A China-linked cyberespionage group known as Velvet Ant remained hidden inside a major organization’s critical infrastructure network for nearly a decade, according to a new investigation by Sygnia.

The campaign, named Operation Highland, shows how advanced hackers can bypass traditional network isolation by abusing trusted internal systems and authentication tools. The earliest forensic evidence found by researchers dates back to 2016, meaning the attackers may have maintained access for almost 10 years without being detected.

What makes this case more serious is that the targeted environment had no direct internet connection. It was supposed to be isolated from external access. However, Velvet Ant first compromised internet-facing systems and then used them as stepping stones to move deeper into the organization’s internal network.

Researchers said the attackers deployed modified reverse shells and custom tunneling tools to quietly move traffic through compromised servers. One of the tools was disguised as a normal system component, while another acted as a SOCKS5 proxy to help the hackers reach internal machines that were not directly exposed to the internet.

The group also abused Nginx and FastCGI configurations to create a remote execution path into the isolated environment. By chaining compromised web servers and backend systems, Velvet Ant was able to send specially crafted HTTP requests that triggered commands inside the critical infrastructure network.

The most alarming part of the intrusion was the group’s control over the authentication stack. Velvet Ant replaced legitimate Linux PAM modules with backdoored versions. PAM, or Pluggable Authentication Modules, is a core Linux component used to manage user login and authentication.

These malicious PAM modules allowed the attackers to bypass normal login checks, use hardcoded passwords, and collect credentials as legitimate users entered them. Sygnia said it identified nine different variants of the malicious PAM module, suggesting a highly organized and well-resourced operation.

The attackers also replaced OpenSSH components such as ssh, sshd, and scp with trojanized versions. These modified tools captured login credentials, recorded commands entered during SSH sessions, and stored the stolen data locally for later collection.

By compromising PAM and OpenSSH, Velvet Ant did not need to rely on a single backdoor or stolen password. The group embedded itself directly into the login process. This gave the attackers visibility into administrator activity and allowed them to survive password resets, session terminations, and other standard containment steps.

Sygnia said removing the attackers from the environment was complex because many critical system components had been replaced. Simply deleting the malicious files could have broken authentication, locked out administrators, or disrupted operations. Investigators had to build a testing environment, validate clean replacement binaries, profile each affected host, and prepare rollback plans before beginning cleanup.

The case highlights a major lesson for defenders: network segmentation alone is not enough. Even isolated environments can be reached if attackers compromise trusted systems that connect to them indirectly.

Organizations should treat authentication components such as PAM, OpenSSH, and Windows LSASS as high-value security assets. These systems should be monitored with file integrity checks, endpoint detection tools, strict privileged access controls, multi-factor authentication, and continuous auditing.
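The file integrity check recommended above, applied to the components the report says were replaced (PAM modules, ssh, sshd, scp), can be a small baseline-and-verify script. The example below is added here for illustration and is not from Sygnia's report or tooling; the AUTH_PATHS list assumes Debian-style locations for the PAM module directory and OpenSSH binaries, and the `demo()` function builds a constructed miniature host tree in a temporary directory so the script runs anywhere.

```python
"""Baseline-and-verify integrity check for Linux authentication components.

Added example, not part of the original article. It records a SHA-256 hash,
permission bits, owner and size for every file in the authentication stack
and later reports anything modified, added or missing, which is exactly the
change a swapped PAM module or trojanized sshd would produce.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed Debian/Ubuntu locations; adjust for your distribution.
AUTH_PATHS = [
    "/lib/x86_64-linux-gnu/security",   # PAM modules (pam_unix.so, ...)
    "/etc/pam.d",                       # PAM policy files
    "/usr/bin/ssh",
    "/usr/sbin/sshd",
    "/usr/bin/scp",
]


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(paths) -> dict:
    """Return {path: {sha256, mode, uid, size}} for every regular file under paths."""
    entries = {}
    for p in paths:
        root = Path(p)
        if not root.exists():
            continue  # not every host has every path; record what is present
        files = [root] if root.is_file() else [f for f in root.rglob("*") if f.is_file()]
        for f in files:
            st = f.lstat()
            entries[str(f)] = {
                "sha256": sha256_of(f),
                "mode": oct(st.st_mode & 0o7777),
                "uid": st.st_uid,
                "size": st.st_size,
            }
    return entries


def save_baseline(paths, out_file) -> None:
    """Write the current state as JSON. Store this copy off-host, not beside the files it describes."""
    Path(out_file).write_text(json.dumps(collect(paths), indent=2, sort_keys=True))


def verify(paths, baseline_file) -> dict:
    """Compare the live tree with the baseline; any non-empty list deserves investigation."""
    baseline = json.loads(Path(baseline_file).read_text())
    current = collect(paths)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed sample tree: one PAM module gets replaced and one new module appears."""
    tmp = Path(tempfile.mkdtemp())
    sec = tmp / "security"
    sec.mkdir()
    (sec / "pam_unix.so").write_bytes(b"clean pam_unix")
    (sec / "pam_deny.so").write_bytes(b"clean pam_deny")
    sshd = tmp / "sshd"
    sshd.write_bytes(b"clean sshd")
    baseline = tmp / "baseline.json"
    save_baseline([sec, sshd], baseline)
    # Simulate the change the report describes: a module swapped, a module dropped in.
    (sec / "pam_unix.so").write_bytes(b"replaced pam_unix")
    (sec / "pam_extra.so").write_bytes(b"new module")
    result = verify([sec, sshd], baseline)
    # Report paths relative to the sample root so the output is location-independent.
    return {k: [str(Path(p).relative_to(tmp)) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats from the case itself: take the baseline from known-good media (or from the distribution's package database, which `dpkg -V` or `rpm -V` already compare against) rather than from a host that may already be compromised, and keep the baseline file and the checking tool somewhere the host's root user cannot rewrite, since an attacker who controls the authentication stack also controls the local filesystem.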

Security teams should also maintain offline recovery plans, immutable backups, tested restoration procedures, and clean recovery hosts. In long-term espionage cases like Operation Highland, recovery is not only about removing malware. It is about proving that the systems used to authenticate users can be trusted again.