Dive Brief:
- A hacking campaign leveraging compromised routers in Europe and Latin America that went dark this spring has resumed operations, and is now targeting U.S. Department of Defense procurement sites and organizations in Taiwan, according to research from Black Lotus Labs, the security research arm of Lumen.
- The campaign, dubbed HiatusRAT and first disclosed in March, compromised more than 100 edge routers, mainly in Europe and Latin America. This summer it began new reconnaissance activity designed to collect information on defense contract submissions to the Pentagon as well as on manufacturing in Taiwan.
- Companies doing business with the DoD should monitor their networking devices for the presence of HiatusRAT, according to the researchers. The hackers have shown a preference for targeting smaller firms and those supporting Taiwan, in order to gather intelligence. Pentagon officials could not be immediately reached for comment.
Dive Insight:
The activity is consistent with the interests of the People’s Republic of China, the researchers said, citing the 2023 threat assessment from the Office of the Director of National Intelligence.
The latest activity shares some similarities with other recent campaigns, including Volt Typhoon. However, the clusters do not directly overlap and are assessed to involve separate threat actors.
The Volt Typhoon campaign leveraged home office routers, firewalls and VPNs to launch attacks against critical infrastructure. That campaign, originally disclosed in May, was designed to disrupt communications between the U.S. and Asia-Pacific region.
The HiatusRAT campaign disclosed in March involved two malicious binaries, including a remote access trojan and a variant of tcpdump, which enables packet capture on targeted devices, according to Black Lotus Labs. The March campaign abused end-of-life DrayTek Vigor devices.
The new HiatusRAT campaign appeared to be targeting a DoD server that contained information on current and future military contracts, according to researchers.
“Given that the website was associated with contract proposals, we suspect the objective was to obtain publicly available information about military requirements and searching for organizations involved in the Defense Industrial Base, potentially for subsequent targeting,” said Mark Dehus, director of threat intelligence at Lumen Black Lotus Labs.
More than 90% of the inbound connections stemmed from Taiwan and the leveraged appliances were mainly edge devices made by Ruckus, according to researchers.