Chinese Threat Actor ‘Velvet Ant’ Evaded Detection for Years in Victim Network
A Chinese threat actor known as “Velvet Ant” used state-sponsored tools and techniques to carry out a cyberespionage campaign while hidden for three years in a network owned by a major enterprise, according to new research.
Sygnia researchers said in a blog post on Monday that the hacking group compromised two legacy F5 BIG-IP appliances running outdated, vulnerable operating systems. The researchers described Velvet Ant as “a sophisticated and innovative threat actor” that evaded detection for years while exploiting various entry points across the victim’s network infrastructure.
“After one foothold was discovered and remediated, the threat actor swiftly pivoted to another, demonstrating agility and adaptability in evading detection,” the researchers said, adding that the incident “highlights the importance of establishing resilient defense strategies against sophisticated threats.”
Velvet Ant achieved “remarkable persistence” by abusing the compromised F5 BIG-IP load balancers to maintain multiple footholds across the network and covertly manipulate network traffic. The researchers did not name the victim organization.
Sygnia, a cyber technology and services company, said it managed to eventually eradicate Velvet Ant from the network. But the firm said the process “resembled a relentless game of cat and mouse,” as the threat actor “resurfaced time and again through the use of dormant persistence mechanisms in unmonitored systems.”
Velvet Ant began its operations by hijacking the execution flow of legitimate software on compromised hosts, according to the researchers, and eventually deployed the PlugX remote access trojan, which has since been widely replaced by its successor, ShadowPad, to gain near-administrative control of infected systems.
The researchers recommend that organizations limit outbound traffic and restrict lateral movement across their networks to avoid a similar attack. Sygnia also said companies should prioritize decommissioning and replacing legacy technology and take steps to mitigate credential harvesting to better protect their systems.
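The two network controls recommended above, limiting outbound traffic and restricting lateral movement, can be checked against flow telemetry. The script below is an added example, not code from Sygnia or from the report discussed in this article: it audits constructed flow records for internal hosts that reach the internet without going through an approved egress proxy, and for internal hosts that open administrative sessions (SSH, SMB, RDP, WinRM) without being designated jump hosts. Every address, port, host role and the record format are assumptions made for illustration.

```python
"""Egress and lateral-movement audit over constructed flow records.

Added example, not Sygnia's code. It checks the two controls the
researchers recommend: internal hosts may reach the internet only through
an approved egress host, and only designated jump hosts may open admin
sessions to other internal hosts. All addresses, ports and roles below
are assumptions chosen for illustration.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed address plan: RFC 1918 space counts as internal.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Assumed policy: the only host allowed to talk to the internet directly.
APPROVED_EGRESS = {ipaddress.ip_address("10.0.0.5")}
# Assumed policy: the only hosts allowed to open admin sessions internally.
JUMP_HOSTS = {ipaddress.ip_address("10.0.1.10")}
# Ports whose internal use signals lateral movement: SSH, SMB, RDP, WinRM.
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}

Finding = Tuple[str, str, str, int]  # (reason, src, dst, dport)


def is_internal(ip: IPAddress) -> bool:
    """True if the address falls inside the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Tuple[IPAddress, IPAddress, int]:
    """Parse one record in the constructed 'src dst dport' format."""
    src, dst, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def audit_flows(lines: Iterable[str]) -> List[Finding]:
    """Return policy violations found in the given flow records."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        src, dst, dport = parse_flow(line)
        if not is_internal(src):
            continue  # inbound traffic is out of scope for this audit
        if not is_internal(dst):
            # Internet-bound: allowed only from the approved egress host.
            if src not in APPROVED_EGRESS:
                findings.append(("direct-egress", str(src), str(dst), dport))
        elif dport in ADMIN_PORTS and src not in JUMP_HOSTS:
            # Internal admin session from a host that is not a jump host.
            findings.append(("lateral-admin", str(src), str(dst), dport))
    return findings


# Constructed sample records (not real telemetry): src dst dport
SAMPLE_FLOWS = """
10.0.0.5   203.0.113.10 443    # egress proxy reaching the internet: allowed
10.0.2.23  203.0.113.77 443    # workstation bypassing the proxy: violation
10.0.1.10  10.0.2.23    3389   # jump host RDP to a workstation: allowed
10.0.2.23  10.0.3.9     445    # workstation SMB to a server: violation
10.0.2.23  10.0.0.5     3128   # workstation to the proxy port: allowed
""".splitlines()


if __name__ == "__main__":
    for reason, src, dst, dport in audit_flows(SAMPLE_FLOWS):
        print(f"{reason}: {src} -> {dst}:{dport}")
```

Run against the constructed sample, the audit reports exactly the two violating records. Internal ranges are listed explicitly rather than relying on `ipaddress`'s `is_private`, because that property also treats documentation and benchmark ranges such as 203.0.113.0/24 as private and would hide the bypassing workstation.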