HiatusRAT Returns: New Wave of Reconnaissance

There is a resurgence in cyber espionage activity by the threat actor behind the HiatusRAT malware campaign. Taiwan-based organizations and a U.S. military procurement platform are the prime targets of this latest wave of operations. Lumen Black Lotus Labs, a prominent cybersecurity research team, has shed light on the current state of affairs in a recently published report.


The company reveals that the group has not only updated its malware samples for a range of architectures but has also expanded its operations by standing up newly acquired virtual private servers (VPSs). According to the report, this bold mode of operation shows no sign of slowing down. The actors, however, still operate from the shadows: their identity and country of origin remain undisclosed.


The targeted organizations range from semiconductor firms to chemical manufacturers and include at least one municipal government organization in Taiwan. Notably, a U.S. Department of Defense (DoD) server used to publish updates on and handle procurement of defense contracts was also under fire.


Back in March 2023, the same cybersecurity company brought the first wave of HiatusRAT intrusions to light. Launching the initial campaign in July 2022, the actors mostly honed in on business-grade routers in Latin America and Europe. The malware infected nearly 100 edge networking devices worldwide to build a stealthy data-collection and command-and-control (C2) infrastructure.


The recent attack series, observed from mid-June through August 2023, deployed pre-built HiatusRAT samples compiled for Arm, Intel 80386, and x86-64 architectures, along with MIPS, MIPS64, and i386. A review of server telemetry revealed that 91% of inbound connections originated from Taiwan, hinting at a possible preference by the malware operators for Ruckus-manufactured edge devices.


HiatusRAT's infrastructure includes payload and reconnaissance servers that interact directly with the victims' networks. These servers are controlled by Tier 1 servers, which in turn are supervised by Tier 2 servers.


The connection to the DoD server on June 13, traced to two separate IP addresses, lasted for approximately two hours. An estimated 11 MB of bidirectional data was exchanged during that period. The final motive remains ambiguous, yet it is plausible that the perpetrators aimed to extract publicly available information on ongoing and prospective military contracts for future targeting.
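The two observations above (a high share of connections from one country, and a sustained, multi-megabyte session from a pair of addresses) are the kind of signal a defender can pull out of their own flow logs. The following is an added example, not code from Black Lotus Labs or from the report: it parses a small set of constructed flow records, collapses them into per-source sessions, flags sessions that run long and move a lot of data, and computes the share of connections by origin country. The log format, the prefix-to-country table, the IP addresses (documentation ranges) and the thresholds are all assumptions for the example.

```python
"""Session aggregation and origin summary over constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed flow log lines (not real telemetry). Assumed format:
# timestamp,src_ip,dst_ip,bytes_to_dst,bytes_from_dst
SAMPLE_FLOWS = """\
2023-06-13T09:00:00Z,203.0.113.10,192.0.2.50,1000000,1800000
2023-06-13T09:40:00Z,203.0.113.10,192.0.2.50,1000000,1800000
2023-06-13T10:20:00Z,203.0.113.10,192.0.2.50,1000000,1800000
2023-06-13T11:00:00Z,203.0.113.10,192.0.2.50,1000000,1800000
2023-06-13T10:15:00Z,203.0.113.11,192.0.2.50,50000,20000
2023-06-13T12:00:00Z,198.51.100.20,192.0.2.50,30000,10000
"""

# Constructed prefix-to-country table using documentation ranges; a real
# deployment would use a GeoIP database instead.
GEO_PREFIXES = {
    ip_network("203.0.113.0/24"): "TW",
    ip_network("198.51.100.0/24"): "US",
}


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    bytes_to_dst: int
    bytes_from_dst: int


def parse_flows(text):
    """Parse the constructed CSV-style flow lines into Flow objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, b_to, b_from = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append(Flow(when, src, dst, int(b_to), int(b_from)))
    return flows


def country_of(ip, prefixes=GEO_PREFIXES):
    """Longest-match-free lookup: first prefix that contains the address wins."""
    addr = ip_address(ip)
    for net, cc in prefixes.items():
        if addr in net:
            return cc
    return "??"  # unknown origin


def aggregate_sessions(flows):
    """Collapse flows sharing (src, dst) into one session with first/last seen and total bytes."""
    sessions = {}
    for f in flows:
        key = (f.src, f.dst)
        total = f.bytes_to_dst + f.bytes_from_dst
        s = sessions.get(key)
        if s is None:
            sessions[key] = {"first": f.ts, "last": f.ts, "bytes": total, "flows": 1}
        else:
            s["first"] = min(s["first"], f.ts)
            s["last"] = max(s["last"], f.ts)
            s["bytes"] += total
            s["flows"] += 1
    return sessions


def flag_sessions(sessions, min_minutes=60, min_bytes=5 * 1024 * 1024):
    """Return sessions that both persist for >= min_minutes and exchange >= min_bytes."""
    flagged = {}
    for key, s in sessions.items():
        minutes = (s["last"] - s["first"]).total_seconds() / 60
        if minutes >= min_minutes and s["bytes"] >= min_bytes:
            flagged[key] = {**s, "minutes": minutes}
    return flagged


def origin_share(flows, prefixes=GEO_PREFIXES):
    """Fraction of connections per source country, as in the report's 91%-from-Taiwan figure."""
    counts = defaultdict(int)
    for f in flows:
        counts[country_of(f.src, prefixes)] += 1
    total = sum(counts.values())
    return {cc: n / total for cc, n in counts.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, dst), s in flag_sessions(aggregate_sessions(flows)).items():
        print(f"sustained session {src} -> {dst}: {s['minutes']:.0f} min, {s['bytes']} bytes")
    for cc, share in sorted(origin_share(flows).items()):
        print(f"{cc}: {share:.1%} of connections")
```

The thresholds (60 minutes, 5 MiB) are deliberately loose starting points; on a real perimeter the right values come from baselining normal administrative traffic to the device, and the session key would usually include the destination port.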


Recent incidents bear out a grim pattern of perimeter assets such as routers being compromised by attackers. Chinese threat groups have been found exploiting unpatched security vulnerabilities in Fortinet and SonicWall appliances to lay the groundwork for long-term access to their targets.


Surprisingly, despite the earlier public exposure of their tooling and methods, the threat actors took only simple steps, such as rotating their existing payload servers, and then carried on with their operations. They showed no intent to change their C2 infrastructure, which signals a striking degree of brazenness in how they operate.


At Darksteel Technologies, we are an Orlando-based business that can handle all aspects of your IT security, providing compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.