A China-nexus threat group known as Velvet Ant hid inside one organization’s network for nearly a decade. Sygnia’s incident response team uncovered the campaign and named it Operation Highland. Notably, the most sensitive segment had no direct internet connection. Even so, the attackers still reached it.
A Decade of Silent Access
Forensic artifacts trace the earliest activity back to 2016. Therefore, the group hid for almost ten years. According to Sygnia, this “is not an isolated campaign.” The same actor had earlier abused F5 BIG-IP appliances. It also exploited CVE-2024-20399, a Cisco NX-OS zero-day, to plant the VELVETSHELL backdoor on Nexus switches.
Across these cases, one pattern stands out. When defenders close in, Velvet Ant pivots to quieter infrastructure. Then it rebuilds persistence from a fresh position.

Three Stages Into an Isolated Network
The attackers avoided phishing and brute force. Instead, they engineered a deliberate, multi-stage access chain. First, they planted persistence on internet-facing servers. Next, they moved through the IT network. Finally, they reached the segregated critical infrastructure segment.
Tools Built for Cover
On exposed servers, the group deployed a modified GS-Netcat reverse shell. They renamed the binary “auditdb” and hid it in /usr/sbin/. To slip past analysts, it even disguised itself as the kernel thread “[khubd]”. For persistence, the malware abused systemd unit files on newer hosts and SysVinit scripts on older ones. Additionally, a Perl SOCKS5 proxy posed as “smbd -D” while routing traffic. Each sample used a unique filename, process name, and port. As a result, defenders struggled to link the activity across hosts.
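The disguises above leave a seam that defenders can check for. A genuine kernel thread has no executable behind /proc/&lt;pid&gt;/exe, an empty cmdline, and kthreadd (pid 2) as its parent, so a “[khubd]” with a real binary or a user-space parent is a fake; likewise a process titled “smbd -D” whose executable is actually an interpreter is worth a look. The following triage script is an added example, not code from Sygnia or from the report. The Proc fields and the SAMPLE rows are constructed here to mirror the tricks described; read_live_procs() collects the same fields from a real Linux /proc.

```python
import os
import re
from dataclasses import dataclass

KTHREAD_NAME = re.compile(r"^\[[^\]]+\]$")  # a bracketed name such as "[khubd]"
KTHREADD_PID = 2                             # every real kernel thread descends from kthreadd


@dataclass
class Proc:
    """One process as seen under /proc/<pid> (fields constructed for this example)."""
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm
    cmdline: str   # /proc/<pid>/cmdline with NUL separators shown as spaces
    exe: str       # target of /proc/<pid>/exe; "" when the link cannot be read


def findings_for(p: Proc) -> list:
    out = []
    claims_kernel = bool(KTHREAD_NAME.match(p.comm) or KTHREAD_NAME.match(p.cmdline.strip()))
    if claims_kernel:
        # A real kernel thread has no executable and hangs off kthreadd, never off init.
        if p.exe:
            out.append(f"pid {p.pid}: kernel-thread name {p.comm!r} but exe is {p.exe}")
        if p.ppid not in (0, KTHREADD_PID):
            out.append(f"pid {p.pid}: kernel-thread name {p.comm!r} but parent is pid {p.ppid}")
    elif not p.cmdline and p.exe:
        # Empty cmdline is kernel-thread style; a user-space binary should not look like that.
        out.append(f"pid {p.pid}: empty cmdline but exe is {p.exe}")
    elif p.cmdline and p.exe:
        # A title like "smbd -D" should belong to an smbd binary, not to /usr/bin/perl.
        argv0 = os.path.basename(p.cmdline.split()[0])
        if argv0 != os.path.basename(p.exe):
            out.append(f"pid {p.pid}: argv[0] {argv0!r} but exe is {p.exe}")
    return out


def scan(procs):
    """Return {pid: [finding, ...]} for every process that earned at least one finding."""
    return {p.pid: f for p in procs if (f := findings_for(p))}


def read_live_procs():
    """Collect the same fields from a live Linux /proc (readlink on exe needs permission)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(f"/proc/{pid}/stat") as f:
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])  # field after state
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""  # kernel thread, or not readable as this user
        except OSError:
            continue  # process exited while we were reading it
        procs.append(Proc(pid, ppid, comm, cmdline, exe))
    return procs


# Constructed snapshot: two genuine processes plus the two disguises described above.
SAMPLE = [
    Proc(2, 0, "kthreadd", "", ""),
    Proc(41, 2, "khubd", "", ""),                                 # genuine kernel thread
    Proc(900, 1, "smbd", "/usr/sbin/smbd -D", "/usr/sbin/smbd"),  # genuine Samba
    Proc(1200, 1, "[khubd]", "[khubd]", "/usr/sbin/auditdb"),     # reverse shell posing as khubd
    Proc(1300, 1, "smbd", "smbd -D", "/usr/bin/perl"),            # Perl proxy posing as smbd
]

if __name__ == "__main__":
    for pid, notes in scan(SAMPLE).items():
        print(pid, notes)
```

Run it as root so /proc/&lt;pid&gt;/exe resolves for every process; without that, exe reads as empty and the first two checks go quiet. Expect a handful of benign hits from login shells (“-bash”) and daemons that rewrite their own title (“sshd: user@pts/0”), so compare the output against a known-good host rather than treating every line as a verdict.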
A Bridge Across the Air Gap
Reaching the isolated zone took clever engineering. Velvet Ant abused Nginx and FastCGI to chain requests through compromised web servers. Through that chain, a custom tool opened SSH sessions into the protected network. Sygnia says this worked “via simple HTTP requests,” with no direct connection ever required.
Hijacking the Authentication Stack
The real prize was authentication itself. The attackers replaced legitimate pam_unix.so modules with backdoored versions. Some simply accepted a hardcoded password for instant access. Others also logged failed credentials to a hidden file at /usr/sbin/.ssh.log. Furthermore, investigators identified nine distinct variants. Each one was compiled in a separate build environment, which points to a well-resourced operation.
PAM sits below the application layer. So a single poisoned module affects every service that trusts it. Crucially, this persistence survived password resets and session terminations. That fact blunted normal containment steps.
Trojanized OpenSSH Binaries
The group also tampered with ssh, sshd, and scp. These binaries captured logins and stored encrypted credentials on disk. They also logged every command typed during a session. Moreover, the modified scp could disable SELinux and hide its own process. The attackers then timestomped their files to erase forensic timelines. They even appended their own keys to authorized_keys as a backup way in. One custom flag, meanwhile, let them switch off their own logging. Sygnia calls this restraint “a hallmark of high OpSec discipline.”
Why Cleanup Was So Dangerous
Eradication carried unusual risk. After all, the attackers had altered the exact tools admins rely on to log in. A single wrong binary could lock everyone out of a host. Because many systems had no internet access, teams could not simply pull trusted packages. Several Linux distributions and versions complicated matters even more. A fix that was safe on one host could break another.
To control the danger, the responders built a dedicated test lab. They profiled each host and matched it to the correct replacement. Then they validated SSH and authentication health right after every fix. You can read the complete forensic breakdown in Sygnia’s Operation Highland report.
The Bigger Lesson
Operation Highland shows that isolation alone is not security. Once the login layer falls, segmentation offers little protection. Therefore, defenders should treat PAM and OpenSSH as critical assets. They should baseline these binaries and check them against known-good hashes. Above all, they must watch the authentication stack for quiet, unauthorized changes.
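The baseline-and-compare control recommended above, applied to the files this campaign targeted (the backdoored pam_unix.so, the trojanized ssh, sshd and scp, and the hidden credential drop at /usr/sbin/.ssh.log), looks like the script below. It is an added example, not Sygnia’s tooling or any distribution’s own verifier. The watched paths assume the two common PAM layouts and will need adjusting per host; demo() builds a constructed file tree so the logic can be exercised without touching a real system.

```python
import hashlib
import os
import tempfile

# Login-path files whose replacement hands an attacker the authentication layer itself.
WATCHED = [
    "usr/sbin/sshd",
    "usr/bin/ssh",
    "usr/bin/scp",
    "lib/x86_64-linux-gnu/security/pam_unix.so",  # Debian/Ubuntu layout (assumed)
    "lib64/security/pam_unix.so",                 # RHEL-family layout (assumed)
]
# Directories where a dot-prefixed file such as /usr/sbin/.ssh.log has no business being.
HIDDEN_FILE_DIRS = ["usr/sbin", "usr/bin"]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root="/"):
    """Hash every watched file under root; files absent on this host are recorded as None."""
    baseline = {}
    for rel in WATCHED:
        path = os.path.join(root, rel)
        baseline[rel] = sha256_of(path) if os.path.isfile(path) else None
    return baseline


def check(root, baseline):
    """Compare the tree under root against a baseline and return human-readable findings."""
    findings = []
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        actual = sha256_of(path) if os.path.isfile(path) else None
        if actual != expected:
            findings.append(f"{rel}: hash changed ({expected} -> {actual})")
    for d in HIDDEN_FILE_DIRS:
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            if name.startswith("."):
                findings.append(f"{d}/{name}: unexpected hidden file")
    return findings


def demo():
    """Baseline a constructed tree, tamper with it the way the report describes, re-check it."""
    root = tempfile.mkdtemp()
    for rel in WATCHED[:4]:  # the Debian-style layout only; lib64 stays absent
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"placeholder binary for " + rel.encode())
    baseline = build_baseline(root)
    # Simulated tampering: a swapped PAM module and a hidden credential log in /usr/sbin.
    with open(os.path.join(root, WATCHED[3]), "wb") as f:
        f.write(b"backdoored pam_unix.so")
    with open(os.path.join(root, "usr/sbin/.ssh.log"), "w") as f:
        f.write("constructed captured-credential line\n")
    return check(root, baseline)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Keep the baseline off the host: a root-level intruder who can swap sshd can also edit a local hash list. Re-run check() after every legitimate package update and, as the responders did here, right after each replacement binary goes in, comparing against the hash of the package you installed rather than against the pre-incident baseline.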