Cybersecurity 14 Jun 2026

China-Linked Velvet Ant Breaches an Isolated Network and Hides for 10 Years

The China-linked Velvet Ant group breached a critical infrastructure network isolated from the internet and stayed for 10 years, via a clever execution path chaining Nginx, FastCGI, and HTTP requests.


The cybersecurity firm Sygnia has revealed one of the longest documented cyber-espionage campaigns, carried out by a China-linked threat group known as Velvet Ant, which lasted nearly ten years inside a critical infrastructure network without being detected. The campaign, which Sygnia named "Operation Highland," reveals how the attackers managed to reach an internal network isolated from the internet and remain there for years without triggering any alert, in one of the most patient and sophisticated intrusions on record.

Ten Years in the Shadows

According to the forensic investigation, the group's first activity dates back to 2016, precisely datable thanks to keystroke logs the attackers themselves stored, as each filename carried the timestamp of the corresponding session. The victim is a large organization whose name and sector Sygnia did not disclose, but the campaign targeted its critical infrastructure. Notably, the group was not new to Sygnia's researchers; it had previously been spotted in 2024 on F5 BIG-IP devices, then on Cisco Nexus switches via a zero-day vulnerability, and each time it moved to a less-monitored infrastructure to rebuild its presence once discovered.

How Did They Reach a Network With No Direct Internet Connection?

Here lies the most technically intriguing aspect. The targeted network was segregated and isolated with no direct internet connection, which is supposed to make it resistant to remote access. But Velvet Ant built a clever "execution bridge" to reach it through simple HTTP requests alone.

The entry point was a web server running Nginx and exposed to the internet. The attackers modified its configuration so that any request arriving at a specific address was proxied on to a backend server. That backend server was itself compromised, with its Nginx configuration modified to forward the requests to a FastCGI process (the fcgiwrap tool) listening on a separate port. This wrapper acted as the execution bridge: it processed each request, ran an executable file, and returned the file's output to the attacker via Nginx.

The executable, given the innocuous name uptime as a disguise, was a custom tool that established an SSH connection to a server inside the critical infrastructure network, based on parameters sent within the request. By chaining these modifications together, Velvet Ant established a remote-execution path into the segregated environment using ordinary HTTP requests, without ever needing a direct connection to the critical network. In other words, the requests slipped through seemingly legitimate web layers until they reached the heart of the protected network.

Hijacking the Authentication Mechanism

The attackers did not stop there, but penetrated deep into the authentication system. They replaced components of the PAM system (Pluggable Authentication Modules) and OpenSSH components with backdoored versions. Since PAM sits below the application layer, compromising it transparently affects every service that relies on it without producing any noticeable anomaly. They also modified the ssh, sshd, and scp tools to log credentials, commands, and keystrokes, encrypted in files whose timestamps were forged to blend in with system files.

The tooling showed a high degree of operational caution: in one version, the attackers added an undocumented flag (-d) that, when activated by the operators during their own sessions, meant their credentials and keystrokes were not logged; that is, they exempted themselves from the surveillance they imposed on the victim. An older version of the SSH kit even contained a "rotating" backdoor mechanism: seven different MD5 hashes, one for each day of the week, determined which password would grant access on that day.

What Does This Incident Reveal?

The most important lesson is that "isolation" from the internet is not absolute immunity. A segregated network may remain penetrable if there is an indirect path, such as a compromised intermediary server linking the two worlds. The incident also highlights the danger of targeting deep authentication layers like PAM and OpenSSH, which the entire system implicitly trusts, and the difficulty of detecting a threat that waits years and avoids the noisy lateral movement at which most intrusions are caught.

How Do You Protect Your Organization?

Defensive best practice recommends a multi-layered approach. First, do not rely on network isolation alone: impose continuous monitoring on internet-facing intermediary servers and audit their configurations (such as Nginx) for unauthorized forwarding. Second, monitor the integrity of sensitive authentication system files (PAM and OpenSSH components) and alert on any modification to them. Third, conduct periodic, systematic threat hunting rather than waiting for alerts, because patient adversaries do not trigger them. Finally, apply strict controls on traffic between isolated segments and the rest of the network, and treat every unnecessary communication path as a potential risk.
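One way to implement the first recommendation, auditing an Nginx configuration for the kind of unauthorized forwarding described in the execution-bridge section above (an added example in Python, not from Sygnia's report or this article; the sample config, hostnames, ports and allowlist are all constructed for illustration):

```python
import re

# Constructed sample config for this example (hostnames and ports are
# invented). "/" is the documented application route; the last two
# location blocks mimic the pattern the article describes: an obscure
# path proxied to the backend, and a FastCGI hand-off on an odd port.
SAMPLE_CONF = """
server {
    listen 80;
    location / {
        proxy_pass http://app-backend:8080;
    }
    location /static/ {
        root /var/www/html;
    }
    location /.tmp/9f1c {
        proxy_pass http://app-backend:8080;
    }
    location /cgi-exec {
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9099;
    }
}
"""

# Approved upstreams per directive. fastcgi_pass is empty because this
# server has no sanctioned FastCGI backend at all.
ALLOWED = {"proxy_pass": {"http://app-backend:8080"}, "fastcgi_pass": set()}
# Documented routes: a forward from any other path is suspicious even
# when its upstream is approved.
KNOWN_PATHS = {"/", "/static/"}

LOCATION_RE = re.compile(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{([^{}]*)\}")
PASS_RE = re.compile(r"\b(proxy_pass|fastcgi_pass)\s+([^;\s]+)\s*;")


def audit_nginx(conf: str) -> list:
    """Return (path, directive, target, reason) for each suspicious forward."""
    findings = []
    for path, body in LOCATION_RE.findall(conf):
        for directive, target in PASS_RE.findall(body):
            if target not in ALLOWED[directive]:
                findings.append((path, directive, target, "target not allowlisted"))
            elif path not in KNOWN_PATHS:
                findings.append((path, directive, target, "forward from undocumented path"))
    return findings


if __name__ == "__main__":
    for finding in audit_nginx(SAMPLE_CONF):
        print("SUSPICIOUS: location %s -> %s %s (%s)" % finding)
```

Run against the real configuration, the allowlist and known paths come from change management, and any finding should be reconciled against an approved change before being dismissed.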

Conclusion

"Operation Highland" is a disturbing model of the patience of advanced persistent threats and their ability to remain for years at the heart of critical infrastructure. The lesson is not in the complexity of the tools alone, but in the philosophy: a quiet intrusion, self-exemption from surveillance, and exploitation of the implicit trust in the system's deep layers. It is a stark reminder that real defense is not built on assuming isolation is enough, but on continuous monitoring and methodical skepticism even in the corners thought to be safest.


Tags: #Cybersecurity #Velvet Ant #Operation Highland #Cyber espionage #China #Critical infrastructure
