"Administrative activity became fully observable: every login; every command executed across compromised hosts. Access was no longer tied to a specific foothold but embedded into the authentication process itself," Sygnia researchers wrote.
Operation Highland and Velvet Ant
Sygnia has attributed a long-running cyber-espionage campaign, dubbed "Operation Highland," to the Velvet Ant activity cluster. According to the researchers, Chinese-aligned actors from Velvet Ant breached the isolated critical infrastructure network of a large organization and maintained persistence for a decade, beginning in 2016. The group first targeted vulnerable internet-facing systems and then pivoted into an environment the researchers describe as "air-gapped" — a network with no direct external path.
From internet-facing servers to an "air-gapped" environment
The intrusion chain began with compromises of internet-facing servers, though Sygnia does not name the specific product or vulnerability used in the initial access. After gaining entry, Velvet Ant deployed a modified GS-Netcat reverse shell disguised as a legitimate system component that connected to a hardcoded relay domain and provided encrypted remote shell access. The shell achieved persistence through either a malicious systemd service or startup script modification.
The attackers then installed a custom SOCKS5 proxy to tunnel network traffic and reach internal systems that were not directly accessible from the internet. That proxy ran as a daemon masquerading as "smbd -D," used different filenames and ports per host, and turned compromised servers into internal pivot points.
Sygnia documents a remote execution path into the isolated network built by chaining web server configurations: a compromised internet-facing Nginx was altered to proxy specially crafted requests to a compromised backend server; that backend's Nginx was changed to forward to a FastCGI process (fcgiwrap); and the FastCGI wrapper launched a custom binary named "uptime." That tool accepted parameters supplied in HTTP POST requests and established SSH connections to systems within the isolated critical infrastructure network.
Sygnia places this campaign in context with prior Velvet Ant activity disclosed in 2024: a campaign targeting F5 BIG-IP devices that operated undetected for three years, and exploitation of a Cisco NX-OS zero-day in Nexus switches.
Breaking authentication: PAM and OpenSSH trojans
Once inside the isolated environment, Velvet Ant shifted to long-term persistence and credential theft by attacking the authentication stack. The attackers replaced legitimate Linux Pluggable Authentication Modules (PAM) — specifically pam_unix.so — with backdoored versions that accepted hardcoded passwords and harvested user credentials. Sygnia identified nine distinct variants of the malicious PAM module, each compiled in a separate build environment, and notes two variants that specifically acted as a backdoor and as credential collectors.
Velvet Ant also trojanized OpenSSH components — including ssh, sshd, and scp — to capture credentials, log commands entered during SSH sessions, and store collected data locally for later retrieval. By embedding malicious code into PAM and OpenSSH, the researchers say, the attackers ensured they could observe every administrative action and persist despite password changes or session terminations, undermining "the effectiveness of conventional containment measures."
Why removal was so hard — and how Sygnia responded
Sygnia reports remediation and removal proved particularly complicated because so many critical authentication components had been replaced. Removing those binaries without care risked breaking authentication, locking legitimate administrators out, and causing operational outages. To mitigate that risk, Sygnia built a testing lab to validate the binary replacement process, profiled each host, tested the results, and prepared rollback procedures before attempting cleanup.
Based on that experience, Sygnia recommends treating authentication components such as PAM, OpenSSH, and Windows LSASS as critical security assets. The firm advises protecting them with endpoint detection and response (EDR), file integrity monitoring, hardened privileged access, multi-factor authentication (MFA), and continuous monitoring for unauthorized modifications. Organizations should also plan for offline recovery with strict backup schedules that create immutable snapshots, and should validate backups and recovery hosts running verified operating systems along with recovery scripts.
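One way to put that recommendation into practice on a Linux host, as an added example that is not Sygnia's tooling or the report's own code: a baseline-and-verify check over the authentication binaries the report names (pam_unix.so, sshd, ssh, scp). The paths are assumed to follow a Debian-style layout and should be adjusted per distribution; the baseline must come from a known-good host and be stored off the monitored machine.

```python
"""Baseline-and-verify integrity check for Linux authentication components.

Added example, not Sygnia's tooling. The baseline is built from a trusted,
freshly provisioned host and kept offline: a host whose PAM or OpenSSH
binaries have already been swapped cannot be trusted to keep its own record.
"""
import hashlib
import os
import stat

# Components replaced in Operation Highland; paths are an assumption
# (Debian/Ubuntu layout) and must be adjusted for the local distribution.
DEFAULT_PATHS = [
    "/lib/x86_64-linux-gnu/security/pam_unix.so",
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/usr/bin/scp",
]


def fingerprint(path):
    """Return sha256, size and mode of a file, or None if it is absent."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(paths=DEFAULT_PATHS):
    """Record fingerprints of every monitored file on a known-good host."""
    return {p: fingerprint(p) for p in paths}


def verify(baseline):
    """Compare the live files against the baseline; return (path, reason) pairs."""
    findings = []
    for path, expected in baseline.items():
        current = fingerprint(path)
        if expected is None and current is None:
            continue  # absent in both states: nothing to report
        if expected is None:
            findings.append((path, "unexpected file present"))
        elif current is None:
            findings.append((path, "monitored file missing"))
        elif current["sha256"] != expected["sha256"]:
            findings.append((path, "content changed"))
        elif current["mode"] != expected["mode"]:
            findings.append((path, "permissions changed"))
    return findings
```

For a first pass without a stored baseline, the distribution's package verification (`dpkg --verify` or `rpm -V`) compares these files against package manifests, but it relies on the host's own database, which an attacker with root can also edit.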
What this means for technologists, policymakers, and procurement leaders
- Technologists and security teams: Sygnia's findings underscore the need to monitor authentication components and to apply protections such as EDR, file integrity monitoring, hardened privileged access, and MFA. The firm’s remediation steps — testing labs, host profiling, and rollback planning — show that cleanup of authentication-layer compromises requires methodical, pre-planned procedures.
- Policymakers and regulators: The campaign highlights that attacks can embed in authentication flows and survive standard containment; regulators concerned with critical infrastructure resilience may focus oversight on authentication protection, offline recovery planning, and vendor patching for internet-facing systems.
- Procurement and enterprise leaders: Velvet Ant's use of compromised internet-facing infrastructure and prior campaigns involving F5 BIG-IP and Cisco NX-OS zero-days point to the importance of vendor patching, supply-chain vigilance, and contractual requirements for security updates and incident response support.
Operation Highland illustrates a stark lesson: when an adversary moves from a foothold into the authentication layer itself, detection, containment, and recovery become technical and organizational problems at once. Sygnia's playbook — laboratory validation, per-host profiling, and rollback-ready remediation — is a concrete model for any organization that still treats authentication components as an afterthought rather than a critical security asset.