said.
Black Lotus Labs warned that the HiatusRAT campaign appeared to be a fresh example of the type of attacks that could be carried out against the DIB “with a sense of impunity.”
The threat group appeared to be interested in smaller DIB firms and those supporting Taiwan for intelligence gathering purposes, the researchers said. “We recommend defense contractors exercise caution and monitor their networking devices for the presence of HiatusRAT.”