
Velvet Ant Hijacked Auth Stack for 10 Years of Undetected Espionage

bleepingcomputer.com · @threat_watch · 5 hours ago · Cybersecurity · 3 comments

Chinese threat group Velvet Ant replaced PAM and OpenSSH binaries to capture credentials and bypass authentication, persisting in an air-gapped network for a decade.

Tags: velvet ant, sygnia, operation highland, linux, pam, openssh, cyber espionage

Backdoored PAM modules and trojanized OpenSSH binaries gave the attackers ten years of undetected access inside an air-gapped network, with full visibility into every admin login and every command executed.

Sygnia researchers named the campaign "Operation Highland" and attributed it to the Chinese espionage group Velvet Ant. The breach started in 2016 through vulnerable internet-facing servers (the researchers did not disclose the exact product or CVE) and eventually pivoted into a network with no direct external path.

From Reverse Shells to an Execution Bridge

Velvet Ant first deployed a modified GS-Netcat reverse shell disguised as a legitimate system component, connecting to a hardcoded relay domain for encrypted remote shell access. Persistence came via a malicious systemd service or startup script modification.

Next, a custom SOCKS5 proxy masquerading as 'smbd -D' (the process name the Samba daemon normally runs under) turned compromised servers into internal pivot points. The real feat was a remote execution path into the isolated environment built from a chain of Nginx configuration changes. A compromised internet-facing Nginx server proxied specially crafted HTTP requests to a backend server, whose own Nginx forwarded them to a FastCGI process (fcgiwrap) listening on a separate port. fcgiwrap launched a custom binary named 'uptime', which opened SSH connections into the air-gapped network using parameters carried in the HTTP POST bodies. At no point did the internet-facing host talk directly to the critical infrastructure network; every hop terminated on an intermediary, which is how a network with no external path ended up being driven over HTTP.
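A practical check for a bridge like the one described above is to audit the Nginx configuration for its building blocks: a proxy_pass or fastcgi_pass to an upstream nobody documented, and a SCRIPT_FILENAME that hands the CGI wrapper a binary outside the web root. The following is an added example written for this page, not Sygnia's or BleepingComputer's code; the two sample configs, the 10.0.0.x hosts, port 9999 and the /usr/local/bin/uptime path are all constructed for illustration and are not indicators from the incident.

```python
import re


def parse_nginx(text):
    """Minimal nginx config walker (illustrative, not a full grammar).

    Returns a list of (enclosing_location, directive, args) for every simple
    directive. Comments are stripped; 'include' files are not followed, so
    feed it the merged output of `nginx -T` rather than a single file.
    """
    text = re.sub(r"#[^\n]*", "", text)
    stack, directives = [], []
    for m in re.finditer(r"([^{};]*)([{};])", text):
        body, sym = m.group(1).strip(), m.group(2)
        if sym == "{":
            stack.append(body)          # e.g. "server", "location /status/"
        elif sym == "}":
            if stack:
                stack.pop()
        elif body:
            parts = body.split()
            loc = next((b for b in reversed(stack) if b.startswith("location")), "(global)")
            directives.append((loc, parts[0], parts[1:]))
    return directives


def audit_config(text, allowed_upstreams, web_roots=("/var/www/", "$document_root")):
    """Flag the pieces of an HTTP-to-execution bridge:
      * proxy_pass / fastcgi_pass to an upstream not on the allowlist
        (an unexpected FastCGI listener is how fcgiwrap gets wired in);
      * SCRIPT_FILENAME outside the web root, i.e. nginx asking the CGI
        wrapper to run an arbitrary binary.
    """
    alerts = []
    for loc, directive, args in parse_nginx(text):
        if directive in ("proxy_pass", "fastcgi_pass") and args:
            if args[0] not in allowed_upstreams:
                alerts.append(f"{loc}: {directive} to unlisted upstream {args[0]}")
        elif directive == "fastcgi_param" and len(args) >= 2 and args[0] == "SCRIPT_FILENAME":
            if not args[1].startswith(web_roots):
                alerts.append(f"{loc}: SCRIPT_FILENAME outside web root: {args[1]}")
    return alerts


# Constructed sample configs: hypothetical hosts, ports and paths, not IOCs.
FRONT_CONF = r"""
server {
    listen 443 ssl;
    location /app/ { proxy_pass http://10.0.0.5:8080; }      # documented backend
    location /status/ { proxy_pass http://10.0.0.9:8080; }   # undocumented hop
}
"""

BACKEND_CONF = r"""
server {
    listen 8080;
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location /status/ {
        fastcgi_pass 127.0.0.1:9999;                 # a second FastCGI listener
        fastcgi_param SCRIPT_FILENAME /usr/local/bin/uptime;
        fastcgi_pass_request_body on;                # POST body reaches the binary
    }
}
"""

if __name__ == "__main__":
    for name, conf, allowed in (("front", FRONT_CONF, {"http://10.0.0.5:8080"}),
                                ("backend", BACKEND_CONF, {"unix:/run/php/php-fpm.sock"})):
        for alert in audit_config(conf, allowed):
            print(f"[{name}] {alert}")
```

The allowlist is the point: every legitimate upstream (a PHP-FPM socket, a known application server) should be known in advance, so anything else in a proxy_pass or fastcgi_pass is a finding to explain, not a style nit. Run it against `nginx -T` output from each tier separately, since the front and backend hosts have different legitimate upstreams.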

Authentication as a Backdoor

Once inside, Velvet Ant replaced legitimate 'pam_unix.so' modules with backdoored versions that accepted hardcoded passwords and harvested user credentials. Because pam_unix.so is the module that performs the standard Unix password check for every PAM-aware service (sshd, login, su, sudo), a single replacement covers all of them. Sygnia identified nine distinct malicious PAM variants, each compiled in a separate build environment, signaling a well-resourced adversary. Two variants were notable for their narrow purpose: one acted solely as a backdoor, the other only collected credentials.

The group also replaced ssh, sshd, and scp with trojanized versions that captured credentials and logged every command entered during SSH sessions. Stolen data was stored locally for later retrieval. As Sygnia noted, "administrative activity became fully observable: every login; every command executed across compromised hosts." Access was no longer tied to a specific foothold but embedded into the authentication process itself.
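The check a defender wants for both the PAM replacement and the trojanized OpenSSH binaries is the same: compare what is on disk with what the package manager installed, then compare it again with a hash baseline kept off the host. The following is an added example written for this page, not Sygnia's or BleepingComputer's code. It parses the output format of `rpm -Va` / `dpkg -V`, which is real, but the SAMPLE_RPM_VERIFY excerpt, the path list and the pam_extra.so name used in the usage note are constructed for illustration.

```python
import hashlib

# Files whose replacement puts an attacker inside the login path itself.
# Constructed list for this example; adjust per distro (Debian keeps PAM
# modules under /lib/x86_64-linux-gnu/security, RHEL under /usr/lib64/security).
AUTH_CRITICAL_PREFIXES = (
    "/usr/lib64/security/", "/lib64/security/", "/lib/security/",
    "/lib/x86_64-linux-gnu/security/", "/usr/lib/x86_64-linux-gnu/security/",
    "/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/scp", "/usr/bin/sftp",
    "/etc/pam.d/", "/etc/ssh/",
)


def is_auth_critical(path):
    return path.startswith(AUTH_CRITICAL_PREFIXES)


def parse_verify_output(text):
    """Parse `rpm -Va` / `dpkg -V` output. Each line is a 9-character
    attribute field (S size, M mode, 5 digest, ... T mtime; '.' unchanged,
    '?' not checkable), an optional file-type letter (c = config file), then
    the path. rpm prints the word 'missing' in place of the attributes when
    the file is gone."""
    rows = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2:
            continue
        attrs, path = parts[0], parts[-1]
        ftype = parts[1] if len(parts) == 3 else ""
        rows.append((attrs, ftype, path))
    return rows


def tampered_auth_files(verify_text):
    """Return (path, reason) for auth-critical files whose contents changed
    or that are missing. A changed mtime alone is not reported, and config
    files ('c') are skipped because they change legitimately; review
    /etc/pam.d and sshd_config by hand."""
    hits = []
    for attrs, ftype, path in parse_verify_output(verify_text):
        if not is_auth_critical(path):
            continue
        if attrs == "missing":
            hits.append((path, "missing"))
        elif ftype != "c" and ("5" in attrs or "S" in attrs):
            hits.append((path, "contents changed"))
    return hits


def orphan_modules(present, package_owned):
    """Package verification only covers files some package owns. A module
    dropped beside pam_unix.so, or a spare sshd under another name, never
    shows up in `rpm -V`; diff the directory listing against ownership
    (`rpm -qf`, `dpkg -S`) to find it."""
    return sorted(set(present) - set(package_owned))


def sha256_file(path):
    """Hash a file for comparison against a baseline captured at build time
    and kept off the host: the on-host package database can be edited by
    whoever edited the binaries."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_drift(baseline, current):
    """Compare two {path: sha256} maps. Returns (changed, missing, unexpected)."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return changed, missing, unexpected


# Constructed `rpm -Va` excerpt for this example, not output from the incident.
SAMPLE_RPM_VERIFY = """\
S.5....T.    /usr/lib64/security/pam_unix.so
S.5....T.    /usr/sbin/sshd
S.5....T.    /usr/bin/ssh
.......T.    /usr/bin/scp
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/bin/sftp
.M.......    /var/log/secure
"""

if __name__ == "__main__":
    for path, reason in tampered_auth_files(SAMPLE_RPM_VERIFY):
        print(f"{reason:16} {path}")
```

Two caveats matter on a host like the ones described here. First, if ssh, sshd and scp were swapped, assume rpm, dpkg and their databases could have been too, so run the verification from a trusted boot medium or compare against vendor package checksums fetched on a clean machine, and feed `baseline_drift` hashes from a baseline that never lived on the host. Second, `orphan_modules` is the check for the case package verification cannot see: a hypothetical pam_extra.so sitting next to pam_unix.so and referenced from /etc/pam.d is owned by no package, so `rpm -V` says nothing about it.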

The Cleanup Nightmare

Evicting Velvet Ant was, in the short term, riskier than leaving the implants running. The group had replaced so many critical system components that a naive removal could have broken authentication entirely and locked legitimate administrators out of their own hosts. Sygnia built a test lab to validate each binary replacement, profiled every host, tested the results, and prepared rollback procedures before touching production.

Treat authentication components - PAM, OpenSSH, Windows LSASS - as critical security assets. Protect them with EDR, file integrity monitoring, hardened privileged access, and MFA. Plan for offline recovery with immutable backups tested on validated recovery hosts. The next Velvet Ant won't need 10 years to find the same hole.


Source: Chinese hackers hijack auth flow, spy on isolated network for a decade
Domain: bleepingcomputer.com
