A China-linked threat group tracked as Velvet Ant maintained a prolonged intrusion inside a major organization's network, staying undetected for almost a decade. The operation, dubbed Operation Highland, shows a degree of strategic patience and technical proficiency that is rarely documented in public intrusion reports.
Operation Highland: A Decade of Undetected Presence
Velvet Ant's campaign is notable not only for the extent of the breach but for how long the group stayed hidden inside a network segment that was not reachable from the internet. Rather than relying on phishing or brute-force attacks, Velvet Ant used a deliberately staged, multi-step access chain: it first established a foothold on internet-exposed systems and then pivoted from there into the isolated critical infrastructure.
The group relied on publicly available tools, modified so that their traffic and on-host footprint resembled normal activity, which left conventional security controls blind to them. According to Sygnia's report, the earliest forensic evidence dates back to 2017, implying nearly ten years of undetected access.
Technical Tactics and Network Infiltration
Velvet Ant used several techniques to evade detection and keep persistent access. The attackers targeted Pluggable Authentication Modules (PAM), the layer Linux relies on for password and session authentication. By replacing a legitimate PAM module with a trojaned build, they altered the authentication flow so that it would accept a hardcoded backdoor password, or capture the credentials presented in genuine authentication attempts.
The module also covered its tracks. It zeroed the backdoor password in memory after each use, and a custom flag suppressed logging of the backdoor logins and their sessions, so the attackers left little on-host evidence of their activity.
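A trojaned PAM module is, on disk, simply a shared object whose hash no longer matches what the package manager shipped, so the cheapest detection for the technique above is a baseline-and-compare integrity check of the PAM module directories, the PAM configuration and the SSH daemon. The script below is an added example, not Sygnia's tooling or anything recovered from the intrusion; the directory and file paths are assumptions for common distributions, and the demo builds a throwaway module directory of constructed files rather than touching the real system.

```python
"""Baseline-and-compare integrity check for PAM modules and the SSH daemon.

Added example, not Sygnia's tooling. It hashes every PAM module plus the sshd
binary and PAM configs, stores the digests as a JSON baseline, and on later runs
reports modified, added and missing files: a replaced pam_unix.so, or a module
nobody installed, is what a PAM backdoor looks like on disk. The paths are
assumptions for common distros; demo() uses a constructed temporary directory.
"""
import hashlib
import json
import os
import sys
import tempfile

PAM_DIRS = ["/lib/security", "/lib64/security", "/usr/lib/security",
            "/usr/lib/x86_64-linux-gnu/security", "/usr/lib64/security"]
EXTRA_FILES = ["/usr/sbin/sshd", "/etc/pam.d/sshd", "/etc/pam.d/common-auth",
               "/etc/pam.d/system-auth", "/etc/pam.d/password-auth"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(dirs=PAM_DIRS, files=EXTRA_FILES):
    """Return {path: sha256} for every shared object in dirs plus each of files that exists."""
    digests = {}
    for d in dirs:
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                p = os.path.join(d, name)
                if os.path.isfile(p) and ".so" in name:
                    digests[p] = sha256_file(p)
    for p in files:
        if os.path.isfile(p):
            digests[p] = sha256_file(p)
    return digests


def compare(baseline, current):
    """Classify differences between two snapshots as modified, added or missing paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: pam_unix.so is swapped, a new module appears, one vanishes."""
    with tempfile.TemporaryDirectory() as tmp:
        def write(name, data):
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(data)
        write("pam_unix.so", b"\x7fELF original pam_unix")          # constructed, not a real module
        write("pam_deny.so", b"\x7fELF original pam_deny")
        baseline = snapshot(dirs=[tmp], files=[])
        write("pam_unix.so", b"\x7fELF trojaned pam_unix with hardcoded password")  # replaced module
        write("pam_extra.so", b"\x7fELF module nobody installed")                   # new module
        os.remove(os.path.join(tmp, "pam_deny.so"))                               # removed module
        diff = compare(baseline, snapshot(dirs=[tmp], files=[]))
    return {k: [os.path.basename(p) for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    # usage: pam_integrity.py baseline FILE   (on a known-good host; keep FILE off-host)
    #        pam_integrity.py check FILE      (later, on the same host)
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        with open(sys.argv[2], "w") as f:
            json.dump(snapshot(), f, indent=1, sort_keys=True)
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        with open(sys.argv[2]) as f:
            diff = compare(json.load(f), snapshot())
        for kind, paths in diff.items():
            for p in paths:
                print(f"{kind.upper():8} {p}")
        sys.exit(1 if any(diff.values()) else 0)
    else:
        print(demo())
```

Two caveats apply in practice. The baseline must be taken from a host that is known to be clean and stored off-host, since an attacker with root can regenerate it; and because the same attacker can alter the package database, a hash comparison like this complements rather than replaces `rpm -V` or `debsums` and, for high-confidence checks, should be run from trusted boot media against the mounted filesystem.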
Advanced Persistence Mechanisms
Alongside the PAM manipulation, Velvet Ant deployed a modified build of the GS-Netcat tool on internet-facing servers to establish a reverse shell to a remote command-and-control server. The binary was renamed so that it blended in with legitimate system processes.
Persistence was tailored to the init system of each server. On systemd hosts the group dropped a malicious unit file disguised as a Chrome service; on older SysVinit hosts it appended execution lines to existing startup scripts. The attackers also added their own public keys to authorized_keys files, giving them password-less SSH access to the servers.
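Because the binaries were renamed to blend in, hunting by process name is unreliable; the persistence locations themselves are a better starting point. The script below is an added example, not Sygnia's tooling, that checks the three mechanisms just described: systemd units whose ExecStart points somewhere a service should not live or whose name claims to be a desktop product it does not run, startup-script lines that launch from world-writable or hidden directories, and authorized_keys entries whose fingerprint is not in an inventory. The checkers take file contents as text so they can be run over artifacts collected from a suspect host; the heuristics, the allowlist and the sample files are assumptions, and the samples are constructed rather than recovered from the intrusion.

```python
"""Hunt for systemd, SysVinit and authorized_keys persistence on a Linux host.

Added example, not Sygnia's tooling. Each checker takes file contents as text,
so it works on collected artifacts or on the constructed samples in demo();
collect_host() wires the checkers to the usual paths when run as root on the
host itself. The heuristics, allowlist and sample files are assumptions.
"""
import base64
import binascii
import glob
import hashlib
import os
import re

SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")  # no place for a root service
HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")                                     # any dot-directory in a path
BRAND_WORDS = ("chrome", "google", "firefox", "mozilla")                   # desktop names on a server
UNIT_GLOBS = ("/etc/systemd/system/*.service", "/usr/lib/systemd/system/*.service",
              "/run/systemd/system/*.service")
INIT_FILES = ("/etc/rc.local", "/etc/rc.d/rc.local", "/etc/init.d/*")
KEY_GLOBS = ("/root/.ssh/authorized_keys", "/home/*/.ssh/authorized_keys")


def check_unit(name, text):
    """Flag a unit whose ExecStart lives somewhere unusual, or whose name or Description
    claims to be a desktop product while the binary it runs is something else."""
    findings = []
    m = re.search(r"^ExecStart=[-@:+!]*(\S+)", text, re.M)
    if not m:
        return findings
    exe = m.group(1)
    if exe.startswith(SUSPICIOUS_DIRS) or HIDDEN_DIR.search(exe):
        findings.append(f"{name}: ExecStart in writable or hidden location: {exe}")
    desc = re.search(r"^Description=(.*)$", text, re.M)
    label = (name + " " + (desc.group(1) if desc else "")).lower()
    if any(w in label for w in BRAND_WORDS) and not any(w in exe.lower() for w in BRAND_WORDS):
        findings.append(f"{name}: presents as {label.strip()!r} but runs {exe}")
    return findings


def check_init_script(name, text):
    """Flag startup-script lines that launch from suspicious paths or open raw sockets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if any(d in s for d in SUSPICIOUS_DIRS) or HIDDEN_DIR.search(s) or "/dev/tcp/" in s:
            findings.append(f"{name}:{lineno}: {s}")
    return findings


def ssh_fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob, as ssh-keygen -lf prints it."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_authorized_keys(owner, text, allowed_fingerprints):
    """Report every key not in the inventory; options before the key type are tolerated."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split()
        idx = next((i for i, t in enumerate(parts) if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        try:
            fp = ssh_fingerprint(parts[idx + 1]) if idx is not None else None
        except (IndexError, binascii.Error, ValueError):
            fp = None
        if fp is None:
            findings.append(f"{owner}:{lineno}: unparsable entry")
        elif fp not in allowed_fingerprints:
            comment = " ".join(parts[idx + 2:]) or "no comment"
            findings.append(f"{owner}:{lineno}: key not in inventory {fp} ({comment})")
    return findings


def _read(path):
    with open(path, errors="replace") as f:
        return f.read()


def collect_host(allowed_fingerprints):
    """Run all three checks against the live filesystem (root needed to read users' keys)."""
    findings = []
    for pattern in UNIT_GLOBS:
        for path in glob.glob(pattern):
            findings += check_unit(os.path.basename(path), _read(path))
    for pattern in INIT_FILES:
        for path in glob.glob(pattern):
            findings += check_init_script(path, _read(path))
    for pattern in KEY_GLOBS:
        for path in glob.glob(pattern):
            findings += check_authorized_keys(path, _read(path), allowed_fingerprints)
    return findings


# Constructed samples (not real artifacts) mirroring the three mechanisms described above.
KEY_OK = base64.b64encode(b"constructed inventory key blob").decode()
KEY_ROGUE = base64.b64encode(b"constructed attacker key blob").decode()
SAMPLES = {
    "chrome-update.service": "[Unit]\nDescription=Google Chrome Update Service\n"
                             "[Service]\nExecStart=/var/tmp/.cache/updater -d\n"
                             "[Install]\nWantedBy=multi-user.target\n",
    "sshd.service": "[Unit]\nDescription=OpenSSH server daemon\n[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "rc.local": "#!/bin/sh\n/usr/bin/logger boot\n/dev/shm/.x/gsnc -s secret -i &\nexit 0\n",
    "authorized_keys": f"ssh-ed25519 {KEY_OK} ops@bastion\nno-pty ssh-rsa {KEY_ROGUE}\n",
}


def demo():
    allowed = {ssh_fingerprint(KEY_OK)}
    return (check_unit("chrome-update.service", SAMPLES["chrome-update.service"])
            + check_unit("sshd.service", SAMPLES["sshd.service"])
            + check_init_script("rc.local", SAMPLES["rc.local"])
            + check_authorized_keys("root", SAMPLES["authorized_keys"], allowed))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The authorized_keys check deliberately compares fingerprints against an inventory rather than looking for "suspicious" comments, because the comment field is attacker-controlled; the unit and init-script checks are heuristics that will need tuning for hosts that legitimately run software from /opt or /home.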
Recommendations and Future Outlook
Sygnia advises organizations to treat PAM, OpenSSH and other privileged access paths as security-critical components rather than plumbing. Deploying endpoint detection and response (EDR) is essential for visibility into this class of activity. Organizations should alert on changes to authentication libraries, their configuration and other system files, and tighten the access controls around them.
Credentials should be rotated only after the persistence mechanisms have been removed; otherwise a still-present credential-harvesting module simply captures the new passwords. Because remediation touches the authentication path itself, it can lock administrators out of production systems, so any change to PAM or OpenSSH components should be planned with a rollback option and an emergency access path.
