HiatusRAT active against Taiwan, US.
By Tim Nodar, CyberWire senior staff writer
Aug 22, 2023

The targets now include organizations in Taiwan and at least one US military server.

Researchers at Lumen’s Black Lotus Labs continue to track “HiatusRAT,” a cyberespionage campaign targeting edge networking devices.

A target shift toward Taiwan.

The campaign has shifted its targeting from Latin American and European entities, and is now primarily focused on organizations in Taiwan. Lumen states, “The Taiwanese targeting affected a wide range of organizations from semiconductor and chemical manufacturers and at least one municipal government organization.” The threat actor also targeted a server used by the US military: “Given that this website was associated with contract proposals, we suspect the threat actor could gather publicly available information about military requirements, or search for organizations involved in the Defense Industrial Base (DIB).”

The researchers note, “The shift in information gathering and targeting preference exhibited in the latest campaign is synonymous with the strategic interest of the People’s Republic of China according to the 2023 ODNI threat assessment.”

No panacea, but some sound practices.

Dave Ratner, CEO of HYAS, commented, “There may be no good universal mechanism to clean up edge and IOT-based devices, and bad actors will continue to find new ways to infect and infiltrate. Nevertheless, focusing on the adversary infrastructure -- the command-and-control (C2) structures that are used -- and identifying and blocking the communication with C2 is an important part of a security-in-depth strategy. Organizations who haven't deployed advanced Protective DNS solutions to do just that will find themselves vulnerable time and again.”

(Added, 4:30 PM ET, August 22nd, 2023.) Howard Goodman, Technical Director, Skybox Security, finds the highly specific targeting shown by HiatusRAT interesting, and worthy of attention. “In the most recent deployment of the HiatusRAT malware, malicious entities have strategically pivoted to target servers under the jurisdiction of the U.S. Department of Defense, a notable divergence from their earlier tactics of assaulting business-tier DrayTek Vigor VPN routers employed by medium-scale enterprises for encrypted remote liaisons. As malware strategies increasingly gravitate towards high-caliber institutional targets, it's imperative for cybersecurity contingents to adapt, avoiding perilous brinkmanship. The anxieties permeating the modern cybersecurity leader's mindset can be alleviated by maturing security posture management paradigms. Organizations must fully comprehend the current threat milieu to optimize this transformation's efficacy, including discerning the potential evolution of malware-driven cyber maleficence. In an era marked by the surge of sophisticated cyber threats, a forward-looking and well-informed strategy is indispensable for preserving invaluable datasets and infrastructures.”