A Hidden War Inside Air-Gapped Systems: How Velvet Ant Breached the Impossible
For nearly a decade, a China-linked threat group tracked as Velvet Ant operated silently inside a highly secured critical infrastructure network believed to be isolated from the internet. According to security researchers at Sygnia, the intrusion—dubbed Operation Highland—reveals one of the most patient and technically sophisticated espionage campaigns ever documented.
What makes this breach so alarming is not just its duration, but its method. Instead of exploiting flashy zero-day vulnerabilities, the attackers quietly compromised the foundation of system authentication. By replacing Linux PAM modules and OpenSSH binaries with backdoored versions, they effectively lived inside the system's identity layer for years without triggering alarms.
Summary of a Silent Infiltration: From Entry Point to Full Control
The attackers began their journey through internet-facing systems, deploying a disguised copy of GS-Netcat (from the gsocket project) presented as a legitimate utility. From there, they established encrypted reverse shells, maintained persistence through systemd services, and built hidden tunnels for lateral movement. Once inside, they abused web servers such as Nginx as stepping stones and eventually reached the isolated infrastructure segment.
But the real turning point came when they stopped “breaking in” and instead started “becoming the system itself.”
The Entry Strategy: Disguised Tools and Hidden Persistence
Velvet Ant’s first foothold relied on deception rather than force. Modified binaries masquerading as system tools created encrypted communication channels back to command servers. These channels were carefully engineered to blend into normal traffic patterns.
To ensure survival across reboots, the attackers planted malicious systemd services whose names mimicked legitimate Chrome-related processes. This gave them a persistent foothold that survived routine system maintenance.
They also deployed a custom SOCKS5 proxy, turning compromised machines into relay nodes that silently routed attacker traffic deeper into the network.
The Lateral Movement Engine: Turning Web Servers Into Gateways
Once inside the perimeter, attackers shifted toward infrastructure abuse. By modifying Nginx configurations, they redirected web traffic through FastCGI wrappers capable of executing arbitrary payloads.
This technique effectively turned web servers into execution bridges, bypassing traditional segmentation controls. From there, attackers established indirect SSH pathways into isolated environments without requiring direct internet connectivity.
This phase marks the moment the intrusion stopped being an external breach and became an internal system takeover.
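The configuration pattern described above can be audited mechanically. The shell script below is an added example, not tooling from Sygnia's investigation or from the original article; the allowlisted PHP-FPM socket path, the conf.d/ directory layout, and the sample configuration it constructs are assumptions. It flags fastcgi_pass upstreams that are not on an allowlist and script roots that point into world-writable or temporary locations such as /tmp or /dev/shm, which is where a dropped FastCGI wrapper would be expected to live.

```shell
#!/bin/sh
# Added example (not from the Sygnia report): audit an Nginx config tree for
# FastCGI plumbing that does not belong there. Paths and the allowlist are assumptions.
set -u

# Print every fastcgi_pass target under $1 that is not in the space-separated
# allowlist $2. Returns 0 if nothing unexpected was found, 1 otherwise.
audit_fastcgi_pass() {
  confdir=$1
  allow=${2:-"unix:/run/php/php-fpm.sock"}
  found=0
  # -r recurses into conf.d/ and sites-enabled/, -h drops filenames, -o prints only the match
  for target in $(grep -rhoE 'fastcgi_pass[[:space:]]+[^;]+' "$confdir" 2>/dev/null \
                  | awk '{print $2}' | sort -u); do
    case " $allow " in
      *" $target "*) ;;                                        # expected upstream
      *) echo "unexpected fastcgi_pass: $target"; found=1 ;;  # anything else is reviewed
    esac
  done
  return $found
}

# Print SCRIPT_FILENAME, root or alias directives whose path lives in a temporary
# or world-writable directory. Returns 0 if none, 1 if at least one was found.
audit_writable_roots() {
  confdir=$1
  if grep -rnE '(SCRIPT_FILENAME|^[[:space:]]*(root|alias))[[:space:]]+[^;]*(/tmp/|/dev/shm/|/var/tmp/)' \
       "$confdir" 2>/dev/null; then
    return 1
  fi
  return 0
}

# Constructed sample, not a real configuration from the incident: one ordinary PHP-FPM
# location and one location wired to a socket and script root under temporary directories.
write_sample_config() {
  mkdir -p "$1/conf.d"
  cat > "$1/conf.d/site.conf" <<'EOF'
location ~ \.php$ {
    fastcgi_pass unix:/run/php/php-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
location /cgi/ {
    fastcgi_pass unix:/tmp/.fcgi.sock;
    fastcgi_param SCRIPT_FILENAME /dev/shm/.wrapper$fastcgi_script_name;
}
EOF
}

# Usage: ./nginx_fcgi_audit.sh demo          (runs against the constructed sample)
#        audit_fastcgi_pass /etc/nginx "unix:/run/php/php-fpm.sock"  (on a real host)
if [ "${1-}" = "demo" ]; then
  tmp=$(mktemp -d)
  write_sample_config "$tmp"
  audit_fastcgi_pass "$tmp"
  audit_writable_roots "$tmp"
  rm -rf "$tmp"
fi
```

On a real host, run the two functions against /etc/nginx and diff the output against the previous run; a new fastcgi_pass target or a script root that suddenly points into /tmp is worth a ticket even when the web server itself is healthy. The allowlist should be generated from change-managed deployment manifests, not from whatever the host currently contains.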
The Core Compromise: Hijacking Authentication Itself
Instead of maintaining access through conventional backdoors, Velvet Ant escalated to a far more dangerous level—they compromised authentication.
They replaced legitimate Linux PAM modules (specifically pam_unix.so) with nine distinct malicious variants compiled in separate environments. These modules silently intercepted login flows, allowing attackers to:
Bypass authentication using hardcoded backdoor passwords
Capture real usernames and credentials
Log sensitive authentication data in hidden files
Survive password resets without losing access
At the same time, they modified the OpenSSH binaries (ssh, sshd, and scp), embedding backdoor capabilities that extended their reach and visibility across the entire infrastructure.
At this stage, attackers were no longer intruders—they were part of the login process itself.
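A practical check for this kind of replacement, added here as an example rather than taken from the report: hash the authentication stack on a known-good host, keep the baseline off the box, and verify the live files against it later. Nine independently compiled variants defeat signature matching against known samples, but a baseline comparison does not need to know what the malware looks like. The file paths (Debian/Ubuntu layout; RHEL keeps pam_unix.so under /lib64/security) and the package names are assumptions.

```shell
#!/bin/sh
# Added example, not Sygnia's or Undercode's tooling: baseline-and-verify check of the
# files Operation Highland is reported to have replaced. Paths are assumptions.
# Run from trusted media: on a compromised host sha256sum or libc may also be replaced.
set -u

# Space-separated on purpose; expanded unquoted below so each path becomes one argument.
AUTH_FILES="/lib/x86_64-linux-gnu/security/pam_unix.so /usr/sbin/sshd /usr/bin/ssh /usr/bin/scp"

# Record the SHA-256 of each listed file into $1. Capture this on a freshly installed
# or package-verified host and store it off-box; a baseline kept on the host can be
# rewritten by the same attacker who swapped the binaries.
make_baseline() {
  out=$1; shift
  sha256sum "$@" > "$out"
}

# Compare live files with the baseline in $1. Returns 0 if every file matches,
# 1 if any differs or is missing; failures are printed as "path: FAILED".
verify_baseline() {
  sha256sum --check --quiet "$1"
}

# Second, independent opinion: ask the package manager whether the installed files
# still match what it shipped. Returns the package manager's own exit status (0 = clean).
# Not a substitute for the off-box baseline, since the package database lives on the host.
pkg_verify() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --verify libpam-modules openssh-server openssh-client
  elif command -v rpm >/dev/null 2>&1; then
    rpm -V pam openssh-server openssh-clients
  else
    echo "no supported package manager found" >&2
    return 2
  fi
}

# Usage:
#   ./authstack_check.sh baseline /mnt/trusted/auth.sha256   (once, on a known-good host)
#   ./authstack_check.sh verify   /mnt/trusted/auth.sha256   (periodically, from trusted media)
case "${1-}" in
  baseline) make_baseline "$2" $AUTH_FILES ;;
  verify)   verify_baseline "$2" && pkg_verify ;;
esac
```

Two caveats a responder would add. First, verification should also cover the tools used to verify: hash sha256sum, the shell and libc too, or boot from a live image and hash the mounted root. Second, a clean hash says nothing about PAM configuration; a legitimate pam_unix.so can be bypassed by an extra line in /etc/pam.d/sshd that loads an attacker module, so /etc/pam.d and /etc/ssh belong in the same baseline.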
Why This Attack Was Almost Impossible to Remove
The most dangerous aspect of Operation Highland was not the infiltration, but the remediation challenge.
Security teams discovered that removing the malware meant replacing the very tools required to manage the system. Blind updates risked catastrophic outcomes: total administrative lockout or infrastructure-wide outages.
To respond safely, engineers built isolated testing environments to rehearse eradication before deploying fixes. Every step had to be validated manually, making the cleanup slow and operationally risky.
The Bigger Lesson: Air-Gapped Does Not Mean Safe
Operation Highland dismantles a long-standing assumption in cybersecurity: isolation equals security. Even networks without direct internet access can be compromised through staged infiltration, supply-chain-like persistence, and authentication-layer manipulation.
The attackers did not rush. They evolved slowly inside trusted systems, turning core security mechanisms into weapons against their own environment.
What Undercode Says:
Perimeter security on its own is no longer a sufficient defense model
Long-term persistence beats fast exploitation in high-value targets
Authentication layers are becoming primary attack surfaces
Linux system trust boundaries are increasingly fragile under advanced threats
PAM modules represent a high-value compromise target due to privileged execution flow
OpenSSH manipulation shows attackers prize control of the administrative channel itself
Multi-stage intrusion chains reduce detection probability significantly
Air-gapped environments can still be indirectly bridged
Systemd persistence shows attackers adapt to modern Linux architectures
Compromised binaries are more dangerous than network-based malware
Credential harvesting inside the authentication stack (PAM modules run inside every privileged login process) is extremely difficult to detect
Proxy chaining enables invisible lateral movement
Nginx abuse highlights the risk of trusted infrastructure software
Authentication interception allows indefinite persistence
Backdoored login modules bypass traditional SIEM detection
Security tools relying on integrity assumptions are vulnerable
Multi-compiled malware variants indicate industrial-level resources
Detection lag grows with infrastructure complexity
Credential replay resistance becomes irrelevant if auth is compromised
Internal segmentation alone is not sufficient protection
Threat actors prefer system control over data theft in long campaigns
Defensive monitoring must include binary integrity verification
Host-based anomaly detection is critical in isolated networks
Trust in system binaries and authentication modules must be continuously validated, not assumed
Attackers prioritize stealth over speed in critical infrastructure
Administrative tool compromise leads to full environment control
Logging systems may be manipulated at authentication level
Persistence mechanisms are evolving beyond cron and startup scripts
Security audits must include authentication stack review
Hidden backdoors can survive years undetected in stable systems
Network isolation must be paired with endpoint integrity checks
Attack attribution becomes secondary to impact mitigation
Infrastructure trust collapse is the real endgame of advanced threats
Credential interception is more valuable than ransomware in espionage
Compromise of PAM equals compromise of identity layer
SSH backdoors extend visibility across entire network topology
Multi-stage proxies obscure origin of malicious traffic
System compromise can persist through administrative resets
Detection requires behavioral rather than signature-based methods
Operation Highland is a blueprint for modern stealth espionage campaigns
🕵️📝 Let's dive deep and fact-check.
❌ Attribution to China-linked actors is based on threat intelligence classification, not courtroom-confirmed identity
✅ Sygnia is a recognized cybersecurity firm that investigates advanced persistent threats
❌ Exact duration “nearly a decade since 2016” is based on forensic artifacts, not continuous verified access across all systems
✅ Linux PAM and OpenSSH are commonly targeted components in advanced Linux-based intrusions
❌ Full operational details (tool variants, internal execution paths) are derived from incident response analysis, not publicly observable activity
Prediction
(+1) This type of attack will push organizations toward mandatory authentication stack integrity verification and kernel-level monitoring 📊🛡️
(-1) Legacy Linux environments relying on outdated PAM and SSH deployments will remain highly vulnerable for years due to upgrade complexity ⚠️
(+1) Future state-level operations will increasingly avoid exploits and instead target identity systems directly 🔐🚨
References:
Reported By: cyberpress.org