Chinese hackers hijack auth flow, spy on isolated network for a decade
Chinese hackers from the Velvet Ant group compromised a target organization's authentication infrastructure and maintained persistent access for a decade. They initially breached internet-facing systems, then pivoted into an isolated, air-gapped critical infrastructure network using a complex chain involving modified Nginx servers and a FastCGI process. The attackers replaced critical authentication components such as PAM modules and OpenSSH binaries with backdoored versions that harvested credentials and allowed bypassing authentication. This gave them full visibility into administrative activity and persistent access despite password changes. Remediation is complex due to the extensive replacement of core authentication binaries, requiring careful testing and rollback procedures.
AI Analysis
Technical Summary
The threat, dubbed Operation Highland, involved the Velvet Ant cyberespionage group compromising internet-facing servers and establishing a remote execution path into an isolated critical infrastructure network without direct internet connectivity. They used a modified GS-Netcat reverse shell and a custom SOCKS5 proxy for internal pivoting. By altering Nginx configurations and leveraging a FastCGI wrapper, they executed commands inside the segregated environment. The attackers replaced legitimate Linux PAM modules and OpenSSH components with trojanized versions that accepted hardcoded passwords, harvested credentials, logged SSH commands, and stored data locally. This manipulation of the authentication stack allowed persistent access and full observability of administrative actions over a ten-year period. Cleanup is difficult due to the deep integration of malicious components into authentication processes.
Potential Impact
The attackers gained persistent, undetectable access to an isolated critical infrastructure network for ten years, with full visibility into all administrative logins and commands. They could bypass authentication controls and maintain access despite password changes and session terminations. This compromises the confidentiality and integrity of administrative credentials and activities, severely undermining network security and operational trust. The complexity of the compromise makes remediation challenging and risks operational outages if not carefully managed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Sygnia researchers recommend treating authentication components such as PAM, OpenSSH, and Windows LSASS as critical security assets. Defenders should protect these with endpoint detection and response (EDR), file integrity monitoring, hardened privileged access, multi-factor authentication (MFA), and continuous monitoring for unauthorized modifications. Organizations should plan for offline recovery with strict, immutable backups and test restoration procedures thoroughly before attempting cleanup. Due to the complexity of the compromise, remediation requires validated rollback procedures and testing in isolated environments to avoid operational disruptions.
Chinese hackers hijack auth flow, spy on isolated network for a decade
Description
Chinese hackers from the Velvet Ant group compromised a target organization's authentication infrastructure and maintained persistent access for a decade. They initially breached internet-facing systems, then pivoted into an isolated, air-gapped critical infrastructure network using a complex chain involving modified Nginx servers and a FastCGI process. The attackers replaced critical authentication components such as PAM modules and OpenSSH binaries with backdoored versions that harvested credentials and allowed bypassing authentication. This gave them full visibility into administrative activity and persistent access despite password changes. Remediation is complex due to the extensive replacement of core authentication binaries, requiring careful testing and rollback procedures.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The threat, dubbed Operation Highland, involved the Velvet Ant cyberespionage group compromising internet-facing servers and establishing a remote execution path into an isolated critical infrastructure network without direct internet connectivity. They used a modified GS-Netcat reverse shell and a custom SOCKS5 proxy for internal pivoting. By altering Nginx configurations and leveraging a FastCGI wrapper, they executed commands inside the segregated environment. The attackers replaced legitimate Linux PAM modules and OpenSSH components with trojanized versions that accepted hardcoded passwords, harvested credentials, logged SSH commands, and stored data locally. This manipulation of the authentication stack allowed persistent access and full observability of administrative actions over a ten-year period. Cleanup is difficult due to the deep integration of malicious components into authentication processes.
Potential Impact
The attackers gained persistent, undetectable access to an isolated critical infrastructure network for ten years, with full visibility into all administrative logins and commands. They could bypass authentication controls and maintain access despite password changes and session terminations. This compromises the confidentiality and integrity of administrative credentials and activities, severely undermining network security and operational trust. The complexity of the compromise makes remediation challenging and risks operational outages if not carefully managed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Sygnia researchers recommend treating authentication components such as PAM, OpenSSH, and Windows LSASS as critical security assets. Defenders should protect these with endpoint detection and response (EDR), file integrity monitoring, hardened privileged access, multi-factor authentication (MFA), and continuous monitoring for unauthorized modifications. Organizations should plan for offline recovery with strict, immutable backups and test restoration procedures thoroughly before attempting cleanup. Due to the complexity of the compromise, remediation requires validated rollback procedures and testing in isolated environments to avoid operational disruptions.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/chinese-hackers-hijack-auth-flow-spy-on-isolated-network-for-a-decade/","fetched":true,"fetchedAt":"2026-06-14T10:44:39.051Z","wordCount":1129}
Threat ID: 6a2e861fe617e2d834675e9f
Added to database: 6/14/2026, 10:44:47 AM
Last enriched: 6/14/2026, 10:44:54 AM
Last updated: 6/14/2026, 2:50:12 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.