Introduction: A Silent Intrusion That Defied Isolation
Air-gapped networks are supposed to be the digital equivalent of a sealed vault—cut off from the internet, hardened against intrusion, and trusted with the most sensitive operations in critical infrastructure. Yet, “Operation Highland,” uncovered by Sygnia’s incident response team, reveals a far more unsettling reality. A China-nexus threat actor known as Velvet Ant managed to survive inside such an environment for nearly a decade, remaining undetected since at least 2016. This wasn’t a quick smash-and-grab breach. It was a slow, disciplined, deeply engineered infiltration that rewrote how persistence can exist without direct internet access.
Summary of the Original Incident: A Decade of Hidden Control
The investigation shows Velvet Ant successfully infiltrated a highly segmented, air-gapped critical infrastructure network and maintained access for years. Instead of relying on traditional malware persistence, the attackers compromised foundational authentication systems themselves.
They bypassed isolation barriers using multi-stage tunneling techniques, including compromised internet-facing servers, reverse shells disguised as legitimate tools, and manipulated web request routing. Once inside, they escalated by replacing core Linux authentication components and modifying OpenSSH binaries to silently capture credentials, commands, and session data.
The breach stands out not only because of its duration, but because of its sophistication: the attackers effectively turned the network’s trust mechanisms into their own surveillance infrastructure.
Initial Foothold: The Hidden Entry Through Internet-Facing Systems
Velvet Ant began where most advanced attackers start—not inside the secure network, but at its exposed edges. They deployed a modified version of GS-Netcat disguised as a system utility called auditdb. This tool acted as an encrypted reverse shell, quietly maintaining communication channels while blending into normal system activity.
To expand control, the attackers introduced a custom SOCKS5 proxy. Every process was carefully renamed to resemble legitimate services, ensuring that even basic system monitoring would overlook the intrusion.
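A triage heuristic for the process camouflage described here, written as an added example that is not from the article or Sygnia's report: it compares each process's kernel-visible name (/proc/PID/comm) with the binary it actually executes (/proc/PID/exe), since renaming a process to something like auditdb does not change where its executable lives; the list of writable directories treated as suspicious is an assumption.

```shell
#!/bin/sh
# Added example, not from the article or Sygnia's report: triage heuristics for processes
# hiding under a legitimate-looking name, as the renamed GS-Netcat ("auditdb") and the
# custom SOCKS5 proxy did. Verdicts are leads, not proof; follow up with rpm -qf / dpkg -S.

# classify_process COMM EXE: COMM is the content of /proc/PID/comm, EXE the target of
# /proc/PID/exe. Prints one verdict line; exit status 1 when the process deserves a look.
classify_process() {
    cp_comm=$1; cp_exe=$2
    case "$cp_exe" in
        *" (deleted)")  # binary removed after start: nothing left on disk to inspect
            echo "SUSPECT exe-deleted comm=$cp_comm exe=$cp_exe"; return 1 ;;
        /tmp/*|/var/tmp/*|/dev/shm/*|/home/*|/root/*)  # assumed-unusual homes for a daemon
            echo "SUSPECT exe-in-writable-dir comm=$cp_comm exe=$cp_exe"; return 1 ;;
    esac
    cp_base=${cp_exe##*/}
    # comm is truncated to 15 bytes, so accept comm as a prefix of the executable's name
    # (python3 for python3.11); anything else means the name was changed after exec.
    if [ "${cp_base#"$cp_comm"}" = "$cp_base" ]; then
        echo "SUSPECT name-mismatch comm=$cp_comm exe=$cp_exe"; return 1
    fi
    echo "OK comm=$cp_comm exe=$cp_exe"
}

# scan_processes: run the heuristic over every live PID (run as root to read other users' exe links).
scan_processes() {
    for sp_dir in /proc/[0-9]*; do
        [ -r "$sp_dir/comm" ] || continue
        sp_comm=$(cat "$sp_dir/comm" 2>/dev/null)
        sp_exe=$(readlink "$sp_dir/exe" 2>/dev/null)
        [ -n "$sp_exe" ] || continue   # kernel threads (and unreadable PIDs) have no exe link
        classify_process "$sp_comm" "$sp_exe" | grep '^SUSPECT' || true
    done
}

# Usage: sh proc_triage.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_processes; fi
```

A process whose name does match its binary still needs the package-manager check, because a tool copied into place under a legitimate-sounding filename passes this heuristic.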
Lateral Movement: Turning Web Infrastructure Into a Gateway
Instead of brute-forcing their way inward, the attackers used legitimate infrastructure against itself. Internet-facing Nginx servers were manipulated to forward specific HTTP requests into backend FastCGI processes.
This created a covert execution bridge. Through carefully crafted HTTP requests, attackers triggered backend processes that eventually initiated SSH connections into segmented internal environments. This technique effectively converted normal web traffic into a stealth transport layer for command execution.
Breaking the Air Gap: A False Sense of Isolation
The most critical assumption violated in this incident was the concept of isolation itself. Even without direct internet connectivity, the network could still be reached indirectly through compromised edge systems.
Velvet Ant exploited this by chaining multiple hops:
External server compromise
Web request manipulation
Backend execution bridging
SSH tunneling into isolated segments
This multi-stage design allowed them to cross boundaries that were assumed to be impermeable.
Core Compromise: Hijacking Linux Authentication at the Root
Once inside the core network, the attackers shifted strategy from access to dominance. Instead of maintaining traditional backdoors, they targeted the Linux Pluggable Authentication Modules (PAM).
They replaced legitimate pam_unix.so modules with malicious variants. Investigators discovered at least nine customized versions, suggesting a structured development pipeline tailored for different environments.
These modified modules:
Accepted hardcoded passwords for bypass access
Silently harvested administrator credentials
Stored stolen data in hidden local files
This wasn’t just access—it was full authentication subversion.
Deep Surveillance: Weaponizing OpenSSH
Velvet Ant also modified core OpenSSH binaries, including ssh, sshd, and scp. These changes turned standard administrative tools into surveillance mechanisms.
Every command executed by administrators was logged and encrypted. Sessions were effectively keylogged at the system level. The attackers even introduced a hidden -d flag that disabled logging when needed, allowing them to move laterally without leaving forensic traces.
This level of control turned every privileged user session into a monitored intelligence stream.
Infrastructure Manipulation: Weakening System Defenses
Beyond credential theft, the attackers also weakened defensive mechanisms. The compromised SCP binary was engineered to disable SELinux when executed with root privileges.
This removed mandatory access controls at critical moments, allowing unrestricted file transfers and system modifications without triggering alarms. It ensured that once inside, containment systems could be selectively neutralized.
What Undercode Says:
Air-gapped systems are not immune if edge infrastructure is exposed
Authentication layers are becoming primary attack targets
PAM modules are high-value persistence points in Linux environments
OpenSSH binaries are increasingly abused for stealth surveillance
Multi-stage tunneling remains a dominant APT strategy
Web servers can become covert execution bridges
Process renaming is still effective against basic detection systems
Reverse shells disguised as system tools increase evasion success
SOCKS5 proxies are commonly used for internal pivoting
Credential harvesting is prioritized over immediate destruction
Attackers prefer long-term invisibility over fast exploitation
Air-gap assumptions often ignore indirect connectivity paths
Backend web processing pipelines can be abused for command execution
FastCGI routing manipulation is a stealth escalation vector
Linux authentication modules are frequently overlooked in audits
Hardcoded credential bypasses indicate deep system knowledge
Multi-variant malware suggests industrialized attacker pipelines
Administrative behavior is a primary intelligence target
Encrypted logging shows intent to evade forensic recovery
Attackers build conditional stealth mechanisms into tools
SELinux disabling indicates focus on privilege expansion
Internal SSH trust is often stronger than external perimeter security
Once inside, lateral movement becomes easier than initial entry
Compromised binaries persist longer than memory-resident malware
System utilities are ideal camouflage for persistence tools
Authentication tampering bypasses most endpoint detection systems
Attackers prioritize blending into system behavior patterns
Long dwell time indicates weak internal monitoring
Segmentation alone is insufficient without behavioral detection
Multi-hop compromise chains increase detection difficulty exponentially
Infrastructure trust is often exploited more than software vulnerabilities
Credential theft enables silent replication across environments
Attackers exploit administrative convenience tools
Security blind spots exist in legacy authentication systems
Persistence through system libraries is harder to detect than services
Custom malware families indicate state-level capability
Web infrastructure is often the weakest controlled attack surface
SSH trust relationships amplify breach impact
Internal logging systems can be weaponized against defenders
The real breach is often identity, not infrastructure
❌ Claims of decade-long persistence require partial inference from forensic traces, not continuous confirmed access
✅ PAM and OpenSSH binary modification is a known advanced persistence technique in APT campaigns
❌ Full invisibility over such a long period is unlikely; modern enterprise logging often reveals partial artifacts retrospectively
Prediction:
(+1) This incident signals increased targeting of authentication systems and Linux identity layers in future APT operations 🔐
(-1) Air-gapped systems will become less trusted as absolute isolation continues to be undermined by indirect connectivity paths ⚠️
(+1) Defensive tools will shift toward behavior-based detection rather than perimeter and signature-based security models 🧠
Deep Analysis (Linux / Windows / macOS Defensive Commands Perspective)
On Linux systems, defenders should focus on authentication integrity and binary validation:
Check PAM module integrity (RHEL-based systems)
rpm -Va | grep pam
Check PAM module integrity (Debian-based systems; pam_unix.so ships in the libpam-modules package)
debsums -s libpam-modules
Verify OpenSSH binaries (compare the digests against a known-good baseline or the package manager's recorded values; a hash on its own proves nothing)
sha256sum /usr/bin/ssh /usr/sbin/sshd
Detect suspicious file modifications
find /lib/security /lib64/security /lib/*/security -type f -mtime -365 2>/dev/null
Review authentication logs (the service unit is ssh on Debian-based and sshd on RHEL-based systems)
journalctl -u ssh
grep "Failed password" /var/log/auth.log
Monitor active connections
ss -tulpn
netstat -plant
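The hash and package checks above only help when there is something to compare against, so this added example (not from the article or Sygnia's report) records a baseline for the files this incident tampered with, pam_unix.so and the OpenSSH ssh, sshd and scp binaries, and reports any later deviation; the paths and the baseline location are assumptions for common Debian and RHEL layouts.

```shell
#!/bin/sh
# Added example (not from the article or Sygnia's report): a hash baseline for the files this
# incident tampered with, pam_unix.so and the OpenSSH ssh/sshd/scp binaries. Paths are
# assumptions for common Debian and RHEL layouts; paths that do not exist are skipped.
WATCHED="/usr/bin/ssh /usr/sbin/sshd /usr/bin/scp
/lib/x86_64-linux-gnu/security/pam_unix.so /lib64/security/pam_unix.so"
BASELINE=${BASELINE:-/var/lib/auth-baseline.sha256}   # keep a copy off-host; root can edit this one

# record_baseline FILE PATH...: write 'sha256  path' for every PATH that exists.
record_baseline() {
    rb_out=$1; shift
    : > "$rb_out"
    for rb_p in "$@"; do
        if [ -f "$rb_p" ]; then sha256sum "$rb_p" >> "$rb_out"; fi
    done
}

# compare_baseline FILE: print one CHANGED/MISSING line per deviation; status 0 only if clean.
# Unlike the mtime check above, a content hash cannot be reset by touching the file.
compare_baseline() {
    cb_dev=0
    while read -r cb_expected cb_path; do
        if [ ! -f "$cb_path" ]; then
            echo "MISSING  $cb_path"; cb_dev=$((cb_dev + 1)); continue
        fi
        cb_actual=$(sha256sum "$cb_path" | cut -d' ' -f1)
        if [ "$cb_actual" != "$cb_expected" ]; then
            echo "CHANGED  $cb_path"; cb_dev=$((cb_dev + 1))
        fi
    done < "$1"
    [ "$cb_dev" -eq 0 ]
}

# package_verify: second opinion from package metadata, which a swapped binary must also
# defeat (the rpm -V / debsums checks above, with the package names spelled out).
package_verify() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -V pam openssh-clients openssh-server
    elif command -v debsums >/dev/null 2>&1; then
        debsums -s libpam-modules openssh-client openssh-server
    else
        echo "no package verifier found" >&2; return 2
    fi
}
# Usage: sh auth_baseline.sh --audit  (first run records the baseline, later runs compare it)
if [ "${1:-}" = "--audit" ]; then
    if [ -f "$BASELINE" ]; then compare_baseline "$BASELINE" && echo "baseline OK"
    else record_baseline "$BASELINE" $WATCHED && echo "baseline recorded in $BASELINE"; fi
    package_verify
fi
```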
On Windows environments (for comparison in hybrid networks):
Check system binary integrity
sfc /scannow
Monitor suspicious processes
Get-Process | Sort CPU -Descending
Audit login activity
Get-WinEvent -LogName Security | Where-Object { $_.Message -match "Logon" }
On macOS systems:
Verify system binaries
codesign -v /usr/bin/ssh
Monitor authentication logs
log show --predicate 'process == "sshd"' --last 7d
Check active network sockets
lsof -i
The core defensive lesson is clear: if identity systems are compromised, perimeter security becomes irrelevant.
References:
Reported By: cyberpress.org