Chinese hackers hijack auth flow, spy for a decade

A China-linked cyberespionage operation known as “Operation Highland” kept access inside an isolated critical-infrastructure network for 10 years by taking control of authentication. Researchers from Sygnia say the intruders modified core login components—Linu

When authentication stops being a door and becomes a window, the damage lasts far longer than a detected intrusion. That’s the core of what Sygnia researchers say happened in “Operation Highland,” a campaign they track to the Velvet Ant cyberespionage threat group.

Velvet Ant compromised a large organization and maintained persistence for 10 years, with full visibility into administrative activity. The operation began in 2016. Early on, the attackers targeted vulnerable internet-facing systems. From there, they pivoted to an “air-gapped” environment—a network with no direct internet connection—yet still managed to reach deep inside the critical infrastructure enclave.

Sygnia says Velvet Ant’s lengthy activity was documented in 2024. In that year, Sygnia warned of a campaign targeting F5 BIG-IP devices that had operated undetected for three years. Also in 2024, Cisco warned of a zero-day in NX-OS running on Nexus switches, which Velvet Ant exploited to gain access to targets.

The initial access path starts with compromised servers exposed to the internet, though the researchers do not name the specific product or the vulnerability used. Once inside, Velvet Ant deployed a modified GS-Netcat reverse shell disguised as a legitimate system component. That shell connected to a hardcoded relay domain, delivering encrypted remote shell access.

Persistence followed. Sygnia says the attackers achieved it either through a malicious systemd service or through startup script modification.

From there, the intruders installed a custom SOCKS5 proxy to tunnel traffic and reach internal systems that were not directly accessible from the internet. The proxy ran as a daemon masquerading as “smbd -D,” using different filenames and ports on each host. Each compromised server became a pivot point for the next move.
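A daemon that calls itself “smbd -D” but runs from a file that is not the Samba binary is exactly the mismatch a defender can check for. The following added example (not code from the article or from Sygnia) compares each process’s claimed name in argv[0] with the path its executable link actually points to; the process records and the expected-path table are constructed assumptions.

```python
import os

# Constructed records shaped like what a defender reads from /proc/<pid>/cmdline and
# /proc/<pid>/exe on Linux (sample data, not values from the report).
SAMPLE_PROCESSES = [
    {"pid": 812, "cmdline": "/usr/sbin/smbd -D", "exe": "/usr/sbin/smbd"},
    {"pid": 2231, "cmdline": "smbd -D", "exe": "/var/tmp/.cache/smbd"},
    {"pid": 2299, "cmdline": "smbd -D", "exe": "/usr/local/lib/.x/sd (deleted)"},
    {"pid": 3001, "cmdline": "sshd: /usr/sbin/sshd -D", "exe": "/usr/sbin/sshd"},
]

# Where the genuine binary behind a claimed daemon name is expected to live
# (assumption: Debian/Ubuntu layout; extend for other daemons and distributions).
EXPECTED_EXE = {"smbd": {"/usr/sbin/smbd"}, "sshd": {"/usr/sbin/sshd"}}

def suspicious(proc):
    """Return a reason if argv[0] claims a known daemon name the real binary does not back, else None."""
    argv = proc["cmdline"].split()
    if not argv:
        return None
    claimed = os.path.basename(argv[0]).rstrip(":")
    if claimed not in EXPECTED_EXE:
        return None
    exe = proc["exe"]
    unlinked = exe.endswith(" (deleted)")
    real = exe[: -len(" (deleted)")] if unlinked else exe
    if real in EXPECTED_EXE[claimed] and not unlinked:
        return None
    why = "binary was deleted from disk after start" if unlinked else "binary lives outside the expected path"
    return f"pid {proc['pid']} claims '{claimed}' but runs {real}: {why}"

def find_masquerading(procs):
    """Apply suspicious() to a list of process records and return (pid, reason) pairs."""
    return [(p["pid"], suspicious(p)) for p in procs if suspicious(p)]

def read_proc():
    """Collect the same fields from a live Linux /proc; reading another user's exe link needs root."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel threads and processes this user may not inspect
        procs.append({"pid": int(pid), "cmdline": cmdline, "exe": exe})
    return procs

if __name__ == "__main__":
    for pid, reason in find_masquerading(SAMPLE_PROCESSES):
        print(reason)
```

A long-running daemon whose package was upgraded underneath it also shows “(deleted)”, so treat that finding as a lead to confirm against package state, not a verdict.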

The most striking part of the campaign, Sygnia says, was how Velvet Ant created a remote execution path into the segregated environment using only HTTP requests. They modified the configuration of a compromised internet-facing Nginx server so specially crafted requests were proxied to a compromised backend server. That backend server’s Nginx configuration was also altered to forward requests to a FastCGI process—fcgiwrap—listening on a separate port. The FastCGI wrapper then acted as an execution bridge, processing requests and launching a custom binary named “uptime.”

Sygnia says this tool established SSH connections to systems within the isolated critical infrastructure network using parameters supplied in HTTP POST requests.

“By chaining these modifications, Velvet Ant established a remote-execution path into the segregated environment via simple HTTP requests, with no direct connection to the critical infrastructure network ever required.”

The intrusion might have been serious already. But Sygnia frames the longer-lasting breakthrough as something quieter and more dangerous: shifting control into the authentication process itself.

Instead of relying on stolen access that could be revoked or disrupted, Velvet Ant targeted Linux Pluggable Authentication Modules (PAM)—the libraries administrators use to configure how users authenticate. Sygnia says the attackers replaced legitimate “pam_unix.so” modules with backdoored versions that accept hardcoded passwords and harvest user credentials.

Sygnia identified nine distinct variants of the malicious PAM module, each compiled in a separate build environment, suggesting a well-resourced threat actor. The researchers say two of the malicious PAM modules stand out because they act as a backdoor only and also collect credentials.

Velvet Ant also replaced OpenSSH components—including “ssh,” “sshd,” and “scp”—with trojanized versions. These captured credentials, logged commands entered during SSH sessions, and stored the collected data locally for future retrieval.

By extending their control to PAM and OpenSSH, Sygnia says the threat actor could access credentials as they were used in the target environment and bypass the authentication flow.

“Administrative activity became fully observable: every login; every command executed across compromised hosts. Access was no longer tied to a specific foothold but embedded into the authentication process itself,” the researchers explain.

That design helped the attackers endure changes defenders typically rely on. Sygnia says the hackers ensured persistence despite password changes and session terminations, while reducing the effectiveness of conventional containment measures.

Even after discovery, Sygnia says cleanup was a struggle. The attackers had replaced so many critical components with custom versions that removing them risked breaking authentication—locking legitimate administrators out and causing operational outages.

To address that, Sygnia built a testing lab to validate the binary replacement process. Researchers profiled each host, tested outcomes, and prepared rollback procedures before attempting cleanup.

For defenders, Sygnia’s recommendations are blunt. Authentication components such as PAM, OpenSSH, and Windows LSASS should be treated as critical security assets. They should be protected with endpoint detection and response, file integrity monitoring, hardened privileged access, multi-factor authentication (MFA), and continuous monitoring for unauthorized modifications.
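The file integrity monitoring Sygnia recommends comes down to a baseline of the authentication binaries and a check that notices when one of them changes underneath the administrators. This added example (not code from the article or from Sygnia) builds such a baseline and reports modified, missing, or newly appeared components; the component paths are an assumed Debian/Ubuntu layout, and the demo runs against a constructed temporary copy of a “pam_unix.so”.

```python
import hashlib, os, tempfile
from pathlib import Path

# Assumed Debian/Ubuntu locations of the components the article names; adjust per distribution.
AUTH_COMPONENTS = ["/lib/x86_64-linux-gnu/security/pam_unix.so", "/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/scp"]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record hash and mode of every path that exists; an absent path is recorded as None."""
    baseline = {}
    for p in paths:
        if os.path.exists(p):
            baseline[p] = {"sha256": sha256_of(p), "mode": os.stat(p).st_mode}
        else:
            baseline[p] = None
    return baseline

def check_against(baseline):
    """Report baselined paths whose hash or mode changed, that vanished, or that newly appeared."""
    report = {"modified": [], "missing": [], "appeared": []}
    for p, rec in baseline.items():
        exists = os.path.exists(p)
        if rec is None:
            if exists:
                report["appeared"].append(p)
        elif not exists:
            report["missing"].append(p)
        elif sha256_of(p) != rec["sha256"] or os.stat(p).st_mode != rec["mode"]:
            report["modified"].append(p)
    return report

def demo():
    """Constructed scenario: a 'pam_unix.so' is baselined, then overwritten the way a trojanized copy would be."""
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "pam_unix.so"
        fake.write_bytes(b"legitimate module bytes")
        # On a real host: build_baseline(AUTH_COMPONENTS), then keep the result off-host on immutable storage.
        baseline = build_baseline([str(fake), str(Path(d) / "sshd")])
        fake.write_bytes(b"backdoored module bytes")  # same path and name, different contents
        return check_against(baseline)

if __name__ == "__main__":
    print(demo())
```

A baseline kept on the same host is only as trustworthy as the host, which is why it belongs with the offline recovery material rather than next to the binaries it describes.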

Sygnia also urges planning for offline recovery. That includes backups on a schedule that automatically creates snapshot copies on immutable storage. Restoration should be rehearsed: test the backups, the recovery hosts, and the recovery scripts on operating-system builds validated for use.

In Operation Highland, the most chilling detail isn’t simply that Velvet Ant got in. It’s that it stayed by quietly taking over the part of the system designed to say “who gets in”—turning authentication into surveillance for 10 years.

4 Comments

  1. Air-gapped sounds like it should be safe, but apparently it’s not. If they can still “spy for a decade,” what even is the point of security updates anymore?

  2. Wait, I thought air-gapped means no internet, so how did “authentication” get hijacked? Like did someone plug in a USB or something? Also Velvet Ant sounds like a malware nickname from a movie, idk.

  3. This is why I don’t trust login systems. If it’s Chinese hackers doing it then blame should be on whoever made the software, not the “network people” who just work there. And “F5 BIG-IP” sounds like a phone app or something, so I’m confused why that’s the target. Ten years is insane though, like how did nobody notice the weird admin stuff?
