Chinese Hackers Exploit Authentication Flaws to Spy on Isolated Networks for a Decade
Chinese hackers compromised the authentication process of a target organization’s systems, maintaining covert access to an air-gapped network for a decade.
Operation Highland: A Decade-Long Cyber Espionage Campaign
Researchers from Sygnia identified the campaign, naming it Operation Highland, which began in 2016 and persisted until at least 2026. The intrusion, attributed to the Velvet Ant cyberespionage group, involved manipulating authentication mechanisms to achieve long-term surveillance of administrative activities.
Initial Exploitation and Transition to Air-Gapped Network
The attack chain started with the compromise of internet-facing servers, though the specific vulnerabilities or products involved were not disclosed. The attackers then moved into a physically isolated network with no direct external connectivity, using a custom SOCKS5 proxy that ran as a daemon whose process name mimicked the Samba daemon (smbd -D).
Tools and Techniques Used
Attackers deployed a modified version of GS-Netcat, a reverse shell tool, disguised as a legitimate system component. This tool connected to a hardcoded relay domain, enabling encrypted remote access. Persistence was achieved through either a malicious systemd service or modifications to startup scripts.
Subverting Linux PAM and OpenSSH
The attackers subverted Linux Pluggable Authentication Modules (PAM) by replacing legitimate pam_unix.so modules with backdoored variants. Nine distinct PAM module variants were identified, with two functioning as credential harvesters. OpenSSH components, including ssh, sshd, and scp, were also tampered with, capturing credentials and logging SSH session commands.
Challenges in Remediation
Remediating the breach proved complex due to the extensive replacement of critical system components. Removing malicious binaries risked disrupting authentication workflows, prompting Sygnia to develop a testing environment for validation and rollback plans.
Recommendations for Organizations
The report highlights the importance of securing authentication infrastructure through endpoint detection and response (EDR) tools, file integrity monitoring, and multi-factor authentication (MFA). Organizations are advised to maintain offline backups with immutable snapshots and validate recovery processes to mitigate similar threats.
Defenders must prioritize monitoring for unauthorized modifications to critical system components and adopt proactive measures to detect and respond to such sophisticated intrusions.
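As an added illustration, not taken from the Sygnia report or this article, the script below applies the file-integrity and process-monitoring checks recommended above to the components this campaign targeted: it baselines and re-verifies pam_unix.so and the OpenSSH binaries, and flags any process whose command line claims to be smbd but whose executable is not the genuine Samba binary. The file paths and the expected smbd location are assumptions for a Debian-style host.

```python
import hashlib
import os
from pathlib import Path

# Assumed Debian/Ubuntu locations of the components the campaign replaced;
# adjust for your distribution (e.g. /lib64/security on RHEL-style systems).
WATCHED_FILES = [
    "/lib/x86_64-linux-gnu/security/pam_unix.so",
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/usr/bin/scp",
]
# Where the genuine Samba daemon is expected to live (assumption).
GENUINE_SMBD = {"/usr/sbin/smbd"}

def sha256_file(path):
    """Hex SHA-256 of a file, or None if it is absent."""
    try:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()
    except FileNotFoundError:
        return None

def build_baseline(paths):
    """Snapshot hashes of the watched files; keep this copy off-host."""
    return {p: sha256_file(p) for p in paths}

def find_drift(baseline):
    """List every watched file whose live hash no longer matches the baseline."""
    findings = []
    for path, expected in baseline.items():
        current = sha256_file(path)
        if current != expected:
            findings.append((path, "missing" if current is None else "modified"))
    return findings

def masquerading_daemons(proc_root="/proc", name="smbd", genuine=GENUINE_SMBD):
    """Flag processes whose argv[0] claims to be `name` but whose executable
    is not a genuine binary, the trick used to hide the SOCKS5 proxy."""
    suspects = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            argv0 = (entry / "cmdline").read_bytes().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(entry / "exe")
        except OSError:
            continue  # process exited or we lack permission to inspect it
        if os.path.basename(argv0) == name and exe not in genuine:
            suspects.append((int(entry.name), argv0, exe))
    return suspects
```

Run build_baseline(WATCHED_FILES) on a known-good host and store the result offline; later runs of find_drift and masquerading_daemons should return empty lists, and anything else warrants investigation.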
