Chinese Hackers Lurked Inside Critical Infrastructure for a Decade, Turning Authentication Systems Into Silent Surveillance Weapons + Video

Introduction: A Breach That Redefines Cyber Persistence

What happens when attackers no longer need to break into a network because they become part of its identity system? A newly revealed cyber-espionage campaign demonstrates exactly that frightening reality. Security researchers uncovered a decade-long intrusion conducted by the Chinese-linked threat group Velvet Ant, which successfully infiltrated a major organization’s critical infrastructure environment and remained hidden for nearly ten years.

The operation, codenamed “Operation Highland,” was not simply another network breach. It was a carefully engineered campaign that evolved from compromising internet-facing systems into gaining influence over isolated infrastructure that had no direct internet connection. By embedding themselves into the authentication framework itself, the attackers transformed routine logins, administrator actions, and credential management into intelligence collection opportunities.

The discovery offers one of the clearest examples of how modern nation-state cyber operations prioritize stealth, patience, and persistence over rapid disruption.

Operation Highland: A Decade of Invisible Espionage

According to researchers at Sygnia, the campaign began in 2016 when Velvet Ant compromised the organization's internet-facing servers. Rather than launching destructive attacks or deploying ransomware, the attackers pursued a much more strategic objective: long-term intelligence gathering.

Their goal was to move beyond publicly accessible systems and reach highly protected operational environments. These networks were designed to be isolated from direct internet access, making them significantly harder to penetrate through conventional methods.

Instead of forcing entry, Velvet Ant built a pathway into the environment piece by piece, carefully avoiding detection while creating multiple layers of persistence.

The result was an espionage operation that remained active for nearly ten years, granting unprecedented visibility into administrative activity and critical infrastructure operations.

The First Stage: Establishing an Initial Foothold

The attackers reportedly began by compromising internet-facing servers through undisclosed vulnerabilities or weaknesses.

After gaining access, they deployed a modified build of GS-Netcat (the open-source gsocket netcat variant that tunnels connections through the Global Socket Relay Network), disguised as a legitimate system component. The implant connected outbound to a hardcoded relay domain, which gave the operators encrypted remote command execution without exposing an inbound listener on the victim.

To ensure survival after reboots and maintenance operations, the malware established persistence through either:

Malicious systemd services

Modified startup scripts

Customized execution mechanisms

These techniques ensured that the attackers would maintain access even if administrators attempted routine remediation efforts.
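A practical way to hunt for the systemd flavour of this persistence is to read every unit file and look at where its ExecStart binary actually lives. The script below is an added example written for this article, not Sygnia's tooling or anything recovered from the intrusion: it flags executables under temporary or user-writable directories, hidden path components, and binaries outside package-managed locations. TRUSTED_DIRS and SUSPICIOUS_DIRS are assumptions to adjust per distribution, and the unit files in demo() are constructed samples.

```python
"""Hunt for systemd unit persistence of the kind described above.

Added example for this article, not Sygnia's tooling. It reads every
*.service file in a directory and flags ExecStart entries whose executable
sits under a temporary or user-writable location, has a hidden path
component, or lives outside the package-managed directories. TRUSTED_DIRS and
SUSPICIOUS_DIRS are assumptions to adjust per distribution; the unit files in
demo() are constructed samples.
"""
import re
import tempfile
from pathlib import Path

TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                "/bin/", "/sbin/", "/lib/", "/usr/local/bin/", "/usr/local/sbin/")
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/run/user/")


def exec_starts(unit_text):
    """Return every ExecStart value from the [Service] section (a unit may carry several)."""
    values, section = [], None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "ExecStart":
                values.append(value.strip())
    return values


def exec_binary(cmdline):
    """Executable path from an ExecStart value; strips systemd's prefix characters (-, @, :, +, !)."""
    parts = cmdline.split()
    return parts[0].lstrip("-@:+!") if parts else ""


def classify(binary):
    """Findings for one executable path; an empty list means nothing stood out."""
    findings = []
    if not binary.startswith("/"):
        return ["executable resolved via PATH search; cannot be pinned to a file"]
    if binary.startswith(SUSPICIOUS_DIRS):
        findings.append("binary under temporary or user-writable directory")
    if re.search(r"/\.[^/]", binary):
        findings.append("hidden path component")
    if not binary.startswith(TRUSTED_DIRS):
        findings.append("binary outside package-managed directories")
    return findings


def audit_units(unit_dir):
    """Scan *.service files under unit_dir; return {unit name: [findings]} for flagged units only."""
    report = {}
    for unit in sorted(Path(unit_dir).glob("*.service")):
        for cmd in exec_starts(unit.read_text()):
            findings = classify(exec_binary(cmd))
            if findings:
                report.setdefault(unit.name, []).extend(findings)
    return report


def demo():
    """Constructed sample units: a genuine sshd, an 'smbd' hiding in /dev/shm, and a third-party agent."""
    samples = {
        "sshd.service": "[Unit]\nDescription=OpenBSD Secure Shell server\n\n[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n",
        "smbd.service": "[Unit]\nDescription=Samba SMB Daemon\n\n[Service]\nExecStart=/dev/shm/.cache/smbd -D\nRestart=always\n",
        "telemetry.service": "[Service]\nExecStart=-/opt/telemetry/agent --daemon\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            Path(d, name).write_text(body)
        return audit_units(d)


if __name__ == "__main__":
    for unit, findings in demo().items():
        print(unit)
        for f in findings:
            print("  -", f)
```

Point audit_units at /etc/systemd/system and /usr/lib/systemd/system (and at user unit directories) and treat the "outside package-managed directories" finding as a triage filter rather than a verdict: a hit under /opt is frequently legitimate third-party software, while a unit that borrows a system daemon's name but starts it from somewhere other than /usr/sbin is the case this hunt exists for. Follow up with systemctl cat on anything flagged.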

Building Internal Highways Across the Network

Once inside, Velvet Ant expanded its reach using a custom SOCKS5 proxy infrastructure.

The proxy software masqueraded as legitimate services, most often by appearing in process listings as the Samba file-server daemon:

smbd -D

A genuine smbd is the Samba binary (normally /usr/sbin/smbd) started by the Samba service unit, and it listens on TCP 445 and 139. A process by that name that was launched from somewhere else, or that accepts connections on a different port, is exactly what this masquerade counts on nobody checking.

By disguising malicious communications as ordinary system activity, the attackers transformed compromised machines into internal relay stations.

Every infected host became a stepping stone to another target.

This allowed the threat actors to move laterally throughout the organization while remaining hidden behind legitimate-looking traffic patterns.
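The process name proves nothing; the protocol the socket speaks does. The script below is an added example for this article (not code from Sygnia or from the intrusion) that sends a SOCKS5 client greeting to a listener and classifies the first bytes that come back: a SOCKS5 server has to answer with version 5 plus a chosen authentication method, whereas a real smbd expects a NetBIOS/SMB message and simply drops such input. The two loopback listeners in demo() are constructed stand-ins so the script runs offline; the verdict strings are this example's own.

```python
"""Tell a SOCKS5 relay apart from the Samba daemon it imitates.

Added example for this article, not code from Sygnia or the attackers.
probe() sends a SOCKS5 client greeting and classifies the server's reply.
The listeners in demo() are constructed stand-ins for offline use.
"""
import socket
import threading

SOCKS_VERSION = 0x05
# Client greeting: version 5, two methods offered: 0x00 (no auth) and 0x02 (username/password).
GREETING = bytes([SOCKS_VERSION, 0x02, 0x00, 0x02])


def classify_reply(data: bytes) -> str:
    """Map the server's first bytes to a verdict string."""
    if not data:
        return "closed"                        # peer hung up: what a daemon that rejects garbage does
    if len(data) >= 2 and data[0] == SOCKS_VERSION:
        if data[1] in (0x00, 0x02):
            return "socks5"                    # method selected: definitely a SOCKS5 server
        if data[1] == 0xFF:
            return "socks5-rejected-methods"   # still SOCKS5, it just wants another auth method
    return "other"                             # spoke something else; inspect manually


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect to host:port, send the greeting and return the verdict."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(GREETING)
            try:
                reply = s.recv(8)
            except socket.timeout:
                return "no-reply"              # silent listener; treat like 'closed' for triage
    except OSError as exc:
        return f"error:{exc.errno}"
    return classify_reply(reply)


# --- constructed listeners for offline demonstration ---------------------------

def _serve_once(handler):
    """Start a one-shot loopback listener that runs handler(conn) in a thread; return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def _fake_socks5(conn):
    """Stand-in for the attackers' proxy: answers the greeting with 'no authentication required'."""
    conn.recv(64)
    conn.sendall(bytes([SOCKS_VERSION, 0x00]))


def _fake_dropper(conn):
    """Stand-in for a daemon that reads a malformed first message and closes the connection."""
    conn.recv(64)


def demo() -> dict:
    """Probe both constructed listeners; returns {label: verdict}."""
    return {
        "fake-smbd-socks5": probe("127.0.0.1", _serve_once(_fake_socks5)),
        "daemon-dropping-garbage": probe("127.0.0.1", _serve_once(_fake_dropper)),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Run probe() against every port that ss -tlnp attributes to an smbd process on a host; a "socks5" verdict on anything named smbd is not Samba, and /proc/<pid>/exe will usually confirm that the binary is not /usr/sbin/smbd.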

Breaking Into an Air-Gapped Environment Without Direct Access

The most remarkable aspect of Operation Highland was the method used to reach isolated infrastructure.

Traditional security assumes that systems disconnected from the internet enjoy strong protection. Velvet Ant demonstrated that such assumptions can be dangerously misleading.

The attackers modified Nginx configurations on compromised servers, creating a chain of proxies capable of forwarding specially crafted requests.

The attack path functioned like a relay race:

Internet-facing Nginx server receives a crafted request

Request is proxied to a compromised backend server

Backend Nginx hands the request to a FastCGI process

FastCGI executes a custom binary named uptime

The uptime binary opens SSH connections into the isolated systems

Through this method, the attackers effectively created a remote execution tunnel into an environment that theoretically had no direct internet connectivity.

The isolated network never needed to establish an external connection. Instead, the attackers manipulated trusted internal pathways until they could reach their destination.
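Because every hop in that chain is plain nginx configuration, the tampering is visible to anyone who audits the config rather than the binary. The script below is an added example for this article, not Sygnia's tooling: a minimal nginx directive parser (blocks, quoting, comments) plus checks that list every proxy_pass hop, every fastcgi_pass, and any SCRIPT_FILENAME hardwired to a literal path outside the web roots. The article does not say exactly how the uptime binary was wired into FastCGI; the constructed SAMPLE assumes a CGI-style FastCGI bridge (fcgiwrap) with a fixed SCRIPT_FILENAME, one common way to make FastCGI execute an arbitrary program. WEBROOTS and SCRIPT_SUFFIXES are assumptions to tune per host.

```python
"""Audit an nginx configuration for forwarding chains and FastCGI execution.

Added example for this article; not Sygnia's tooling. SAMPLE is constructed
to mirror the relay described in the text; the fcgiwrap wiring is an assumption.
"""
import re

WEBROOTS = ("/var/www/", "/usr/share/nginx/", "/srv/www/")   # assumed: where served scripts may live
SCRIPT_SUFFIXES = (".php", ".fcgi", ".cgi", ".pl", ".py")

TOKEN = re.compile(
    r'\s*(?:(#[^\n]*)|"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'|([{};])|([^\s{};"\'#]+))'
)


def parse(text):
    """Return [(context, directive, args)] for every directive; context names the enclosing blocks."""
    out, stack, cur, pos = [], [], [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:                       # only trailing whitespace (or an unterminated quote) left
            break
        pos = m.end()
        comment, dq, sq, punct, word = m.groups()
        if comment is not None:
            continue
        if punct == "{":
            stack.append(" ".join(cur))
            cur = []
        elif punct == "}":
            stack.pop()
            cur = []
        elif punct == ";":
            if cur:
                out.append((" > ".join(stack), cur[0], cur[1:]))
            cur = []
        else:
            cur.append(dq if dq is not None else sq if sq is not None else word)
    return out


def audit(text):
    """Return [(level, context, detail)]. Levels: hop, exec, note, info, SUSPICIOUS."""
    findings = []
    for ctx, name, args in parse(text):
        where = ctx or "main"
        if name == "proxy_pass" and args:
            findings.append(("hop", where, f"proxy_pass -> {args[0]}"))
        elif name == "fastcgi_pass" and args:
            findings.append(("exec", where, f"fastcgi_pass -> {args[0]}"))
        elif name == "fastcgi_param" and len(args) >= 2 and args[0] == "SCRIPT_FILENAME":
            target = args[1]
            if "$" in target:           # derived from the request ($document_root$fastcgi_script_name): normal
                continue
            ok = target.startswith(WEBROOTS) and target.endswith(SCRIPT_SUFFIXES)
            findings.append(("note" if ok else "SUSPICIOUS", where, f"SCRIPT_FILENAME hardwired to {target}"))
        elif name == "include" and args:
            findings.append(("info", where, f"include {args[0]} (audit that file too)"))
    return findings


def suspicious(text):
    """Only the SUSPICIOUS findings, handy for scripting."""
    return [f for f in audit(text) if f[0] == "SUSPICIOUS"]


# Constructed sample: an internet-facing vhost forwarding /api/ to a backend, and the backend vhost
# that runs PHP normally but also hands one location to a CGI bridge running a fixed binary.
SAMPLE = r"""
server {
    listen 443 ssl;
    server_name www.example.com;            # assumed front-end name
    location / { root /var/www/html; }
    location /api/ { proxy_pass http://10.0.1.20:8080; }   # hop to the backend
}
server {
    listen 8080;
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location = /api/status {
        fastcgi_pass unix:/run/fcgiwrap.socket;
        fastcgi_param SCRIPT_FILENAME /usr/local/bin/uptime;   # assumed: custom binary, not a script
    }
}
"""

if __name__ == "__main__":
    for level, where, detail in audit(SAMPLE):
        print(f"{level:10} [{where}] {detail}")
```

Feed it the output of nginx -T, which prints the fully merged configuration including every included file, so that a directive hidden in a conf.d snippet or a sites-enabled symlink is not missed. A literal SCRIPT_FILENAME is rare in legitimate deployments; one pointing at an executable with no script extension deserves a look at that file's hash and origin.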

Authentication Became the Battlefield

After achieving access to the critical infrastructure environment, Velvet Ant shifted its attention toward the most valuable target of all: authentication.

Rather than relying on malware running on individual machines, the attackers embedded themselves directly into the mechanisms responsible for verifying user identities.

Their primary target was Linux PAM (Pluggable Authentication Modules).

PAM is the shared-library layer that sshd, sudo, login, su and most other Linux services call to verify a user, so its modules (under /lib/security or /lib64/security on RHEL-family systems, /lib/x86_64-linux-gnu/security on Debian-family systems) are loaded into every one of those services.

By replacing legitimate PAM libraries with malicious versions, the attackers altered how access control operated for every PAM-backed service in the environment at once.

Weaponized PAM Modules and Hidden Backdoors

Researchers identified nine separate variants of malicious PAM modules.

These replacements were capable of:

Accepting hardcoded secret passwords

Capturing legitimate user credentials

Creating hidden administrative access channels

Maintaining access despite password resets

The diversity of variants suggests a highly capable and well-funded threat actor with significant development resources.

Each version appeared tailored for different deployment scenarios, reflecting a level of operational maturity rarely observed in ordinary cybercrime campaigns.

OpenSSH Turned Into a Surveillance Platform

Velvet Ant did not stop at PAM.

The attackers also replaced core OpenSSH components including:

ssh
sshd
scp

The trojanized versions secretly collected:

Usernames

Passwords

Session activity

Administrative commands

File transfer operations

Every administrative action became observable.

Every login generated intelligence.

Every command executed on a compromised system became part of the attackers’ surveillance dataset.

Because sshd receives the plaintext password of a password-based login before it hands it to PAM, and the ssh and scp clients hold whatever credentials administrators type when hopping onward from the host, trojanizing both sides of OpenSSH meant Velvet Ant no longer needed conventional credential-theft tools: credentials were harvested as a by-product of normal administration.
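For both the PAM and the OpenSSH tampering, the check that catches a replaced library or binary is the same: hash every file in the authentication stack and compare against a manifest captured from a trusted build. The script below is an added example for this article, not Sygnia's tooling. It goes a step beyond rpm -V and debsums, which only cover files the package manager installed and therefore cannot see an extra pam_*.so dropped beside the genuine ones: it reports modified, unexpected and missing files. WATCHED lists assumed locations, and demo() builds a constructed directory and stages the tampering described above.

```python
"""Verify PAM modules and OpenSSH binaries against a known-good manifest.

Added example for this article, not Sygnia's tooling. WATCHED holds assumed
paths (Debian keeps PAM modules under /lib/x86_64-linux-gnu/security);
demo() is a constructed scenario.
"""
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path

WATCHED = ["/lib/security", "/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/scp", "/usr/bin/sftp"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Return {path: digest} for every regular file under paths; symlinks are recorded by target."""
    result = {}
    for p in map(Path, paths):
        entries = p.rglob("*") if p.is_dir() and not p.is_symlink() else [p]
        for e in entries:
            if e.is_symlink():
                result[str(e)] = "symlink->" + os.readlink(e)   # a relinked pam_unix.so shows as modified
            elif e.is_file():
                result[str(e)] = sha256_file(e)
    return result


def compare(manifest, current):
    """Diff a trusted manifest against a fresh snapshot."""
    return {
        "modified": sorted(k for k in manifest if k in current and manifest[k] != current[k]),
        "unexpected": sorted(k for k in current if k not in manifest),   # e.g. a module nobody installed
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo():
    """Constructed scenario: baseline, then a backdoored pam_unix, an extra module and a trojanized sshd."""
    with tempfile.TemporaryDirectory() as d:
        sec = Path(d, "security")
        sec.mkdir()
        (sec / "pam_unix.so").write_bytes(b"genuine pam_unix")
        (sec / "pam_deny.so").write_bytes(b"genuine pam_deny")
        sshd = Path(d, "sshd")
        sshd.write_bytes(b"genuine sshd")
        watched = [str(sec), str(sshd)]
        manifest = snapshot(watched)      # in practice: taken from a golden image and stored off-box

        (sec / "pam_unix.so").write_bytes(b"pam_unix that also accepts a magic password")
        (sec / "pam_login.so").write_bytes(b"module that logs every credential")
        sshd.write_bytes(b"sshd that records usernames and passwords")

        diff = compare(manifest, snapshot(watched))
        return {k: [p.replace(d, "") for p in v] for k, v in diff.items()}   # drop the temp prefix


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        with open(sys.argv[2], "w") as f:
            json.dump(snapshot(WATCHED), f, indent=1)
    elif len(sys.argv) == 3 and sys.argv[1] == "verify":
        with open(sys.argv[2]) as f:
            print(json.dumps(compare(json.load(f), snapshot(WATCHED)), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Capture the baseline from a host built from trusted media and keep the manifest off the box; run the verify step from a live boot or against the root filesystem mounted read-only where you can, since a host whose sshd has already been replaced is not a trustworthy place to ask questions about itself. Hashing sshd alone is only meaningful against such a baseline, which is the caveat behind the bare sha256sum in the checklist later in this page.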

Total Visibility Across the Environment

One of the most alarming findings was the degree of visibility achieved by the attackers.

Traditional compromises often depend on maintaining access through specific servers or user accounts.

Operation Highland moved beyond that limitation.

Because the authentication stack itself was compromised, access became embedded into the organization’s trust model.

This meant:

Password changes provided little protection

Session terminations had limited impact

Administrative account resets were insufficient

Standard containment procedures became less effective

The attackers were no longer attached to individual machines.

They had effectively become part of the authentication infrastructure itself.

Why Cleanup Became a Security Nightmare

Removing Velvet Ant proved exceptionally difficult.

Normally, organizations can isolate compromised machines and replace malicious software.

In this case, however, critical authentication components had been replaced throughout the environment.

Removing the malicious binaries without proper testing risked:

Authentication failures

Administrative lockouts

Service disruptions

Operational outages

To avoid catastrophic consequences, Sygnia reportedly created a dedicated testing environment to validate every replacement procedure before executing remediation activities.

Each host required individual analysis and rollback planning.

The cleanup process became almost as complex as the original attack.

Deep Analysis: Linux Authentication Components Became the Primary Attack Surface

Operation Highland reinforces a critical lesson for defenders: authentication infrastructure is now a frontline battlefield.

Security teams often prioritize endpoint malware, phishing campaigns, and perimeter defenses while overlooking authentication components that silently govern trust.

Commands that help audit these components (run them from a trusted shell and compare the output against a known-good baseline; none of them proves anything on its own):

ls -la /lib/security/                 # PAM modules: unexpected files, recent mtimes, odd ownership (Debian family: /lib/x86_64-linux-gnu/security/)
rpm -V pam                            # RHEL family: verify installed PAM files against the package database
debsums -s                            # Debian family: report changed package files (prints nothing when all match)
sha256sum /usr/sbin/sshd              # only meaningful against the hash of the packaged or golden-image sshd
systemctl list-units --type=service   # unknown or oddly named services hint at persistence
find /etc -mtime -30                  # recently changed configuration, including /etc/pam.d and the nginx tree
auditctl -l                           # confirm audit rules still cover the authentication stack and were not removed
journalctl -xe                        # recent journal entries, including sshd and PAM messages
ps aux | grep ssh                     # unexpected ssh processes; cross-check each binary via /proc/<pid>/exe
netstat -tulpn                        # legacy listing of listeners; prefer ss on current systems
ss -tulpn                             # listening sockets with owning process, e.g. an "smbd" on a non-SMB port
lsof -i                               # open network connections per process

These commands can help identify unauthorized modifications, suspicious services, altered binaries, and abnormal network behavior.

Organizations should also implement:

File Integrity Monitoring (FIM)

Endpoint Detection and Response (EDR)

Multi-Factor Authentication (MFA)

Immutable backups

Offline recovery procedures

Privileged Access Management (also abbreviated PAM, not to be confused with Linux PAM)

Continuous binary verification

The campaign demonstrates that attackers increasingly target trust mechanisms instead of simply targeting systems. Once trust itself becomes compromised, traditional defensive assumptions begin to collapse.

What Undercode Say:

Operation Highland represents a significant evolution in cyber-espionage methodology. Unlike ransomware operators seeking immediate financial gain, Velvet Ant displayed extraordinary patience: the campaign shows the growing importance of persistence over destruction, and nation-state operators increasingly prefer quiet intelligence collection over attacks that generate visibility.

Authentication systems have become strategic assets. Compromising authentication delivers long-term operational advantage because attackers no longer need to steal credentials repeatedly; they position themselves where credentials naturally flow. That dramatically reduces their operational risk, since every credential-theft tool they no longer have to run is one fewer artifact for defenders to find.

The use of multiple PAM variants indicates professional software development practices: the threat actors invested resources into maintaining compatibility across environments and demonstrated a sophisticated understanding of Linux internals. Compromising OpenSSH further expanded their collection capability and made administrative activity transparent to them. Traditional security monitoring may not detect authentication-layer tampering, because many organizations focus on endpoint malware signatures while authentication libraries receive far less scrutiny.

Air-gapped systems are not inherently secure. Indirect pathways can bridge supposedly isolated environments; network segmentation remains important but is insufficient by itself, and configuration abuse can undermine isolation. Nginx was transformed from a web service into an attack conduit, and legitimate technologies became covert communication channels. Defenders must monitor configuration integrity alongside binary integrity.

The operation illustrates the value of stealth. Ten years of persistence suggest extremely effective operational discipline: the attackers avoided actions likely to trigger investigations, persistence was the primary objective, and credential collection served long-term intelligence requirements.

The campaign also highlights incident response challenges. Removing attackers embedded within authentication infrastructure carries significant risk, so organizations need tested recovery plans before an incident occurs, offline recovery capability, and immutable backups as standard practice. Authentication services should receive the same level of protection as domain controllers; trust mechanisms need continuous validation, behavioral monitoring must complement signature detection, critical infrastructure operators should assume compromise is possible, verification should replace trust wherever feasible, and supply chain validation and binary verification should be routine.

Operation Highland may influence future threat actor strategies. Other advanced groups are likely studying similar techniques, authentication-layer security will become a major focus area over the coming years, and organizations that fail to adapt may face similarly persistent threats.

✅ Sygnia researchers attributed the operation to the Chinese-linked Velvet Ant threat cluster and described a long-term cyber-espionage campaign targeting critical infrastructure.

✅ The attackers reportedly modified PAM authentication modules and OpenSSH components to collect credentials and maintain persistence within the environment.

✅ Researchers documented the creation of a remote execution pathway into a segregated network using modified Nginx and FastCGI configurations, demonstrating that isolated environments can still be reached through trusted intermediary systems.

Prediction

(+1) Critical infrastructure operators will significantly increase investments in authentication integrity monitoring, file verification systems, and privileged access security over the next several years. 🔐

(+1) Linux PAM, OpenSSH, and identity-management platforms will receive enhanced security auditing capabilities as organizations recognize them as high-value attack surfaces. 📈

(+1) Security vendors will develop more specialized detection technologies focused on authentication-layer tampering and credential interception techniques. 🚀

(-1) Advanced persistent threat groups are likely to replicate similar authentication-centric strategies because they offer long-term intelligence access with relatively low visibility. ⚠️

(-1) Organizations that rely solely on perimeter security and network segmentation may continue to underestimate the risks posed by compromised trust mechanisms inside their environments. 🛑

(-1) Future campaigns may become even harder to detect as threat actors increasingly weaponize legitimate services and administrative tools instead of deploying traditional malware. 🎯



References:

Reported By: www.bleepingcomputer.com
