AnswersPublished13 hours agoLast edited 13 hours ago18 sources

Inside Operation Highland: How Velvet Ant Hid in the Linux Login for a Decade

Sygnia's Operation Highland investigation found that the China nexus group Velvet Ant remained hidden inside a sensitive, air gapped network for close to a decade by replacing Linux pam unix.so modules and OpenSSH bin... Standard incident response measures such as removing files, killing processes, and rotating pass...

Search & fact-check with Studio Global AI Browse more Trending pages

1010

Abstract visualization of Linux authentication stack being backdoored by Velvet Ant's Operation Highland campaign — What did Sygnia's forensic investigation of "Operation Highland" reveal about how the China-linked threat group Velvet Ant compromised and mVelvet Ant’s Operation Highland campaign subverted the Linux login system itself — replacing core authentication binaries to maintain access for nearly a decade. Image generated by AI.
AI Prompt
Create a landscape editorial hero image for this Studio Global article: What did Sygnia's forensic investigation of "Operation Highland" reveal about how the China-linked threat group Velvet Ant compromised and m. Article summary: ## Sygnia's "Operation Highland" Findings on Velvet Ant. Topic tags: general, general web, user generated. Reference image context from search candidates: Reference image 1: visual subject "Discover the detailed forensic investigation by Sygnia into the sophisticated cyber attack by Velvet Ant on a major organization. The investigation confirmed the threat actor maint" source context "China-Nexus Threat Group 'Velvet Ant' Abuses F5 Load Balancers ..." Reference image 2: visual subject "Velvet Ant Activity Detection: China-Backed Cyber-Espionage Group Launches a Prolonged Attack Using Malware Deployed on the F5 BIG-IP Devices. The China-linked cyber-espionage gr
openai.com

Israel-based incident response firm Sygnia has published findings from an investigation dubbed Operation Highland that exposes one of the most disciplined and long-running cyber espionage campaigns in recent memory. The activity is attributed with high confidence to a China-nexus threat group Sygnia tracks as Velvet Ant. The operation is defined not by a single novel zero-day, but by a relentlessly simple idea: live inside the software that decides who gets to log in.

The Decade-Long Intrusion, Step by Step

The victim network had no direct internet connection and housed highly sensitive systems. Sygnia’s forensic timeline indicates the attackers gained a foothold at least as far back as 2016, giving the group close to a ten-year dwell time inside the environment .

Initial entry point. The breach likely began through an internet-facing, unpatched legacy F5 BIG-IP appliance that the organization had not retired. Once the attackers had control of the appliance, they used it as a pivot point to move deeper — eventually reaching the air-gapped internal segment .

How the Backdoor Worked

Instead of dropping custom malware that file scanners or endpoint detection might eventually flag, Velvet Ant subverted the operating system's own trust architecture. Across dozens of hosts, the group systematically replaced core Linux authentication components — specifically the pluggable authentication module and multiple OpenSSH binaries — with trojanized versions .

Studio Global AI

Search, cite, and publish your own answer

Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.

Operational Pattern	Observed Behavior
Network-edge initial access	Exploits unpatched enterprise appliances — notably F5 BIG-IP and Cisco Nexus switches — that are exposed to the internet as bridgeheads into internal networks .
Authentication subversion as primary implant	Avoids deploying conventional remote access trojans (RATs) on endpoints and instead replaces the components that validate user logins across the Linux fleet .
Redundant persistence mesh	Maintains multiple footholds across different network segments so that the loss of one access point — or even one entire appliance — does not terminate the operation .
Living-off-the-land	Moves laterally using stolen credentials and standard administrative tools such as SSH, leaving minimal custom malware signatures for detection tools to find .
Industrial-scale credential harvesting	Captures plain-text passwords from every successful login across the network, steadily accumulating valid identities with no additional network noise .
Extreme dwell time	Operates over years rather than days or weeks. This low-and-slow tempo means short log-retention windows and routine system maintenance can erase forensic evidence .

Inside Operation Highland: How Velvet Ant Hid in the Linux Login for a Decade

The Decade-Long Intrusion, Step by Step

How the Backdoor Worked

Search, cite, and publish your own answer

People also ask

What is the short answer to "Inside Operation Highland: How Velvet Ant Hid in the Linux Login for a Decade"?

What are the key points to validate first?

What should I do next in practice?

Sources

Comments

Why Standard Cleanup Failed

The Tradecraft Pattern

Attribution and Related Activity

What Defenders Should Do Now