China-Linked Hackers Infiltrate East Asian Firm for 3 Years Using F5 Devices

A suspected cyber espionage group linked to China has been identified as responsible for a prolonged attack spanning three years on an undisclosed organization in East Asia. The adversary maintained persistence by exploiting outdated F5 BIG-IP appliances, repurposing them as internal command-and-control servers to avoid detection.

Cybersecurity firm Sygnia, which responded to the breach in late 2023, tracks the threat actor as Velvet Ant, noting the group's sophisticated tradecraft and its ability to rapidly adapt to evade mitigation efforts. According to Sygnia's technical report shared with The Hacker News, Velvet Ant systematically gathered sensitive information, focusing in particular on customer and financial data, over an extended period.

The attack leveraged PlugX (Korplug), a modular remote access trojan (RAT) commonly used by espionage operators with ties to Chinese interests. PlugX relies heavily on DLL side-loading, in which a legitimate signed executable is made to load a malicious DLL placed alongside it, to get the payload running under a trusted process name. Sygnia also observed the threat actor attempting to disable endpoint security software before deploying the malware, and using open-source tools such as Impacket for lateral movement within the network.

During the investigation, Sygnia uncovered a modified variant of PlugX that used an internal file server for command-and-control, blending malicious traffic with legitimate network activity to avoid detection. This variant was deployed alongside a second version configured with an external command-and-control server, which was reserved for endpoints with direct internet access. Legacy servers lacking direct internet connectivity ran the internal file-server variant; to get that traffic out, the attackers compromised outdated F5 BIG-IP devices through known vulnerabilities and used them to maintain communication with the external server over a reverse SSH tunnel.

Forensic analysis of the compromised F5 devices revealed the presence of various tools, including PMCD for periodic communication with the threat actor’s command-and-control server, network packet capture utilities, and a SOCKS tunneling tool named EarthWorm, previously associated with other espionage groups like Gelsemium and Lucky Mouse.
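The two behaviours described above, an appliance opening SSH outbound to the internet and a tool polling its C2 server on a fixed schedule, are both visible in flow or firewall logs if anyone looks. The following detection script is an added example written for this article; it is not code from Sygnia's report or from the threat actor's toolset. It assumes a simple whitespace-separated flow-log format, a hypothetical appliance self-IP of 10.20.1.5, and a constructed set of flow records in which the external addresses are RFC 5737 documentation ranges standing in for real attacker infrastructure.

```python
"""Added example (not from Sygnia's report): flag outbound SSH from a
BIG-IP appliance to external addresses, and find fixed-interval beaconing
such as the hourly C2 check-in described in the article.
All log lines below are constructed for this example."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed flow records: timestamp, src, dst, dst port, protocol.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737)
# used here as placeholders for external addresses.
SAMPLE_FLOWS = """\
2023-11-02T00:03:11Z 10.20.1.5 203.0.113.40 22 tcp
2023-11-02T00:15:44Z 10.20.1.5 10.20.2.9 443 tcp
2023-11-02T01:03:09Z 10.20.1.5 203.0.113.40 22 tcp
2023-11-02T01:40:02Z 10.20.3.77 10.20.2.9 445 tcp
2023-11-02T02:03:12Z 10.20.1.5 203.0.113.40 22 tcp
2023-11-02T03:03:10Z 10.20.1.5 203.0.113.40 22 tcp
2023-11-02T03:21:55Z 10.20.3.77 198.51.100.7 443 tcp
2023-11-02T04:03:11Z 10.20.1.5 203.0.113.40 22 tcp
"""

# Assumed self-IPs of the BIG-IP devices (hypothetical value).
APPLIANCE_IPS = {"10.20.1.5"}

# RFC 1918 ranges; checked explicitly rather than via ip_address.is_private,
# which also classifies the RFC 5737 documentation ranges as private.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_internal(addr):
    """True if addr falls inside an RFC 1918 range."""
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_flows(text):
    """Parse flow lines into (datetime, src, dst, port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, proto = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      src, dst, int(port), proto))
    return flows


def external_ssh_from_appliance(flows, appliance_ips=APPLIANCE_IPS):
    """Flows where an appliance initiates TCP/22 to a non-RFC1918 address.
    A load balancer has no legitimate reason to open SSH out to the internet,
    so each hit is a candidate reverse SSH tunnel."""
    return [f for f in flows
            if f[1] in appliance_ips and f[3] == 22 and f[4] == "tcp"
            and not is_internal(f[2])]


def periodic_beacons(flows, min_count=4, max_jitter_ratio=0.05):
    """Group flows by (src, dst, port) and report groups whose inter-arrival
    times are nearly constant. Returns {key: mean interval in seconds}.
    A coefficient of variation below max_jitter_ratio marks a machine-driven
    schedule rather than human-driven traffic."""
    groups = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        groups[(src, dst, port)].append(ts)
    hits = {}
    for key, times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            hits[key] = round(avg)
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in external_ssh_from_appliance(flows):
        print("appliance SSH egress:", f[0].isoformat(), f[1], "->", f[2])
    for key, interval in periodic_beacons(flows).items():
        print("periodic beacon:", key, "every", interval, "s")
```

On the constructed data the script reports five SSH egress flows from the appliance and one beacon group with a 3600-second interval. Against real logs, tune `min_count` to the retention window and `max_jitter_ratio` to the observed jitter of legitimate schedulers, and treat the appliance hit list as the higher-fidelity signal: periodicity alone also matches monitoring agents and update checks.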

The initial method of gaining access remains unclear, whether through spear-phishing or exploiting known vulnerabilities in internet-exposed systems. This incident follows the emergence of several China-linked espionage operations such as Unfading Sea Haze, Operation Diplomatic Specter, and Operation Crimson Palace, all targeting sensitive information across Asia.
