
Chinese hackers hijack the auth flow, spy on an isolated network for a decade

The Chinese hackers took control of the target organization's authentication stack and maintained persistence for 10 years, with full visibility into administrative activity.

Dubbed “Operation Highland,” this intrusion is attributed to the Velvet Ant cyberespionage group, which targets vulnerable Internet-facing systems before entering a network with no direct external access.

Chinese hackers belonging to the “Velvet Ant” operations group breached the classified network of a major corporation’s critical infrastructure and conducted cyber-espionage operations for 10 years.


The campaign, called “Operation Highland” by the Sygnia researchers who discovered it, began in 2016, targeting vulnerable internet-facing systems before moving into an “air-gapped” area with no direct internet connection.

Velvet Ant’s long-term espionage activities were documented in 2024, when Sygnia warned of a campaign targeting F5 BIG-IP devices that ran undetected for three years.

Also in 2024, Cisco warned of a zero-day in the NX-OS software running on Nexus switches, which Velvet Ant exploited to gain access to targets.

Velvet Ant attack chain

The attack began with the compromise of Internet-facing servers, although the researchers did not name the specific product or any vulnerability that was used.

Velvet Ant deployed a modified GS-Netcat shell disguised as a legitimate system component, which connected to a hard-coded forwarding domain to provide encrypted remote shell access.

The shell acquired persistence either through a malicious system service or through modification of the startup script.

Disassembly showing the use of GS-Netcat
Source: Sygnia

Next, Velvet Ant installed a custom SOCKS5 proxy for tunneling network traffic, which gave it access to internal systems that are not directly reachable from the Internet.

The proxy ran as a daemon impersonating ‘smbd -D,’ using different filenames and ports on each host, and turned the compromised servers into internal pivot points.

SOCKS5 proxy script
Source: Sygnia
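A process can put anything in its own argv[0], so a daemon that presents itself as ‘smbd -D’ in a process listing is easy to miss; the kernel, however, still reports the file actually being executed through /proc/<pid>/exe. The following script is an added example (not Sygnia's tooling or part of the report) that compares the two and flags the mismatch. The EXPECTED_EXE table and the sample process list are constructed for the demo and are assumptions, not indicators from the page.

```python
"""Flag daemons whose command line claims one program while the process
executable is another file (an added defender-side example)."""
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed install locations of the daemons worth checking; adjust per distro.
EXPECTED_EXE: Dict[str, str] = {
    "smbd": "/usr/sbin/smbd",
    "sshd": "/usr/sbin/sshd",
    "nginx": "/usr/sbin/nginx",
}


@dataclass
class Proc:
    pid: int
    cmdline: List[str]  # argv as read from /proc/<pid>/cmdline
    exe: str            # target of the /proc/<pid>/exe symlink


def claimed_name(cmdline: List[str]) -> str:
    """Program name the process advertises in argv[0], without a directory.
    Daemons that rewrite their title (e.g. "nginx: worker process") carry a
    trailing colon, which is stripped so they still match the table."""
    return os.path.basename(cmdline[0]).rstrip(":") if cmdline else ""


def find_masquerades(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, claimed_name, actual_exe) for each process whose argv[0]
    names a known daemon but whose executable is not that daemon's binary.
    A binary deleted after launch shows up as '<path> (deleted)' and is
    therefore flagged as well."""
    findings = []
    for p in procs:
        name = claimed_name(p.cmdline)
        expected = EXPECTED_EXE.get(name)
        if expected is not None and p.exe != expected:
            findings.append((p.pid, name, p.exe))
    return findings


def read_live_procs() -> List[Proc]:
    """Collect Proc records from /proc on a Linux host; pids that vanish or
    whose exe link is unreadable (reading other users' links needs root) are skipped."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue
        procs.append(Proc(int(entry), argv, exe))
    return procs


# Constructed sample process table: a genuine smbd, a genuine nginx worker,
# and a binary dropped under /var/tmp (placeholder path) that sets its argv
# to "smbd -D".
SAMPLE_PROCS = [
    Proc(812, ["/usr/sbin/smbd", "-D"], "/usr/sbin/smbd"),
    Proc(950, ["nginx:", "worker", "process"], "/usr/sbin/nginx"),
    Proc(4410, ["smbd", "-D"], "/var/tmp/.cache/x"),
]

if __name__ == "__main__":
    # Swap SAMPLE_PROCS for read_live_procs() to audit the running host.
    for pid, claimed, actual in find_masquerades(SAMPLE_PROCS):
        print(f"pid {pid}: argv[0] says '{claimed}' but the executable is {actual}")
```

On a live host the check is only as good as the reading of /proc, so it belongs on a trusted EDR or host agent rather than in a cron job on the suspect machine; the same comparison is also a cheap hunting query against endpoint telemetry that already records both the command line and the image path.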

The most interesting part of the attack was the creation of a remote execution method into the isolated network.

To achieve this, Velvet Ant modified the configuration of the compromised web-facing Nginx server to proxy specially crafted requests to the compromised back-end server.

The Nginx configuration on the back-end server was also changed to forward those requests to a FastCGI process (fcgiwrap) listening inside the isolated environment.

The FastCGI wrapper acted as an execution bridge, processing the requests and launching a custom binary called ‘runtime.’

That tool established SSH connections to systems inside the isolated critical infrastructure network, using parameters supplied in HTTP POST requests.

“By combining these changes, Velvet Ant has created a way to remotely operate in a decentralized environment with simple HTTP requests, with no direct connection to the critical infrastructure network ever needed.” – Sygnia
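The whole bridge described above lives in Nginx configuration: a location on the front-end that proxies to a second host, and a location on that host that hands requests to fcgiwrap with a script path pointing at a binary. That makes a configuration audit a natural detection. The script below is an added example (not from Sygnia or the report): a minimal Nginx config parser plus a walk over every location block that records where requests are routed and flags FastCGI scripts outside an allowed web root or proxy_pass targets not on an allowlist. The two sample configurations, the allowlists and every path in them are constructed for the demo, not indicators from the page.

```python
"""Inventory nginx routes that can reach an execution path and flag the
ones outside an allowlist (an added defender-side example)."""
import re
from typing import List, NamedTuple

# Assumed allowlists for the audited server.
ALLOWED_SCRIPT_ROOTS = ["/var/www/"]           # where FastCGI scripts may live
ALLOWED_UPSTREAMS = ["http://127.0.0.1:9000"]  # proxy_pass targets we know about


class Finding(NamedTuple):
    location: str    # the location block's matcher, e.g. "/api/"
    kind: str        # "fastcgi" or "proxy"
    target: str      # socket, host or URL the request is handed to
    script: str      # SCRIPT_FILENAME for fastcgi routes, "<unset>" otherwise
    suspicious: bool


def parse_nginx(text: str) -> list:
    """Parse nginx syntax into nested (name, args, children) tuples; children
    is None for a simple directive. Comments are stripped first. Enough for
    an audit, not a full grammar (quoted strings with braces are not handled)."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    pos = 0

    def block() -> list:
        nonlocal pos
        items, args = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                if args:
                    items.append((args[0], args[1:], None))
                args = []
            elif tok == "{":
                name, rest, args = args[0], args[1:], []
                items.append((name, rest, block()))
            elif tok == "}":
                break
            else:
                args.append(tok)
        return items

    return block()


def execution_routes(tree: list) -> List[Finding]:
    """Walk every location block at any depth and record where it routes."""
    findings: List[Finding] = []
    for name, args, children in tree:
        if children is None:
            continue
        if name == "location":
            loc = " ".join(args)
            script = next((a[1] for n, a, _ in children
                           if n == "fastcgi_param" and len(a) > 1 and a[0] == "SCRIPT_FILENAME"),
                          "<unset>")
            for n, a, _ in children:
                if n == "fastcgi_pass" and a:
                    # fcgiwrap is a legitimate CGI bridge; the signal is what it is
                    # pointed at, so an unset or out-of-tree SCRIPT_FILENAME is flagged.
                    ok = any(script.startswith(root) for root in ALLOWED_SCRIPT_ROOTS)
                    findings.append(Finding(loc, "fastcgi", a[0], script, not ok))
                elif n == "proxy_pass" and a:
                    findings.append(Finding(loc, "proxy", a[0], "<unset>", a[0] not in ALLOWED_UPSTREAMS))
        findings.extend(execution_routes(children))
    return findings


def audit(config_text: str) -> List[Finding]:
    return execution_routes(parse_nginx(config_text))


# Constructed front-end config: a normal PHP route and one odd path handed to
# a second host that is not a known upstream.
FRONTEND_CONF = """
http {
  server {
    listen 443 ssl;
    location /static/ { root /var/www; }
    location ~ \\.php$ {
      fastcgi_pass unix:/run/php/php-fpm.sock;
      fastcgi_param SCRIPT_FILENAME /var/www/app$fastcgi_script_name;
    }
    location /api/v2/health/ {   # constructed suspicious route
      proxy_pass http://10.20.30.40:8088;
    }
  }
}
"""

# Constructed back-end config on that second host: the same path is wired to
# fcgiwrap with a script outside any web root (placeholder path).
BACKEND_CONF = """
server {
  listen 8088;
  location /api/v2/health/ {
    fastcgi_pass unix:/run/fcgiwrap.socket;
    fastcgi_param SCRIPT_FILENAME /opt/.cache/runtime;
    include fastcgi_params;
  }
}
"""

if __name__ == "__main__":
    for label, conf in (("front-end", FRONTEND_CONF), ("back-end", BACKEND_CONF)):
        for f in audit(conf):
            flag = "SUSPICIOUS" if f.suspicious else "ok"
            print(f"{label}: location '{f.location}' -> {f.kind} {f.target} script={f.script} [{flag}]")
```

Run against the real files (nginx.conf plus everything it includes), the output is an inventory of every route that can hand a request to another process; diffing that inventory against the previous run, or against the configuration kept in version control, turns a one-off audit into change detection for exactly the kind of edit described in the report.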

After securing its access to an isolated environment, Velvet Ant shifted its focus to long-term persistence and credential theft by targeting Linux Pluggable Authentication Modules (PAM), a set of libraries that allow administrators to configure user authentication methods.

The attackers replaced the legitimate ‘pam_unix.so’ module with backdoored versions that accept hard-coded passwords and harvest user credentials.

Sygnia identified nine different variants of the malicious PAM module, each built for a different architecture, which points to a well-resourced threat actor.

The researchers say that two of the malicious PAM modules stand out because they function only as a backdoor and data gatherer.

Velvet Ant also replaced OpenSSH components such as ssh, sshd, and scp with trojanized versions that captured credentials, logged the commands entered during SSH sessions, and stored the collected data locally for later retrieval.

Sygnia says that by extending its control over the authentication process through the modified PAM and OpenSSH components, the threat actor could see credentials as they were used in the target environment and could bypass the authentication flow entirely.

“The control function became fully visible: every login; every command executed on all vulnerable hosts. Access was no longer tied to a specific location but embedded in the authentication process itself,” the researchers explain.

In this way, the hackers kept their persistence despite password changes and session terminations, and reduced the “effectiveness of common containment measures.”

Complex cleanup

Sygnia says that even after the compromise was found, remediating it and evicting Velvet Ant from the compromised environment was very difficult.

The threat actors had replaced so many sensitive components with custom versions that removing them could break authentication, lock out legitimate administrators, and cause operational disruption.

To address this, the researchers built a test lab to validate the binary replacement process, profile each host, evaluate the results, and prepare rollback procedures before attempting the cleanup.

Sygnia recommends that defenders treat authentication components such as PAM, OpenSSH, and Windows LSASS as critical security assets and protect them with EDR, file integrity monitoring, strong privileged access controls, multi-factor authentication (MFA), and continuous monitoring for unauthorized modifications.
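The file integrity monitoring in that recommendation is simple to implement and is the control that would have caught a swapped pam_unix.so or sshd. The script below is an added example (not Sygnia's tooling): it baselines the digests of a watched set of authentication components, stores them, and reports any drift. The component list is an assumption (Debian-style paths), and the demo function exercises the check against constructed files in a temporary directory rather than the live system.

```python
"""Baseline and verify the integrity of authentication components
(an added defender-side example)."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

# Assumed paths of the components worth watching; adjust per distro.
AUTH_COMPONENTS = [
    "/lib/x86_64-linux-gnu/security/pam_unix.so",
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/usr/bin/scp",
    "/etc/pam.d/sshd",          # PAM config decides which modules run at all
    "/etc/pam.d/common-auth",
]

MISSING = "MISSING"


def sha256_file(path: str) -> str:
    """SHA-256 of a file, or MISSING when it cannot be read (absent files are
    also drift: a removed module is as interesting as a replaced one)."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return MISSING


def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Map each watched path to its digest. Take the baseline from a known-good
    state (fresh install or trusted image); a baseline taken from an already
    compromised host simply enshrines the trojanized files."""
    return {p: sha256_file(p) for p in paths}


def verify(baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, expected_digest, current_digest) for every file that drifted."""
    drift = []
    for path, expected in baseline.items():
        current = sha256_file(path)
        if current != expected:
            drift.append((path, expected, current))
    return drift


def save_baseline(baseline: Dict[str, str], store: str) -> None:
    with open(store, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(store: str) -> Dict[str, str]:
    with open(store) as fh:
        return json.load(fh)


def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario: baseline a fake component tree, replace the
    pam_unix.so stand-in as the report describes, and return verify()'s output."""
    with tempfile.TemporaryDirectory() as root:
        paths = [os.path.join(root, p.lstrip("/")) for p in AUTH_COMPONENTS]
        for p in paths:
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as fh:
                fh.write(b"original contents of " + os.path.basename(p).encode())
        store = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(paths), store)
        with open(paths[0], "wb") as fh:   # simulate the module swap
            fh.write(b"replaced module")
        return verify(load_baseline(store))


if __name__ == "__main__":
    for path, expected, current in demo():
        print(f"DRIFT {path}: baseline {expected[:12]}... now {current[:12]}...")
```

Two caveats follow from the report itself. The baseline has to live off the host or on immutable storage, since an attacker who can replace sshd can also rewrite a JSON file beside it. And on a host that is already suspect the check should be run from a trusted boot medium, because the ssh, scp and even the hashing tools on the box may be the trojanized copies; the distro's own package manifests (`dpkg --verify` or `rpm -Va`) give an independent reference when no pre-compromise baseline exists.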

Organizations should also plan for offline recovery, which includes robust backups with automated snapshots kept as immutable copies.

The recovery plan should cover verifying the backups, building recovery hosts from trusted operating system images, and maintaining recovery documentation.
