Alleged China-based hackers using ‘Cuttlefish’ malware platform to target Turkey

Hackers with alleged connections to China are using a malware platform called “Cuttlefish” to target routers and other networking equipment used by organizations in Turkey. 

Researchers from Lumen Technologies’ Black Lotus Labs said the malware has been active since at least July 27, 2023 and the latest campaign of infections ran from October 2023 to April 2024. 

According to their findings, 99% of the infections occurred within Turkey and the handful of non-Turkish victims were associated with global satellite phone providers and a potential U.S.-based datacenter.

Black Lotus Labs believes the campaign is tied to China because of the significant overlaps between Cuttlefish and HiatusRat, a malware family used in operations that align with the interests of the Chinese government. 

“The Cuttlefish malware offers a zero-click approach to capturing data from users and devices behind the targeted network’s edge. Any data sent across network equipment infiltrated by this malware, is potentially exposed,” the researchers said. 

The malware is being used to specifically target “enterprise-grade small office/home office (SOHO) routers” — equipment that continues to be a popular target for nation-state hackers. 

Black Lotus Labs were not able to figure out how the hackers gained initial access to routers, but once inside, they are able to monitor all traffic through the device. 

The malware can be configured to steal specific types of information, and the researchers observed it stealing keys that would allow access to cloud-based services such as Alicloud, AWS, Digital Ocean, CloudFlare and BitBucket. In one investigation, they found the malware had gone undetected for nine months. 

“This caught our attention as many of these services would be used to store data otherwise found within the network. Capturing credentials in transit could allow the threat actors to copy data from cloud resources that do not have the same type of logging or controls in place as traditional network perimeters,” they explained. 

“We suspect this type of attack could be particularly hard to detect as it occurs over a trusted internal network, whereas many security tools are focused on connections occurring to and from the internal network and the internet.”

HiatusRat ties

A comparison Cuttlefish and HiatusRat  found a 77% overlap in how they are  written — indicating that the “same developers were behind both malware families.”

Black Lotus Labs has tracked the use of HiatusRat for years, reporting last year that it was being used to target routers in reconnaissance operations against a U.S. military procurement system and organizations in Taiwan. It was previously tied to attacks on hundreds of organizations in Europe and Latin America. 

The researchers struggled to quantify the size of the Cuttlefish campaign but found that the targeting was “almost exclusively limited to Turkey, there was a wide scale compromise of entities who rely on Turkish infrastructure.” 

Of the entities with infections, there was a Turkey-based airline, satellite service providers and more. 

Black Lotus Labs warned that Cuttlefish is the “latest evolution” in passive eavesdropping malware for edge networking equipment. The ability to eavesdrop and hijack data in the way Cuttlefish does “has seldom been observed.”

The specific targeting of cloud-based authentication material is also a concern defenders will have to prepare for, the researchers explained, noting recent campaigns by Russian hackers and Chinese groups. 

“We suspect that trend is likely going to increase until proper controls and logging are widely configured,” they said.