A decade-long intrusion into an air-gapped critical infrastructure network, uncovered by Sygnia researchers under the label "Operation Highland," illustrates how a well-resourced threat actor can reduce conventional containment measures to near irrelevance once it controls the authentication layer.
The campaign, attributed to the Chinese cyberespionage cluster known as Velvet Ant, began in 2016. Entry points were internet-facing servers, though Sygnia has not disclosed the specific products or vulnerabilities involved. On those perimeter hosts, the attackers deployed a modified GS-Netcat reverse shell disguised as a legitimate system component, connecting back to a hardcoded relay domain over an encrypted channel. The shell maintained persistence by either installing a malicious systemd service or altering startup scripts.
A custom SOCKS5 proxy, masquerading as the process smbd -D and using varying filenames and ports across different hosts, turned each compromised server into a pivot point for reaching systems further inside the network.
Background: Velvet Ant has appeared in prior Sygnia reporting, most notably a 2024 campaign targeting F5 BIG-IP appliances that ran undetected for three years. Cisco also flagged the group that year for exploiting a zero-day in NX-OS on Nexus switches.
The more technically notable step was bridging into the isolated environment without establishing a persistent direct tunnel. Velvet Ant altered the configuration of a compromised internet-facing Nginx server so it would forward specially crafted HTTP requests to a backend server, whose own Nginx configuration was modified to pass those requests to a FastCGI process. That process launched a custom binary named uptime, which in turn opened SSH connections into the segregated network using parameters supplied in the incoming POST requests. The chain meant the restricted network could be reached via ordinary HTTP traffic, with no standing connection between the public internet and the isolated segment.
Once inside, the group shifted toward durable persistence. Legitimate pam_unix.so modules were swapped for backdoored versions that both accepted hardcoded passwords and captured credentials as legitimate users authenticated. Sygnia identified nine distinct compiled variants of the malicious module, with two functionally separate types — one acting purely as a backdoor and the other focused on credential harvesting — pointing to separate build environments and considerable resourcing. SSH binaries, including ssh, sshd, and scp, were replaced with trojanized counterparts that logged commands and exfiltrated session data for later retrieval.
With PAM and OpenSSH under attacker control, every administrative login and command across affected hosts was visible to Velvet Ant. Credential changes by defenders provided no relief because the attackers intercepted credentials at the point of use rather than relying on stored secrets tied to a single foothold.
Remediation proved as complex as the intrusion itself. So many core binaries had been replaced that removing them without first validating substitutes risked locking administrators out or triggering operational failures. Sygnia constructed a dedicated test laboratory to profile each host, validate replacement binaries, and prepare rollback procedures before touching production systems.
For professionals: Sygnia recommends treating PAM, OpenSSH, and Windows LSASS as critical security assets subject to EDR coverage, file integrity monitoring, and MFA-protected privileged access. Offline recovery planning — including immutable snapshot schedules and pre-validated OS images for recovery hosts — is advised given the difficulty of remediating compromised authentication stacks in live environments. Defenders should also audit Nginx and FastCGI configurations on internet-facing servers for unexpected proxy or execution rules that could serve as execution bridges.
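One way to act on the Nginx/FastCGI audit recommended above is a small configuration check that walks each location block and flags forwarding targets outside an allowlist, plus FastCGI SCRIPT_FILENAME values that point outside the web root. This is an added example and not Sygnia's tooling; the sample configuration, the allowlist and the /opt/tools/uptime path are constructed for illustration.

```python
# Audit an Nginx config for forwarding rules not on an allowlist. Added example, not
# Sygnia's tooling; the config and allowlist are constructed: an expected PHP-FPM
# handler plus an unexpected bridge to a FastCGI process executing a binary "uptime".
import re

SAMPLE_CONF = """
server {
    location /api/ { proxy_pass http://app; }
    location ~ \\.php$ {
        fastcgi_pass unix:/run/php-fpm.sock;  # expected
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location /status/ {
        fastcgi_pass 127.0.0.1:9001;          # not on the allowlist
        fastcgi_param SCRIPT_FILENAME /opt/tools/uptime;
    }
}
"""
ALLOWED_UPSTREAMS = {"http://app", "unix:/run/php-fpm.sock"}
LOC_RE = re.compile(r"location\s+(.+?)\s*\{(.*)")
DIRECTIVE_RE = re.compile(r"(proxy_pass|fastcgi_pass|fastcgi_param\s+SCRIPT_FILENAME)\s+([^;]+);")

def parse_locations(conf: str) -> dict:
    """Return {location: {directive: value}} for the forwarding directives."""
    found, current, depth = {}, None, 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if m := LOC_RE.match(line):                  # a location block opens
            current, line = m.group(1), m.group(2)
            found[current], depth = {}, 1
        if current is not None:
            depth += line.count("{") - line.count("}")
            for name, value in DIRECTIVE_RE.findall(line):
                key = "script_filename" if name.startswith("fastcgi_param") else name
                found[current][key] = value.strip()
            if depth <= 0:                           # block closed
                current = None
    return found

def audit(conf: str, allowed: set) -> list:
    # Flag forwards to unlisted upstreams and FastCGI scripts outside the web root.
    findings = []
    for loc, d in parse_locations(conf).items():
        for name in ("proxy_pass", "fastcgi_pass"):
            if name in d and d[name] not in allowed:
                findings.append((loc, name, d[name]))
        script = d.get("script_filename", "$document_root")
        if not script.startswith("$document_root"):
            findings.append((loc, "script_filename", script))
    return findings
```

Running `audit(SAMPLE_CONF, ALLOWED_UPSTREAMS)` reports only the /status/ block, which forwards to an unlisted FastCGI socket and names a script outside $document_root; on a real host, feed it the output of `nginx -T` and a vetted allowlist.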
The operation underscores that network segmentation, while valuable, does not substitute for integrity controls on the software handling authentication. An isolated network whose authentication stack has been replaced effectively grants persistent, credential-independent access to whoever controls those components.
Automated pipeline · Security
Synthesized from 1 industry feed on 13 Jun 2026. First draft failed editor review; a revised version was approved before publication. Style guide v1.1.
Sources
Decision trail
- Checking for duplicates — New story Chinese hackers maintained authentication stack compromise for a decade with admin visibility.
- Writing the article — Draft created article_id=7 slug=velvet-ant-maintained-decade-long-foothold-by-subverting-authentication-stack
- Editor review — Rejected
- Quote integrity: Material issue. The blockquote attributed to Sygnia — 'Administrative activity became fully observable: every login — every command executed across compromised hosts. Access was no longer tied to a specific foothold but embedded into the authentication process itself.' — is presented with an em-dash attribution line as though it is a verbatim source quote. The source text shows this as indirect reported speech ('the researchers explain'), not a direct quotation set off with quotation marks in the source. The style guide states the quote block is ONLY for a verbatim quote that appears word-for-word in the source material. The source does use quotation marks around this passage, so the wording is verbatim — however, the attribution format ('— Sygnia') does not follow the required format of attributing to a named person and outlet. The style guide requires attribution to 'the named person and outlet.' Attributing to an organisation rather than a named individual violates the rule. This is a borderline material issue.
- Factual grounding — GS-Netcat persistence mechanism: Minor. The draft omits that the GS-Netcat shell achieved persistence via a malicious systemd service or startup script modification, which is a specific technical detail in the source. The draft simply says it was 'disguised as a system component' without noting the persistence mechanism. This is an omission rather than an invention, so minor.
- Factual grounding — 'uptime' binary name: Minor. The source specifically names the custom binary executed via the FastCGI wrapper as 'uptime.' The draft omits this name, referring only to 'a custom binary.' Not an invented fact, but a loss of specificity.
- Factual grounding — hardcoded relay domain for GS-Netcat: Minor. The source states the GS-Netcat shell 'connected to a hardcoded relay domain.' The draft omits this detail, describing it only as a 'reverse shell.' Minor omission.
- Factual grounding — PAM module distinction: Minor. The source notes that two of the nine malicious PAM modules stood out for acting as a backdoor only versus collecting credentials. The draft does not distinguish between the two functional types. Minor omission.
- Style compliance — word count: Minor. The body text (excluding the Sources section) is approximately 730-750 words, which approaches or reaches the hard maximum of 750 words. The style guide sets a hard maximum of 750 words.
- Style compliance — Sources section completeness: Minor. Only one source (BleepingComputer) is listed. The style guide requires linking every source article provided. Only one source text was provided, so this is compliant, but editors should confirm no additional sources were supplied.
- No copied phrasing — 'a chain that required no persistent tunnel directly into the restricted network': Minor. The source states 'with no direct connection to the critical infrastructure network ever required.' The draft's phrasing 'required no persistent tunnel directly into the restricted network' restructures the idea adequately, though remains close in concept. Borderline but acceptable paraphrase.
- Quote block attribution format: Material. Per style guide, quote blocks must be attributed to 'the named person and outlet.' The draft attributes the quote solely to 'Sygnia' (an organisation) with no named individual. The style guide rule is explicit: 'always attributed to the named person and outlet.' No named researcher is given in the source, but the style guide's absolute rule cannot be satisfied here — the quote block should therefore be omitted and replaced with a paraphrase, or the source's indirect-speech framing should be retained.
- Writing the article — Rewritten editor-driven rewrite
- Editor review — Approved
- Factual grounding — nine variants interpretation: The article states 'nine distinct compiled variants... with two functionally separate types — one acting purely as a backdoor and the other focused on credential harvesting — pointing to separate build environments.' The source says 'nine distinct variants of the malicious PAM module, each compiled in a separate build environment' and separately that two stand out for their distinct functions. The article's inference that the two types point to 'separate build environments' conflates two separate source statements — the source attributes separate build environments to all nine variants, not specifically to the two functional types. Minor misrepresentation but potentially misleading. Classified as minor.
- Quote integrity — blockquote not used: No blockquote with a verbatim quote is present in the article (the Background and For professionals blocks are callouts, not quote blocks). This is compliant with the style guide. No issue.
- Factual grounding — 'immutable snapshot schedules': The source says 'strict backups with an adequate schedule for automatically creating snapshots with immutable copies.' The article renders this as 'immutable snapshot schedules,' which is a reasonable paraphrase. Minor.
- No copied phrasing — 'reducing conventional containment measures to near irrelevance': The standfirst and body echo the source phrase 'reduced the effectiveness of conventional containment measures' fairly closely in concept, though the wording is changed. The standfirst's 'reduce conventional containment measures to near irrelevance' is a close paraphrase of the source's quoted researcher language. Minor style issue.
- Factual grounding — single source: Only one source is listed and used. The style guide says to synthesize from ALL provided sources, but only one source was provided, so this is not a violation. No issue.
- Style compliance — word count: Body text appears to be approximately 700-730 words, which exceeds the 620-word target and approaches the 750-word hard maximum. This is a minor style compliance issue but does not reach the hard cap.
- Assigning hero image — Pexels pexels_id=2881233
- Linking related stories — Linked 0 relations from 0 candidates
- Linking related stories — Linked 0 relations from 4 candidates
- Publishing — Published velvet-ant-maintained-decade-long-foothold-by-subverting-authentication-stack