Prolonged Cyber Espionage by Chinese-Linked Actors Exploiting Legacy Network Systems

Threat activity by a persistent and resilient state-sponsored actor, tracked as 'Velvet Ant' and linked to Chinese cyber operations, was unveiled through a forensic investigation conducted and reported by Sygnia. The intrusion, which occurred in late 2023, impacted "a large organization." Sygnia's findings highlight the actor's use of malware tools like ShadowPad and PlugX, commonly associated with Chinese-sponsored groups. The report cautions, however, that while these indicators suggest a Chinese nexus, definitive attribution remains challenging due to the potential for false-flag operations. Velvet Ant's campaign aimed to maintain prolonged access for espionage purposes. During this intrusion, the threat actors demonstrated a deep understanding of the targeted network, managing to remain dormant and maintain access for approximately three years. Their prolonged presence in the network was evident in their ability to persist on unsecured devices, particularly an exposed F5 BIG-IP appliance that also served as part of an internal command and control (C2) setup to blend their communications. "Despite Sygnia’s diligent efforts to remediate compromised systems and enhance visibility into hosts and network devices, the threat actor resurfaced time and again through the use of dormant persistence mechanisms in unmonitored systems," reports the Sygnia Team.

Velvet Ant's intrusion began with the deployment of PlugX, which involved dropping an executable and DLL files for search order hijacking. Sygnia notes that techniques such as "hijack execution flow, by leveraging different methods such as DLL search order hijacking, Phantom DLL loading, and DLL side loading," were prominent throughout the intrusion. Once installed, the executable spawned several instances of the "svchost" process into which code was injected. One svchost process chain created a new inbound firewall rule named "Network Discovery (SSDP-In)" to allow TCP traffic on local port 13742; while not used for C2, the rule was necessary for maintaining unauthorized network access. Their activities also included efforts to evade security defenses by disabling endpoint protection, and attempts to move laterally through the use of Impacket's wmiexec.py and native Windows Management Instrumentation (WMI) to execute remote commands. The technical proficiency of Velvet Ant operators is demonstrated by their exploitation of F5 BIG-IP appliances and their use of two versions of PlugX malware to maintain persistence within the targeted network. The F5 appliances, which were outdated and not covered by endpoint detection and response (EDR) tooling, proved highly vulnerable, enabling Velvet Ant to establish a command and control (C2) channel disguised as normal network traffic.
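The firewall rule described above borrows the name of a built-in Windows rule but allows a different protocol and port. The following detection logic is an added example (not code from Sygnia or Anvilogic): it parses constructed rule listings in the style of `netsh advfirewall firewall show rule` output and flags rules whose name matches a known built-in entry but whose protocol or local port deviates from that entry's expected values; the `BUILTIN_BASELINE` table is an assumed defender-maintained baseline.

```python
import re
from dataclasses import dataclass

# Assumed defender-maintained baseline of built-in rule names and the
# protocol/port they are expected to allow. Only the entry relevant to the
# report is included; a real baseline would cover all built-in rules.
BUILTIN_BASELINE = {
    "Network Discovery (SSDP-In)": {"protocol": "UDP", "local_port": "1900"},
}

@dataclass
class FirewallRule:
    name: str
    direction: str
    action: str
    protocol: str
    local_port: str

# Constructed sample in the style of netsh rule output: the first block is the
# genuine SSDP rule, the second reuses its name for TCP 13742 as in the report.
SAMPLE_RULES = """\
Rule Name:   Network Discovery (SSDP-In)
Direction:   In
Action:      Allow
Protocol:    UDP
LocalPort:   1900

Rule Name:   Network Discovery (SSDP-In)
Direction:   In
Action:      Allow
Protocol:    TCP
LocalPort:   13742
"""

def parse_rules(text: str) -> list[FirewallRule]:
    """Split the listing into blank-line separated blocks of 'Key: value' lines."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        rules.append(FirewallRule(fields["Rule Name"], fields["Direction"],
                                  fields["Action"], fields["Protocol"],
                                  fields["LocalPort"]))
    return rules

def find_masquerading_rules(rules: list[FirewallRule]) -> list[FirewallRule]:
    """Return Allow rules that reuse a built-in name with a different protocol/port."""
    hits = []
    for r in rules:
        expected = BUILTIN_BASELINE.get(r.name)
        if expected is None or r.action != "Allow":
            continue  # unknown name or non-Allow rule: out of scope for this check
        if (r.protocol, r.local_port) != (expected["protocol"], expected["local_port"]):
            hits.append(r)
    return hits
```

The same comparison can be applied to Windows Security event 4946 (rule added) fields to alert at the moment a look-alike rule is created rather than on a periodic audit.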

According to Sygnia, "F5 BIG-IP appliances occupy a trusted position within the network architecture, often placed at the perimeter or between different network segments. By compromising such a device, attackers can exert significant control over network traffic without arousing suspicion." The compromised F5 BIG-IP appliances, responsible for services such as firewall, WAF, load balancing, and local traffic management, facilitated internal control by allowing threat actors to execute commands and maintain unauthorized access through a reverse SSH tunnel from a second version of PlugX. This version of PlugX, deployed on legacy servers without a C2 configuration, was particularly designed to avoid detection. "Forensic investigation of the appliances revealed a reverse SSH tunnel connection to the same C&C IP address that was previously blocked on the corporate firewalls during the eradication efforts. Since the appliances were not located behind the main corporate firewall, the traffic was not blocked," explains Sygnia. Utilizing tools such as Impacket’s WmiExec, the attackers effectively pivoted within the network, manipulating Admin$ and C$ shares over SMB and executing remote commands, as observed by Sygnia: "the active network connections on the F5, an established connection was observed between the appliance and the file server, on the port PlugX was listening on."

Given the proficiency and complex nature of Velvet Ant's tactics, Sygnia recommends various defense strategies in light of the insights gained from this intrusion. Organizations should focus on limiting outbound internet traffic, controlling lateral movement within networks, specifically monitoring critical ports, enhancing the security of legacy systems, and monitoring processes such as LSASS to prevent tampering.