Over a span of roughly ten years, Chinese hackers compromised an organization’s authentication stack, giving them full visibility into administrative activity on the affected hosts.
Known as “Operation Highland,” the intrusion is attributed to the Velvet Ant cyberespionage group, which first compromised vulnerable internet-facing systems and then pivoted into a network that had no direct external access.
The “Velvet Ant” hackers infiltrated the large organization’s isolated critical infrastructure network and ran covert cyber-espionage operations there for a decade.
Sygnia researchers, who uncovered the breach in 2016 and named it “Operation Highland,” found that the attackers initially targeted exposed internet systems before moving into an “air-gapped” environment with no direct internet connectivity.
Sygnia first disclosed Velvet Ant in 2024, reporting that the group had persisted in a victim network for about three years, notably by turning F5 BIG-IP appliances into internal footholds. Shortly afterwards, Cisco warned of a zero-day command injection vulnerability in NX-OS (CVE-2024-20399) that Velvet Ant had exploited to run commands on Nexus switches.
Velvet Ant Attack Chain
The attack began with the compromise of internet-facing servers, where the group deployed a modified GS-Netcat reverse shell, disguised as a legitimate component, to obtain an encrypted remote shell through a hardcoded relay domain.
Velvet Ant kept its foothold through a malicious systemd service or a modified startup script, and then installed a custom SOCKS5 proxy to tunnel traffic toward internal systems that were not directly reachable from the internet.
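A practical way to hunt for the persistence step described above is to audit systemd unit files for Exec* lines that launch binaries from user-writable or hidden locations, or that look like tunnels rather than daemons. The script below is an added example written for this article; it is not Sygnia’s tooling, and the two unit files it scans are constructed in a temporary directory (the implant path and the relay hostname are hypothetical), so it never touches the real /etc/systemd tree.

```python
"""Hunt for systemd units whose Exec* lines point at binaries in unexpected places.

Added example for this article; it is not Sygnia's tooling. The unit files
below are constructed, with a hypothetical implant path and relay host.
"""
import os
import re
import tempfile

# Directories a distribution package should never install a service binary into.
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/root", "/var/www")
# Tokens that suggest a reverse shell or tunnel rather than a service daemon.
NETWORK_HINTS = re.compile(r"(gs-netcat|\bncat?\b|\bsocat\b|/dev/tcp/|bash\s+-i\b|\bcurl\b|\bwget\b)")
EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStartPost", "ExecReload", "ExecStop")

# Constructed sample units: a stock-looking sshd unit and a hypothetical implant unit.
SAMPLE_UNITS = {
    "ssh.service": (
        "[Unit]\nDescription=OpenBSD Secure Shell server\nAfter=network.target\n\n"
        "[Service]\nEnvironmentFile=-/etc/default/ssh\nExecStartPre=/usr/sbin/sshd -t\n"
        "ExecStart=/usr/sbin/sshd -D $SSHD_OPTS\nExecReload=/bin/kill -HUP $MAINPID\n"
        "Restart=on-failure\n\n[Install]\nWantedBy=multi-user.target\n"
    ),
    "nginx-cache.service": (
        "[Unit]\nDescription=nginx cache helper\nAfter=network-online.target\n\n"
        "[Service]\nExecStart=/var/tmp/.cache/nginx-helper -s relay.example.invalid\n"
        "Restart=always\n\n[Install]\nWantedBy=multi-user.target\n"
    ),
}


def exec_commands(unit_text):
    """Return the command string of every Exec* directive in a unit file."""
    cmds = []
    for raw in unit_text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip() in EXEC_KEYS and value.strip():
            cmds.append(value.strip())
    return cmds


def binary_of(cmd):
    """First word of an Exec* command, minus systemd's -, @, :, +, ! prefixes."""
    words = cmd.lstrip("-@:+!").split()
    return words[0] if words else ""


def assess_unit(unit_text):
    """List reasons a unit looks like implant persistence (empty list = nothing found)."""
    reasons = []
    for cmd in exec_commands(unit_text):
        path = binary_of(cmd)
        if any(path == d or path.startswith(d + "/") for d in SUSPECT_DIRS):
            reasons.append(f"{path}: binary lives in a user-writable or non-package directory")
        if "/." in path:
            reasons.append(f"{path}: hidden path component")
        if NETWORK_HINTS.search(cmd):
            reasons.append(f"{cmd}: command looks like a tunnel or reverse shell")
    return reasons


def scan_unit_dir(directory):
    """Map unit file name -> reasons for every flagged .service file in a directory."""
    flagged = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".service"):
            continue
        with open(os.path.join(directory, name), encoding="utf-8") as fh:
            reasons = assess_unit(fh.read())
        if reasons:
            flagged[name] = reasons
    return flagged


def demo():
    """Write the constructed units to a temp dir and scan them (no real system touched)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_UNITS.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_unit_dir(tmp)


if __name__ == "__main__":
    for unit, reasons in demo().items():
        print(unit)
        for reason in reasons:
            print("  -", reason)
```

On a real host, point scan_unit_dir at /etc/systemd/system and /usr/lib/systemd/system; the path heuristics are deliberately simple, and pairing them with package-manager verification (dpkg --verify or rpm -V) catches units whose binary sits in a legitimate directory but no longer matches the package.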
Disassembler output showing the use of GS-Netcat (Source: Sygnia)
To reach the isolated network, the hackers modified the Nginx configuration on the compromised servers so that specially crafted HTTP requests were handed to FastCGI processes, giving them a remote execution path into critical infrastructure systems.
By tampering with Linux Pluggable Authentication Modules (PAM) and OpenSSH components, Velvet Ant gained long-term persistence, bypassed authentication, harvested credentials and monitored all administrative activity on the compromised hosts.
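The Nginx-to-FastCGI pivot described above leaves a footprint in the web server’s configuration: a location block whose fastcgi_pass target is not a local socket, or whose SCRIPT_FILENAME is taken from the request itself. The script below is an added example written for this article, not Sygnia’s code or a reconstruction of the actual implant; the sample configuration is constructed, and the /static/cache/ path, the 10.20.30.40 backend and the $arg_f parameter are hypothetical illustrations of the pattern, not details from the incident.

```python
"""Flag nginx location blocks that hand requests to an off-host FastCGI listener.

Added example for this article, not Sygnia's tooling. The config below is
constructed to mimic the kind of edit described above; the path, the backend
address and the request-controlled SCRIPT_FILENAME are hypothetical.
"""
import re
from ipaddress import ip_address

SAMPLE_NGINX_CONF = r"""
http {
    server {
        listen 80;
        root /var/www/html;

        # ordinary PHP handler on a local socket
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_pass unix:/run/php/php-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        # hypothetical injected pivot: a crafted request chooses the script and
        # is forwarded to a FastCGI listener on a host in the segregated network
        location /static/cache/ {
            fastcgi_pass 10.20.30.40:9000;
            fastcgi_param SCRIPT_FILENAME $arg_f;
            fastcgi_param QUERY_STRING $query_string;
        }
    }
}
"""

# nginx variables that carry attacker-controlled request data
REQUEST_TAINT = re.compile(r"\$(arg_\w+|args|query_string|request_uri|uri|http_\w+|cookie_\w+)")


def _strip_comments(conf):
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def parse_locations(conf):
    """Return [(match, [directive, ...])] for every location block (nested ones included)."""
    text = _strip_comments(conf)
    blocks = []
    for m in re.finditer(r"\blocation\s+([^{]+?)\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i - 1]
        directives = [d.strip() for d in body.split(";") if d.strip()]
        blocks.append((m.group(1).strip(), directives))
    return blocks


def is_local_backend(target):
    """True only for unix sockets and loopback addresses; named upstreams are not trusted."""
    if target.startswith("unix:"):
        return True
    host = target.rsplit(":", 1)[0] if ":" in target else target
    host = host.strip("[]")
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # upstream name or hostname: flag it for review


def fastcgi_findings(conf):
    """Return [(location, [reason, ...])] for locations that deserve a second look."""
    findings = []
    for match, directives in parse_locations(conf):
        target, tainted = None, None
        for d in directives:
            words = d.split()
            if len(words) >= 2 and words[0] == "fastcgi_pass":
                target = words[1]
            elif len(words) >= 3 and words[0] == "fastcgi_param" and words[1] == "SCRIPT_FILENAME":
                value = " ".join(words[2:])
                if REQUEST_TAINT.search(value):
                    tainted = value
        if target is None:
            continue
        reasons = []
        if not is_local_backend(target):
            reasons.append(f"fastcgi_pass to non-local backend {target}")
        if tainted:
            reasons.append(f"SCRIPT_FILENAME taken from request input: {tainted}")
        if reasons:
            findings.append((match, reasons))
    return findings


if __name__ == "__main__":
    for location, reasons in fastcgi_findings(SAMPLE_NGINX_CONF):
        print(f"location {location}")
        for reason in reasons:
            print("  -", reason)
```

Run it against the output of nginx -T rather than a single file so that included snippets are covered; a backend on a private address is deliberately not exempted, because an internal host is exactly where a pivot into a segregated network points.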
“By chaining these modifications, Velvet Ant established a remote-execution path into the segregated environment via simple HTTP requests, with no direct connection to the critical infrastructure network ever required.” – Sygnia
Because Velvet Ant replaced critical authentication components with custom versions, cleanup is complex: the implants cannot simply be deleted without risking broken authentication or operational outages.
Sygnia recommends treating authentication components as critical security assets, deploying EDR, file integrity monitoring and multi-factor authentication (MFA), and continuously monitoring those components for unauthorized modifications.
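The file integrity monitoring Sygnia recommends, applied to exactly the components Velvet Ant tampered with (PAM modules and configuration, the sshd binary and its config), comes down to hashing a watchlist, storing the baseline off-host and diffing it on a schedule. The script below is an added example written for this article, not Sygnia’s or any vendor’s tooling; the watchlist paths are typical of a Debian-style host and should be adjusted per distribution, and demo() builds a constructed tree with placeholder file contents in a temporary directory so the run touches nothing on the real system.

```python
"""Baseline-and-diff integrity check for authentication components.

Added example for this article, not Sygnia's tooling. It hashes a watchlist
(PAM modules and config, the sshd binary and config), keeps the baseline as
JSON, and reports anything modified, added or removed. demo() exercises it on a
constructed tree in a temp directory with placeholder contents.
"""
import hashlib
import json
import os
import tempfile

# Paths to watch on a Debian-style host (relative to the root); adjust per distribution.
AUTH_WATCHLIST = (
    "etc/pam.d",
    "lib/x86_64-linux-gnu/security",
    "etc/ssh/sshd_config",
    "usr/sbin/sshd",
    "usr/bin/ssh",
)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, watchlist=AUTH_WATCHLIST):
    """Map relative path -> {sha256, mode, size} for every file under the watchlist."""
    state = {}
    for rel in watchlist:
        top = os.path.join(root, rel)
        if os.path.isfile(top):
            files = [top]
        elif os.path.isdir(top):
            files = [os.path.join(d, f) for d, _, names in os.walk(top) for f in names]
        else:
            continue  # absent on this host; the diff will show it if it appears later
        for path in sorted(files):
            st = os.lstat(path)
            state[os.path.relpath(path, root)] = {
                "sha256": sha256_of(path),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return state


def diff_snapshots(baseline, current):
    """Classify changes between a stored baseline and a fresh snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data, mode=0o644):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Build a constructed host tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        # placeholder contents, not real binaries
        _write(root, "etc/pam.d/sshd", b"auth required pam_unix.so\n")
        _write(root, "lib/x86_64-linux-gnu/security/pam_unix.so", b"\x7fELF-pam_unix-stub")
        _write(root, "etc/ssh/sshd_config", b"PasswordAuthentication no\n")
        _write(root, "usr/sbin/sshd", b"\x7fELF-sshd-stub", 0o755)
        baseline_json = json.dumps(snapshot(root))  # what you would store off-host

        # Tampering in the style described above: a replaced PAM module, an sshd
        # binary swapped for a custom build, and an extra module dropped in.
        _write(root, "lib/x86_64-linux-gnu/security/pam_unix.so", b"\x7fELF-pam_unix-trojan")
        _write(root, "usr/sbin/sshd", b"\x7fELF-sshd-custom", 0o755)
        _write(root, "lib/x86_64-linux-gnu/security/pam_helper.so", b"\x7fELF-logger")

        return diff_snapshots(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner should keep in mind: the baseline must be taken from a known-good image and stored where a root-level intruder cannot rewrite it, and a diff that reports nothing is only as trustworthy as the host running it, so the hashes are best collected by an agent that ships them off-box rather than by a cron job the attacker can edit.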