Alleged China-based hackers using ‘Cuttlefish’ malware platform to target Turkey
📌Malware Identification and Activity: The malware, identified as Cuttlefish, has been active since at least July 27, 2023, with the latest campaign running from October 2023 to April 2024. It is designed to infiltrate routers and other networking hardware to steal information quietly.
📌Geographical Focus and Victims: The campaign has predominantly affected Turkey, with 99% of the infections occurring within the country. The remaining victims include global satellite phone providers and potentially a U.S.-based data center.
📌Connection to Chinese Operations: Researchers at Black Lotus Labs suggest a link between Cuttlefish and the Chinese government due to significant overlaps with another malware called HiatusRat, which has been used in operations that align with Chinese interests.
📌Method of Operation: Cuttlefish operates by capturing data from users and devices behind the targeted network’s edge, allowing hackers to monitor all traffic through the compromised devices. It targets enterprise-grade small office/home office (SOHO) routers.
📌Data Theft: The malware has been configured to steal keys for cloud-based services such as Alicloud, AWS, Digital Ocean, CloudFlare, and BitBucket. This enables the attackers to access data from cloud resources, which are typically less protected than traditional network perimeters.
📌Detection Challenges: The nature of the attack, occurring over a trusted internal network, makes it particularly difficult to detect. Many security tools focus on external threats, thereby potentially overlooking such internally originated activities.
📌Broader Implications: It highlights the evolving threat landscape where passive eavesdropping and data hijacking techniques are becoming more sophisticated. The specific targeting of cloud-based authentication material is a growing concern that requires enhanced security measures.
Vkontakte
Twitter
Одноклассники
