
Researchers Uncover Chinese Hacking Cyberespionage Campaign

Chinese Threat Actor 'Velvet Ant' Evaded Detection for Years in Victim Network

A Chinese threat actor known as "Velvet Ant" used state-sponsored tools and techniques to carry out a cyberespionage campaign while hidden for three years in a network owned by a major enterprise, according to new research.


Sygnia researchers in a blog post on Monday said the hacking group exploited two legacy F5 BIG-IP devices that were running vulnerable operating systems. The researchers described Velvet Ant as "a sophisticated and innovative threat actor" that evaded detection for years while exploiting various entry points across the victim's network infrastructure.

"After one foothold was discovered and remediated, the threat actor swiftly pivoted to another, demonstrating agility and adaptability in evading detection," the researchers said, adding that the incident "highlights the importance of establishing resilient defense strategies against sophisticated threats."

Velvet Ant achieved "remarkable persistence" by exploiting the F5 BIG-IP load balancer to gain multiple footholds across the network and covertly manipulate network traffic. The researchers did not name the victim organization.

Sygnia, a cyber technology and services company, said it managed to eventually eradicate Velvet Ant from the network. But the firm said the process "resembled a relentless game of cat and mouse," as the threat actor "resurfaced time and again through the use of dormant persistence mechanisms in unmonitored systems."

Velvet Ant began its operations with a focus on hijacking execution flow, according to the researchers, and it eventually used a tool called PlugX - which has since been widely replaced by its successor, ShadowPad - to gain near-administrative capabilities on infected systems.

Researchers recommend that organizations limit outbound traffic and lateral movement throughout their networks to avoid facing a similar attack. Sygnia also said companies should prioritize decommissioning and replacing legacy technology and mitigate credential harvesting to better protect systems.

About the Author

Chris Riotta


Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.
