Compromised F5 BIG-IP appliances abused in three-year infiltration

A state-sponsored attacker used compromised F5 load balancers to gain persistence on a target’s network.

Forensic investigators have discovered that cybercriminals used compromised F5 BIG-IP appliances to gain persistence in an on-premises network in an infiltration that lasted about three years.

The investigators believe the criminals, whom they track as “Velvet Ant,” are very sophisticated, state-sponsored, and likely to have ties with China. The goal of the infiltration is thought to have been espionage.

According to the report, the attackers demonstrated intimate knowledge of the target’s network: not only did they manage to stay persistent for three years, they also showed they could switch footholds quickly when the initial one was discovered and remediated.

Velvet Ant’s typical attack method turned out to be DLL hijacking, in several variants. The remote access Trojan (RAT) the attacker used was identified as PlugX, which is surprising since its successor, ShadowPad, has been in use for almost a decade.

The attackers used Impacket’s wmiexec.py and other tools in this open-source collection for lateral movement and to abuse Windows Management Instrumentation (WMI) to execute remote commands.

As the name Windows Management Instrumentation implies, this is a set of tools that manage devices and applications in a Windows environment. This includes (remotely) changing system settings, properties, and permissions. One problem is that disabling WMI is not recommended, because it is also used for system-critical operations, such as Windows Update.
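Because WMI cannot simply be switched off, defenders usually look for the traces that WMI-based remote execution leaves in process-creation telemetry instead. The script below is an added example, not code from the article or from the researchers’ report: it scans constructed process-creation records (the shape of Windows event 4688 or Sysmon event 1, simplified) for a shell spawned by the WMI provider host (WmiPrvSE.exe), and raises the confidence when the command line redirects output to the ADMIN$ share on the loopback address, which is the default way Impacket’s wmiexec.py collects command output. The event layout, host names and command lines are assumptions built for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed layout, not a real log format)."""
    host: str
    parent_image: str
    image: str
    cmdline: str


# Constructed sample events; the first one mimics wmiexec.py's default
# "cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1" pattern.
SAMPLE_EVENTS = [
    ProcessEvent("WS-014", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1718620101.23 2>&1"),
    ProcessEvent("WS-014", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c sc query wuauserv"),
    ProcessEvent("WS-022", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /Q /c dir 1> out.txt 2>&1"),
    ProcessEvent("SRV-02", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe",
                 r"wmic os get caption"),
]

# Output redirected to the ADMIN$ share over loopback, into a file named "__<epoch>".
WMIEXEC_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent):
    """Return 'high', 'medium' or None for one process-creation event.

    Only children of WmiPrvSE.exe are of interest. A shell child is already
    unusual on most hosts (medium); a shell child whose output goes to
    \\127.0.0.1\ADMIN$\__<epoch> matches wmiexec.py's default (high).
    """
    if basename(ev.parent_image) != "wmiprvse.exe":
        return None
    if basename(ev.image) not in SHELLS:
        return None  # e.g. WMIC.exe under WmiPrvSE.exe is routine administration
    if WMIEXEC_REDIRECT.search(ev.cmdline):
        return "high"
    return "medium"


def scan(events):
    """Return (host, severity, cmdline) for every event that classify() flags."""
    findings = []
    for ev in events:
        severity = classify(ev)
        if severity:
            findings.append((ev.host, severity, ev.cmdline))
    return findings


if __name__ == "__main__":
    for host, severity, cmdline in scan(SAMPLE_EVENTS):
        print(f"{severity:6} {host}: {cmdline}")
```

The medium tier deliberately fires on any shell under WmiPrvSE.exe, since an attacker can change the redirect target; tune it against a baseline of which hosts legitimately run scripts through WMI before alerting on it.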

After extensive work to eradicate Velvet Ant’s presence from the network, the attackers showed their skills: several days later, PlugX was deployed again on newly infected systems. To evade detection, the new version used a local server to channel Command and Control (C2) chatter, making it look like legitimate network traffic.

The researchers traced the new infections back to an F5 load balancer that was not supposed to be operational in the production network.

The BIG-IP platform by F5 is a family of products covering software and hardware designed around application availability, access control, and security solutions. It is used for various applications like load balancing and application delivery.

This case demonstrates once more how important it is to have a clear understanding of your network infrastructure and the appliances that are in use. Having a baseline for what is normal behavior in your environment is a necessity to make monitoring much more effective.
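One concrete form of that baseline is an asset inventory that records which appliances are allowed to be live, checked against what is actually answering on the network. The script below is an added example, not code from the article or from the researchers’ report: it parses constructed ARP-table-style lines, looks each MAC address up in a constructed inventory, and flags both devices that are not in the inventory at all and devices the inventory marks as decommissioned but which are still present, which is the situation with the load balancer described above. The inventory entries, MAC addresses and IP ranges are assumptions built for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One inventory record (constructed layout)."""
    mac: str
    name: str
    status: str  # "production" or "decommissioned"


# Constructed inventory; MAC addresses are locally administered placeholders.
INVENTORY = {
    "02:00:00:aa:bb:01": Asset("02:00:00:aa:bb:01", "bigip-prod-1", "production"),
    "02:00:00:aa:bb:02": Asset("02:00:00:aa:bb:02", "bigip-old-2", "decommissioned"),
    "02:00:00:cc:dd:01": Asset("02:00:00:cc:dd:01", "dc-01", "production"),
}

# Constructed ARP-table dump: "<ip> <mac> <vlan>" per line.
ARP_LINES = """\
10.10.1.5  02:00:00:aa:bb:01 vlan10
10.10.1.9  02:00:00:aa:bb:02 vlan10
10.10.2.3  02:00:00:cc:dd:01 vlan20
10.10.1.77 02:00:00:ee:ff:09 vlan10
"""


def parse_arp(text: str):
    """Yield (ip, mac, vlan) tuples from ARP-style lines, skipping blanks."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed or empty lines
        ip, mac, vlan = parts
        rows.append((ip, mac.lower(), vlan))
    return rows


def audit(observed, inventory):
    """Compare observed devices with the inventory.

    Returns a list of (finding, ip, detail) where finding is
    'unknown-device' (MAC not in inventory) or
    'decommissioned-active' (inventory says it should be off, but it answers).
    """
    findings = []
    for ip, mac, vlan in observed:
        asset = inventory.get(mac)
        if asset is None:
            findings.append(("unknown-device", ip, f"{mac} on {vlan}"))
        elif asset.status != "production":
            findings.append(("decommissioned-active", ip, asset.name))
    return findings


if __name__ == "__main__":
    for finding, ip, detail in audit(parse_arp(ARP_LINES), INVENTORY):
        print(f"{finding:22} {ip:12} {detail}")
```

Run periodically against real ARP or DHCP data, the second finding type is the one that would have surfaced a load balancer that was supposed to be out of service; the first catches devices that never made it into the inventory in the first place.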

A complete list of Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) can be found in the researchers’ blog.