A cyber espionage actor with links to China has been identified as the perpetrator behind a sustained attack against an undisclosed organization in East Asia, an intrusion that has reportedly spanned approximately three years. This threat actor took advantage of legacy F5 BIG-IP appliances within the target’s infrastructure, using them for command-and-control (C&C) operations to evade detection and maintain persistence within the network.
According to a recent report from cybersecurity firm Sygnia, which responded to the breach in late 2023, the activity has been classified under the moniker “Velvet Ant.” Sygnia describes this actor as highly sophisticated, capable of rapidly adapting their tactics to counter efforts aimed at eradicating their presence. The firm highlighted the extended duration of sensitive information collection focused primarily on customer and financial data.
The attack chains involved the deployment of the PlugX remote access trojan (RAT), also known as Korplug. This well-known backdoor has been extensively used by espionage operators associated with Chinese interests and is notorious for relying on Dynamic Link Library (DLL) side-loading to execute on compromised systems. Notably, Sygnia reported that prior to the installation of PlugX, the threat actor attempted to disable endpoint security measures, and used open-source tools such as Impacket to facilitate lateral movement across the network.
During the incident response, a modified version of PlugX was discovered that used an internal file server for C&C communications. This gave the malicious traffic a layer of camouflage, allowing it to blend in with legitimate internal network activity. This variant operated in tandem with a second version configured to communicate with an external C&C server; that second version was deployed on endpoints with direct internet access and facilitated the exfiltration of sensitive data. The file-server variant, which had no direct external C&C configuration, remained strictly on legacy servers, illustrating a dual approach to maintaining access.
Further forensic investigations into the compromised F5 devices revealed the presence of a tool called PMCD, designed to poll the C&C server for commands every hour. Additionally, the analysis uncovered network packet capture programs and a tunneling utility named EarthWorm that has been previously linked to other Chinese threat actors. Sygnia noted that while they identified the tools used and the network’s compromised state, they lack visibility into the original access vector that permitted the threat actor’s initial entry.
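Hourly polling of the kind attributed to PMCD leaves a regular cadence in firewall or flow logs, which a defender can hunt for. The following is an added example, not code from Sygnia's report: it flags source/destination pairs whose connection timings are nearly periodic, using constructed records in which 10.20.0.5 stands in for a legacy appliance and 203.0.113.10 (a TEST-NET address) for the C&C host.

```python
"""Periodic check-in detector over constructed connection records.

Added example: flags source/destination pairs that connect at a near-constant
interval close to one hour, the pattern an hourly C&C poller would leave in
firewall or NetFlow logs. All hosts and timestamps below are constructed.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed records: (epoch_seconds, src_ip, dst_ip). 10.20.0.5 stands in
# for a legacy appliance; 203.0.113.10 is a TEST-NET address used as the C&C.
T0 = 1_700_000_000
RECORDS = (
    [(T0 + i * 3600 + jitter, "10.20.0.5", "203.0.113.10")
     for i, jitter in enumerate([0, 4, -3, 7, 1, -5, 2, 6])]
    + [(T0 + t, "10.20.0.7", "10.20.1.20")  # irregular legitimate file-server use
       for t in (120, 300, 4500, 4700, 9000, 15000, 15100, 26000)]
    + [(T0 + t, "10.20.0.9", "198.51.100.8") for t in (50, 7000)]  # too few hits
)


def beacon_candidates(records, period=3600, tolerance=0.05, min_hits=6):
    """Return (src, dst, median_interval, cv) for pairs whose inter-connection
    gaps are regular (low coefficient of variation) and centred on `period`.

    tolerance: maximum relative deviation of the median gap from `period`, and
    the maximum coefficient of variation (stdev/mean) of the gaps.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue  # not enough observations to call the pattern periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        cv = pstdev(gaps) / mean(gaps)  # low CV means evenly spaced check-ins
        if abs(med - period) / period <= tolerance and cv <= tolerance:
            hits.append((src, dst, med, round(cv, 4)))
    return hits


if __name__ == "__main__":
    for src, dst, med, cv in beacon_candidates(RECORDS):
        print(f"periodic check-in: {src} -> {dst} every ~{med:.0f}s (cv={cv})")
```

Real deployments would feed the function from exported flow logs and tune `period` and `tolerance` to the poller cadence being hunted; legitimate schedulers (NTP, update checks) will also surface and need allow-listing.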
The emergence of Velvet Ant is part of a broader wave of Chinese-aligned cyber operations, including instances tracked under titles like Unfading Sea Haze and Operation Diplomatic Specter, both of which also target sensitive information within Asian entities. With security vulnerabilities inherent in edge devices such as an F5 BIG-IP, the current incident underscores the risks posed by cyberattackers exploiting such weaknesses to establish long-term footholds within networks.
In terms of MITRE ATT&CK tactics and techniques, initial access may have occurred via exploitation or phishing, followed by persistence maintained through the use of C&C communications over vulnerable infrastructures. Techniques likely involved include lateral movement through tools like Impacket and data exfiltration using the identified versions of PlugX. The complexity of this attack highlights the necessity for businesses to assess their security postures, particularly around legacy systems and exposed edge services that may serve as attack vectors.
