Threat actor targeted DOD contracting website

Malware leveraging flaws in edge routers has been spying on military contracting websites, according to research from Lumen's Black Lotus Labs.

Malware leveraging flaws in edge routers has been observed siphoning data from public-facing U.S. military websites, according to a recent blog post from Black Lotus Labs.

The cyber research firm first reported on the malware, dubbed HiatusRAT, in March. The threat group behind it continued its campaign despite the public exposure.

In June, the malware was observed targeting military systems as well as those associated with organizations based in Taiwan. Researchers characterized these efforts as reconnaissance, but HiatusRAT can also be highly invasive, allowing threat actors to monitor targeted machines and networks and to capture router traffic.

While the contracting systems targeted in this recent HiatusRAT campaign are public facing, researchers at Black Lotus Labs theorize that the threat actor is looking to not only capture unclassified documents on defense acquisition but to obtain information on Defense Industrial Base companies that interact with the system, "potentially for subsequent targeting."

The most recent version of the malware dates back to July 2022, according to Black Lotus Labs, and has been observed in Latin America and Europe, in addition to the activity targeting a U.S. military server and Taiwan-based groups.

Black Lotus researchers note that attacks targeting business-grade routers and networking equipment are difficult to combat, in part because "there currently is no universal mechanism to clean up these devices."

The researchers said that the campaign's targets align with the strategic goals of China as articulated in U.S. intelligence community reports, but the blog post stops short of attributing the current campaign to Chinese groups.