China’s Soft-Spoken APT Infiltrates Multiyear Espionage Campaign

Researchers have recently exposed a covert cyber-espionage campaign carried out over multiple years by the infamous Velvet Ant hacking group from China. The target of this sophisticated operation was a major company located in East Asia, and the extent of the breach has raised serious concerns within the cybersecurity community.

The remarkable aspect of this campaign lies in the ability of the threat actors to maintain a persistent presence within the victim’s network despite repeated attempts to remove them. Sygnia researchers, who finally managed to expel the threat actors, discovered that Velvet Ant had successfully infiltrated and infected numerous legacy and unmonitored systems within the target organization. This allowed them to quickly pivot to alternative footholds whenever one was discovered and eliminated, showcasing their agility and adaptability in evading detection.

Sygnia’s investigation began in late 2023 when they detected the intrusion at a customer location. It was revealed that Velvet Ant had gained unauthorized access to the victim company’s environment three years prior and had managed to remain undetected by employing various persistence and defense evasion techniques. Despite Sygnia’s initial efforts to eradicate the threat and remove all traces of Velvet Ant from the network, the hackers resurfaced a few days later through malware planted as a contingency plan on legacy systems.

The threat actor had installed the PlugX remote access Trojan on outdated Windows Server 2003 systems, which let them move laterally to more modern Windows systems while bypassing EDR protections and deploying malicious tools. This included leveraging the Impacket toolkit for lateral movement and for executing commands on compromised hosts.

During the subsequent defense measures, the Sygnia team re-imaged compromised systems and decommissioned legacy systems to eradicate the threat. However, Velvet Ant reappeared shortly after, using a hidden internal Command and Control (C2) server on a legacy file server to communicate with infected hosts. This dual deployment strategy allowed the threat actors to exfiltrate sensitive data and maintain persistence within the organization.

Sygnia’s investigation also uncovered that the hackers had installed backdoors on neglected F5 Big-IP load balancers, which were intended for a disaster recovery project that was never completed. These vulnerable systems served as a means for the threat actors to access the internal C2 server and execute targeted attacks on specific servers and workstations.

To achieve their objectives, Velvet Ant established multiple “strongholds” in different network locations, ensuring continuity of operations in case one was compromised. They also tampered with the EDR environment by disabling it and deleting logs remotely to avoid detection. The security vendor recommends that organizations mitigate their exposure to APT and nation-state actors by decommissioning legacy systems, which threat actors frequently target for persistence.

In conclusion, the sophisticated and persistent nature of the Velvet Ant cyber-espionage campaign highlights the need for organizations to remain vigilant and proactive in defending against such advanced threats. By implementing robust security measures and regularly updating systems, businesses can better protect themselves from nation-state actors and other malicious entities lurking in the shadows of cyberspace.