Connect with us

Hi, what are you looking for?



US Military Targeted in Recent HiatusRAT Attack

The threat actor behind HiatusRAT was seen performing reconnaissance against a US military procurement system in June 2023.

A recent HiatusRAT campaign has been targeting a US military procurement system for reconnaissance, cybersecurity firm Lumen reports.

Initially observed at the beginning of the year, HiatusRAT has been targeting high-bandwidth routers typically used by medium-sized businesses, allowing attackers to run commands, exfiltrate data, and establish a covert proxy network.

Active since at least June 2022, the threat had been targeting organizations in Europe and Latin America, with at least 100 victims identified by March 2023.

Following initial reporting on HiatusRAT, the threat actor changed tactics and, in attacks observed in June 2023, shifted focus to performing reconnaissance against a US military procurement system and to targeting Taiwan-based organizations.

According to a new Lumen report, the adversary continued the operation unhindered by the public exposure and recompiled their malware binaries for new architectures – including Arm, Intel 80386, and x86-64 – hosting them on newly procured virtual private servers (VPSs).

One of these VPSs was used almost exclusively in attacks targeting Taiwanese entities, including a municipal government organization and various commercial firms, including semiconductor and chemical manufacturers.

Lumen also identified a different VPS node being used to transfer data with a server that the US Department of Defense uses for contract proposals and submissions.

Advertisement. Scroll to continue reading.

“Given that this website was associated with contract proposals, we suspect the threat actor could gather publicly available information about military requirements, or search for organizations involved in the Defense Industrial Base (DIB),” Lumen notes.

Newly observed malware samples used the same heartbeat and upload server for communication as previous binaries. Starting this month, the threat actor has been hosting the payload on a previously identified VPS.

An analysis of the communication with the malware’s server revealed that more than 91% of the inbound connections came from Taiwan, mainly from Ruckus-manufactured edge devices.

According to Lumen, the observed HiatusRAT activity does not appear to overlap with known threat actors, although the recent shift in targeting aligns with “recent reporting of Chinese-oriented operations against US based entities”.

“We suspect the HiatusRAT cluster serves as another example of tradecraft that could be applied against the US Defense Industrial Base with a sense of impunity. We recommend defense contractors exercise caution and monitor their networking devices for the presence of HiatusRAT,” Lumen notes.

Related: US Military Personnel Receiving Unsolicited, Suspicious Smartwatches

Related: Possible Chinese Malware in US Systems a ‘Ticking Time Bomb’: Report

Related: Industrial Organizations in Eastern Europe Targeted by Chinese Cyberspies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...