A suspected cyber espionage group linked to China has been identified as responsible for a prolonged attack spanning three years on an undisclosed organization in East Asia. The adversary maintained persistence by exploiting outdated F5 BIG-IP appliances, repurposing them as internal command-and-control servers to avoid detection.
Cybersecurity firm Sygnia, which responded to the breach in late 2023, has dubbed the campaign Velvet Ant, highlighting the group’s sophisticated tactics and their ability to rapidly adapt to evade mitigation efforts. According to Sygnia’s technical report shared with The Hacker News, Velvet Ant systematically gathered sensitive information, particularly focusing on customer and financial data over an extended period.
The attack leveraged PlugX (Korplug), a modular remote access trojan (RAT) commonly utilized by espionage operators with ties to Chinese interests. PlugX relies heavily on DLL side-loading to gain a foothold on devices. Sygnia also observed the threat actor attempting to disable endpoint security software and using open-source tools such as Impacket for lateral movement within the network.
During their investigation, Sygnia uncovered a modified variant of PlugX that utilized an internal file server for command-and-control, blending malicious traffic with legitimate network activities to avoid detection. This variant was deployed alongside another version configured with an external command-and-control server for exfiltration, specifically targeting endpoints with direct internet access. Legacy servers lacking direct internet connectivity were compromised using the second variant, which exploited vulnerabilities in outdated F5 BIG-IP devices to maintain communication with the external server via a reverse SSH tunnel.
Forensic analysis of the compromised F5 devices revealed the presence of various tools, including PMCD for periodic communication with the threat actor’s command-and-control server, network packet capture utilities, and a SOCKS tunneling tool named EarthWorm, previously associated with other espionage groups like Gelsemium and Lucky Mouse.
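The persistence pattern described in the two paragraphs above (an internal file server used as a PlugX relay, and a network appliance opening a reverse SSH tunnel to an external host) can be hunted for in flow records. The example below is added here and is not part of Sygnia's report; the asset inventory, subnets and flow records are constructed, and the appliance and file-server addresses are placeholders.

```python
"""Flow-log hunting heuristics for the Velvet Ant persistence pattern.

Three rules, each keyed to a detail from the report above:
  1. appliance_outbound_ssh        - an F5/load balancer *initiates* SSH to an
                                     external address (reverse SSH tunnel).
  2. internal_to_appliance_odd_port - an internal host talks to the appliance on
                                     a port other than the service it fronts
                                     (tunnel or SOCKS pivot such as EarthWorm).
  3. file_server_odd_port          - an internal host talks to the file server on
                                     a non-file-sharing port (internal C2 relay).
All addresses and flows are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed asset inventory: host -> ports it legitimately serves.
APPLIANCES = {"10.0.1.5": {80, 443}}          # placeholder F5 BIG-IP address
FILE_SERVERS = {"10.0.2.9": {139, 445}}       # placeholder internal file server

# Constructed flow records: (initiator_ip, responder_ip, destination_port).
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.1.5", 443),        # normal client -> load balancer
    ("10.0.1.5", "203.0.113.10", 22),      # appliance opens SSH outbound
    ("10.0.5.21", "10.0.1.5", 2222),       # legacy server -> appliance, odd port
    ("10.0.7.3", "10.0.2.9", 445),         # normal SMB to file server
    ("10.0.7.4", "10.0.2.9", 8080),        # endpoint -> file server, odd port
    ("10.0.7.4", "198.51.100.7", 443),     # ordinary web egress, not flagged
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt(flows):
    """Return (rule, src, dst, dport) tuples for flows matching a rule."""
    alerts = []
    for src, dst, dport in flows:
        if src in APPLIANCES and dport == 22 and not is_internal(dst):
            alerts.append(("appliance_outbound_ssh", src, dst, dport))
        if dst in APPLIANCES and is_internal(src) and dport not in APPLIANCES[dst]:
            alerts.append(("internal_to_appliance_odd_port", src, dst, dport))
        if dst in FILE_SERVERS and is_internal(src) and dport not in FILE_SERVERS[dst]:
            alerts.append(("file_server_odd_port", src, dst, dport))
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_FLOWS):
        print(alert)
```

Rule 1 assumes the appliance never legitimately initiates SSH to the internet; tune the inventory sets to the environment before relying on rules 2 and 3, since management ports will otherwise produce noise.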
The initial method of gaining access remains unclear, whether through spear-phishing or exploiting known vulnerabilities in internet-exposed systems. This incident follows the emergence of several China-linked espionage operations such as Unfading Sea Haze, Operation Diplomatic Specter, and Operation Crimson Palace, all targeting sensitive information across Asia.