Chinese state-sponsored hackers tracked as Velvet Ant infiltrated a major organization's isolated critical infrastructure network and carried out espionage there for roughly ten years, ultimately taking control of the hosts' authentication layer so that every login and every command run over SSH was visible to them.
Sygnia, which uncovered the intrusion, calls it "Operation Highland." The attackers first exploited exposed, internet-connected systems and then worked their way into an internal network with no outward-facing connectivity.

According to Sygnia's analysts, the campaign started in 2016. The initial targets were internet-accessible systems; from there the attackers advanced into an air-gapped network with no direct route to the wider internet. As the sections below show, "air-gapped" here means no routed path to the internet, not physical isolation: the network was reached by chaining compromised hosts.
Velvet Ant's patience was already on record: a 2024 Sygnia report described a stealthy operation against F5 BIG-IP appliances that went unnoticed for three years.
Also in 2024, Cisco warned of a previously unknown zero-day flaw in the NX-OS software that runs its Nexus switches (CVE-2024-20399), which Velvet Ant was actively exploiting to breach targets.
Velvet Ant’s Step-by-Step Attack Process
The initial phase involved breaching servers directly exposed to the internet; Sygnia does not specify which software or vulnerabilities were exploited.
On those servers Velvet Ant deployed a modified build of the GS-Netcat (gsocket) reverse shell, disguised as a normal system file, which connected back to a predefined relay command-and-control domain and gave the operators encrypted remote access.
Persistence was achieved either by planting a rogue systemd service or by editing the system's startup scripts.

Source: Sygnia
Next, Velvet Ant installed a custom SOCKS5 proxy on compromised hosts to tunnel traffic internally, giving it reach to machines that were not exposed to the internet.
The proxy masqueraded as 'smbd -D' (the Samba daemon's normal command line) and used a different file name and listening port on every host, turning compromised machines into relay nodes. A process name and argv are trivially spoofable; what cannot be faked as easily is where the executable actually lives and which ports it listens on.
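Checking for that kind of impostor is a matter of comparing what a process claims to be with what the kernel knows about it. The script below is an added example and not Sygnia's code: it compares argv[0] against the on-disk executable behind /proc/PID/exe and against the ports the genuine daemon would listen on. The expected executable paths, the daemon port table and the process snapshot at the bottom are constructed assumptions for illustration; the `snapshot()` helper collects the same records from a live Linux host.

```python
"""Spot processes whose command line impersonates a system daemon.

Added example (not Sygnia's code). The daemon table and the sample
process records are constructed assumptions; adjust paths per distro.
"""
import os
from dataclasses import dataclass, field

# Where the genuine daemon binaries live and which ports they own.
# Assumption: common Debian/RHEL layouts; extend for your estate.
KNOWN_DAEMONS = {
    "smbd":  {"exe": {"/usr/sbin/smbd"},  "ports": {139, 445}},
    "sshd":  {"exe": {"/usr/sbin/sshd"},  "ports": {22}},
    "nginx": {"exe": {"/usr/sbin/nginx"}, "ports": {80, 443}},
}


@dataclass
class Proc:
    pid: int
    cmdline: list                 # argv as read from /proc/<pid>/cmdline
    exe: str                      # readlink(/proc/<pid>/exe); may end in " (deleted)"
    listen_ports: set = field(default_factory=set)


def check(proc):
    """Return the reasons this process looks like an impostor; [] if it looks clean."""
    if not proc.cmdline:
        return []                                   # kernel thread, nothing to compare
    claimed = os.path.basename(proc.cmdline[0])
    spec = KNOWN_DAEMONS.get(claimed)
    if spec is None:
        return []                                   # not a daemon we model
    reasons = []
    real_exe = proc.exe.replace(" (deleted)", "")
    if real_exe not in spec["exe"]:
        reasons.append(f"argv[0] claims {claimed!r} but exe is {proc.exe!r}")
    if proc.exe.endswith(" (deleted)"):
        reasons.append("executable was unlinked after start")
    odd_ports = proc.listen_ports - spec["ports"]
    if odd_ports:
        reasons.append(f"listens on unexpected ports {sorted(odd_ports)}")
    return reasons


def scan(procs):
    """Map pid -> reasons for every suspicious process in the snapshot."""
    findings = {}
    for p in procs:
        reasons = check(p)
        if reasons:
            findings[p.pid] = reasons
    return findings


def _listening_inodes():
    """Map socket inode -> local port for TCP sockets in LISTEN (state 0A)."""
    result = {}
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(table) as fh:
                next(fh)                                        # skip header
                for line in fh:
                    f = line.split()                            # f[1]=local addr, f[3]=state, f[9]=inode
                    if f[3] == "0A":
                        result[f[9]] = int(f[1].rsplit(":", 1)[1], 16)
        except OSError:
            pass
    return result


def snapshot():
    """Collect Proc records from a live /proc (Linux; run as root for full coverage)."""
    inodes = _listening_inodes()
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/cmdline", "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            exe = os.readlink(f"{base}/exe")
            ports = set()
            for fd in os.listdir(f"{base}/fd"):
                try:
                    target = os.readlink(f"{base}/fd/{fd}")
                except OSError:
                    continue                                    # fd closed under us
                if target.startswith("socket:[") and target[8:-1] in inodes:
                    ports.add(inodes[target[8:-1]])
        except OSError:
            continue                                            # process exited or no permission
        procs.append(Proc(int(pid), argv, exe, ports))
    return procs


# Constructed snapshot: a real Samba, the disguised proxy, and a real sshd.
SAMPLE = [
    Proc(812,  ["/usr/sbin/smbd", "--foreground", "--no-process-group"], "/usr/sbin/smbd", {139, 445}),
    Proc(1337, ["smbd", "-D"], "/var/tmp/.cache/kworker0", {41927}),
    Proc(2201, ["/usr/sbin/sshd", "-D"], "/usr/sbin/sshd", {22}),
]

if __name__ == "__main__":
    procs = snapshot() if os.path.isdir("/proc/self") else SAMPLE
    for pid, reasons in scan(procs or SAMPLE).items():
        print(pid, *reasons, sep="\n  ")
```

On a real host, run it as root so /proc/PID/exe and the fd tables of other users' processes are readable; unprivileged runs silently skip those processes. A proxy that execs from a deleted or unusual path, or that "smbd" binding a high random port, is exactly the Velvet Ant pattern, but treat the table of expected paths as a starting point rather than an allow-list.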

Source: Sygnia
The most notable aspect of the attack was the creation of a remote command-execution pathway into the isolated network.
To make this possible, Velvet Ant altered the Nginx configuration on an internet-facing server so that specially structured HTTP requests were forwarded to a compromised backend application server.
The backend server was reconfigured in turn so that those requests were handed to a FastCGI process (fcgiwrap) listening on a designated port. fcgiwrap's job is to execute whatever program the request's SCRIPT_FILENAME parameter names, which is what made it usable as a bridge.
That bridge ran a custom program called 'uptime.'
The 'uptime' binary then opened SSH connections to machines inside the secured infrastructure zone, using credentials carried in the body of each incoming HTTP POST request, so nothing sensitive had to be stored on the relay host.
“By linking these configuration changes, Velvet Ant constructed a remote-execution channel into the isolated environment through straightforward HTTP requests, completely eliminating the need for any direct connection to the restricted network.” – Sygnia
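What makes this chain hard to see is that every piece is an ordinary directive. The auditor below is an added example, not Sygnia's or Velvet Ant's code: it parses an nginx configuration and reports any `fastcgi_pass` whose effective `SCRIPT_FILENAME` either points outside an allow-listed web root or is a fixed path with no request variable in it (meaning every request executes the same program, which is the fcgiwrap-to-binary shape described above). The sample configuration, the allowed roots, the port 9123 and the path /usr/local/sbin/uptime are all constructed assumptions.

```python
"""Audit an nginx config for FastCGI-to-binary execution bridges.

Added example (not Sygnia's code). The configuration text, allowed web
roots and backend addresses below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Assumption: scripts served via FastCGI should live under one of these.
ALLOWED_SCRIPT_ROOTS = ("/var/www/", "/srv/www/", "/usr/share/nginx/")

# Constructed sample: one legitimate PHP location and one planted bridge.
SAMPLE_CONFIG = """
http {
    server {
        listen 80;
        location /static/ { root /var/www/site; }
        location /php/ {
            include fastcgi_params;
            fastcgi_pass unix:/run/php/php-fpm.sock;
            fastcgi_param SCRIPT_FILENAME /var/www/site$fastcgi_script_name;
        }
        # Planted: HTTP -> fcgiwrap on 9123 -> a fixed binary, for every request
        location /api/v2/health {
            fastcgi_pass 127.0.0.1:9123;
            fastcgi_param SCRIPT_FILENAME /usr/local/sbin/uptime;
            include fastcgi_params;
        }
    }
}
"""

# Tokens: quoted strings, the three punctuation characters, or bare words.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def tokenize(text):
    """Split nginx config text into tokens, dropping '#' comments.

    Simplification: a '#' inside a quoted string is treated as a comment.
    """
    tokens = []
    for line in text.splitlines():
        tokens.extend(TOKEN_RE.findall(line.split("#", 1)[0]))
    return tokens


@dataclass
class Block:
    name: str                                   # e.g. "location /api/v2/health"
    directives: list = field(default_factory=list)   # (name, [args])
    children: list = field(default_factory=list)


def parse(tokens):
    """Build the block tree; '{' opens a child block, ';' ends a directive."""
    root = Block("root")
    stack, current = [root], []
    for tok in tokens:
        if tok == "{":
            blk = Block(" ".join(current))
            stack[-1].children.append(blk)
            stack.append(blk)
            current = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if current:
                stack[-1].directives.append((current[0], current[1:]))
            current = []
        else:
            current.append(tok.strip("\"'"))
    return root


def audit(config_text, allowed_roots=ALLOWED_SCRIPT_ROOTS):
    """Return findings for every fastcgi_pass with a suspicious SCRIPT_FILENAME.

    fastcgi_param values are merged down the block tree. (Real nginx only
    inherits them when the current level sets none; merging is a superset.)
    """
    findings = []

    def visit(block, inherited):
        params = dict(inherited)
        for name, args in block.directives:
            if name == "fastcgi_param" and len(args) >= 2:
                params[args[0]] = args[1]
        for name, args in block.directives:
            if name == "fastcgi_pass" and args:
                script = params.get("SCRIPT_FILENAME", "")
                reasons = []
                if not script.startswith(allowed_roots):
                    reasons.append("SCRIPT_FILENAME outside allowed web roots")
                if "$" not in script:
                    reasons.append("static SCRIPT_FILENAME: every request runs the same program")
                if reasons:
                    findings.append({"location": block.name, "backend": args[0],
                                     "script": script, "reasons": reasons})
        for child in block.children:
            visit(child, params)

    visit(parse(tokenize(config_text)), {})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['location']}: fastcgi_pass {f['backend']} -> {f['script']}")
        for r in f["reasons"]:
            print("   ", r)
```

Run it over the output of `nginx -T`, which dumps the fully included configuration, rather than over individual files, so that directives pulled in via `include` are covered. A static SCRIPT_FILENAME is not malicious by itself (some single-script front controllers look like this), so the finding is a review queue, not a verdict; the pairing of a static script outside the web root with a non-standard TCP backend is what should be escalated.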
With access to the isolated network secured, Velvet Ant concentrated on enduring persistence and credential theft by tampering with Linux Pluggable Authentication Modules (PAM), the core component that governs how users are verified.
The attackers replaced the genuine 'pam_unix.so' module with trojanized builds that accepted a secret hardcoded password in addition to the real one and recorded the passwords that legitimate users typed.
Sygnia identified nine separate builds of the tampered module, each produced with a different toolchain, which points to a long-running development effort by a well-resourced adversary.
Among these variants, two stood out: one designed purely as a backdoor and another focused on harvesting credentials.
The group also replaced key OpenSSH binaries, including ssh, sshd and scp, with modified versions that silently captured the passwords passing through them, recorded the commands typed during SSH sessions, and wrote the stolen data to local files for later collection.
According to Sygnia, by taking control of the authentication layer through PAM and OpenSSH modifications, the hackers gained real-time access to every credential as it was used, effectively bypassing standard security checks.
“Every login and every executed command across compromised systems became visible to them. Their foothold was no longer tied to a single entry point but woven into the very fabric of the authentication process,” the analysts noted.
This approach ensured the attackers maintained access even after passwords were changed or sessions were closed, significantly undermining typical containment efforts.
Difficult Remediation Process
Sygnia reported that even after detection, purging Velvet Ant from the affected systems proved exceptionally challenging.
Due to the sheer number of critical system files replaced by the attackers, any forced removal risked disrupting legitimate authentication, locking out authorized staff, and triggering service outages.
To address this challenge, the team established a controlled lab environment to safely test each binary replacement, profile affected hosts, verify results, and develop contingency rollback plans before initiating the cleanup.
Security teams are urged to treat core authentication components such as PAM, OpenSSH and Windows LSASS as high-value assets: protect them with endpoint detection and response (EDR), file-integrity checks against a trusted baseline (package-manager verification such as rpm -V or dpkg -V is a cheap first pass, but a tampered host can also tamper with the verifier, so compare against vendor hashes or a known-good host), strict privileged-account controls, multi-factor authentication (MFA), and continuous monitoring for unexpected changes.
Organizations must also prepare for offline recovery by maintaining regular, automated backups with immutable snapshots stored separately.
Any recovery effort should include thorough validation of backups and recovery hosts running verified operating systems, alongside tested restoration scripts.
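The PAM and OpenSSH substitutions described above, and the file-integrity recommendation, both come down to one question: do the authentication binaries on disk still match what the vendor shipped? The script below is an added example, not Sygnia's code. It runs the host's package verifier (`rpm -V` or `dpkg -V`) where one exists, parses the verify output, and singles out discrepancies on the authentication path; it can also compare files against SHA-256 digests supplied from a trusted source. The sample verify output is constructed, the package names follow common RHEL and Debian naming, and the component regex is an assumption to extend for your environment.

```python
"""Verify authentication-path binaries against package metadata.

Added example (not Sygnia's code). The sample verify output is
constructed; package names and paths are assumptions for RHEL/Debian.
"""
import hashlib
import re
import shutil
import subprocess

# Files whose replacement hands an attacker every credential. Assumption: extend as needed.
AUTH_COMPONENTS = re.compile(
    r"(/security/pam_[a-z_]+\.so$|/s?bin/(ssh|sshd|scp|sftp|sudo|su|login)$|/libpam\.so)"
)

# rpm -V and dpkg -V print a 9-character attribute field (S size, M mode,
# 5 digest, D device, L link, U user, G group, T mtime, P caps; '.' passed,
# '?' untested), an optional type marker (c = config file), then the path.
VERIFY_LINE = re.compile(r"^(?P<flags>[SM5DLUGTP?.]{9})\s+(?:(?P<type>[a-z])\s+)?(?P<path>/\S.*)$")

# Constructed rpm -V style output: trojanized PAM and OpenSSH, plus noise.
SAMPLE_OUTPUT = """\
S.5....T.    /usr/lib64/security/pam_unix.so
S.5....T.    /usr/bin/ssh
S.5....T.    /usr/sbin/sshd
.......T.    /usr/bin/scp
S.5....T.  c /etc/ssh/sshd_config
.M.......    /var/log/lastlog
missing     /usr/share/doc/openssh/README
"""


def parse_verify(output):
    """Yield (path, flags) for every line that reports a discrepancy."""
    for line in output.splitlines():
        m = VERIFY_LINE.match(line.strip())
        if m:
            yield m.group("path"), m.group("flags")


def flag_auth_changes(output):
    """Return {path: {'flags', 'content_changed'}} for changed auth-path files.

    '5' in the flags means the file digest no longer matches the package;
    an mtime-only change ('T') is reported but marked as not content-changed.
    """
    findings = {}
    for path, flags in parse_verify(output):
        if AUTH_COMPONENTS.search(path):
            findings[path] = {"flags": flags, "content_changed": "5" in flags}
    return findings


def run_package_verify():
    """Run the host's verifier and return its stdout ('' if neither tool exists).

    Both tools exit non-zero whenever discrepancies exist, so the exit code
    is deliberately ignored. Caveat: the verifier and its database live on
    the suspect host; corroborate with compare_to_baseline() from a
    trusted source before trusting a clean result.
    """
    if shutil.which("rpm"):
        cmd = ["rpm", "-V", "pam", "openssh", "openssh-server", "openssh-clients"]
    elif shutil.which("dpkg"):
        cmd = ["dpkg", "-V", "libpam-modules", "openssh-client", "openssh-server"]
    else:
        return ""
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_to_baseline(baseline):
    """baseline: {path: sha256 hex from a known-good host or vendor package}.

    Returns {path: 'mismatch' | 'missing'}; an empty dict means all matched.
    """
    problems = {}
    for path, expected in baseline.items():
        try:
            actual = sha256_of(path)
        except OSError:
            problems[path] = "missing"
            continue
        if actual != expected.lower():
            problems[path] = "mismatch"
    return problems


if __name__ == "__main__":
    output = run_package_verify() or SAMPLE_OUTPUT
    for path, info in flag_auth_changes(output).items():
        tag = "CONTENT CHANGED" if info["content_changed"] else "metadata only"
        print(f"{info['flags']}  {path}  [{tag}]")
```

Because Velvet Ant shipped nine differently built versions of pam_unix.so, signature matching on any one sample is a weak control; a digest mismatch against the vendor package catches all of them equally. Run the check from a trusted boot medium or compare against a known-good host when the result matters, since a modified rpm or dpkg binary, or an edited package database, can report a trojanized file as clean.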