June 17, 2024 at 01:02PM
China’s Velvet Ant cyber-espionage group executed a persistent and adaptable campaign to steal data from a large East Asian company. Despite eradication attempts by security researchers at Sygnia, the threat actor maintained footholds within the victim’s network for years. The group utilized legacy and unmonitored systems, deploying malware and backdoors to evade detection.
The campaign was a significant cyber-espionage operation by the Velvet Ant group from China, targeting a large company in East Asia. Despite numerous eradication attempts, the threat actor maintained persistence by infecting numerous legacy and unmonitored systems on the victim’s network. This included the use of PlugX remote access Trojans and Impacket for lateral movement and exploitation of compromised systems.
Sygnia’s investigation revealed that the threat actor had managed to remain undetected within the victim’s environment for approximately three years and demonstrated an ability to swiftly pivot to new footholds upon discovery. Even after security measures to eradicate Velvet Ant and associated artifacts were initiated, the threat actor quickly resurfaced on the victim’s network using previously planted malware on legacy systems.
Furthermore, Sygnia found that Velvet Ant had configured an internal command-and-control (C2) server on a legacy file server and had installed backdoors and malicious binaries on unmonitored F5 BIG-IP load-balancing systems to communicate with compromised hosts. The threat actor also created “strongholds” in different locations on the target organization’s network, aimed at technical reconnaissance at the application and network level.
Sygnia recommends that organizations decommission and replace legacy systems to reduce their exposure to advanced persistent threat (APT) and nation-state actors, which often exploit infrequently monitored legacy network devices and systems to persist. Additionally, it is crucial to ensure that every observed abnormal activity can be explained and verified in a reasonable manner, given the potential for threat actors to be creative in their tactics.