Chinese Hackers Hid Inside Isolated Network for 10 Years

Key Takeaways

- Chinese threat group Velvet Ant maintained undetected access to an isolated critical infrastructure network for a full decade
- Attackers hijacked authentication by modifying PAM and SSH binaries, letting them bypass security and capture credentials
- The intrusion chain used disguised reverse shells, SOCKS5 proxies, and chained Nginx configurations to reach air-gapped systems
A Decade of Invisible Access
Security firm Sygnia has published findings on what it calls Operation Highland. A Chinese cyberespionage group known as Velvet Ant compromised a large organization's internal network in 2016 and stayed hidden until researchers discovered the intrusion in 2026.
The target network had no direct internet connection. It was air-gapped, the kind of setup organizations use for their most sensitive systems. Velvet Ant got in anyway.
The attackers started by compromising internet-facing servers. Sygnia did not disclose the specific product or vulnerability used in the initial breach. From there, Velvet Ant pivoted inward, chaining together custom tools and configuration changes until they reached systems that were supposed to be unreachable.
How the Attack Chain Worked
Velvet Ant's intrusion followed a methodical pattern. Each step gave the attackers deeper access while avoiding detection.
First, the group deployed a modified version of GS-Netcat, an open-source reverse shell tool. They disguised it as a legitimate system component and hardcoded a relay domain for command and control. The shell provided encrypted remote access. Persistence came through either a malicious systemd service or modifications to startup scripts.

Next came network tunneling. The attackers installed a custom SOCKS5 proxy that let them route traffic to internal systems not directly accessible from the internet. The proxy ran as a daemon, masquerading as 'smbd -D' (the Samba daemon). They used different filenames and ports on each compromised host, turning those servers into pivot points for lateral movement.

Reaching the Air-Gapped Network
The most sophisticated part of Operation Highland was building a remote execution path into the isolated network. This required chaining multiple configuration changes across compromised systems.
Velvet Ant modified the configuration of a compromised Nginx server facing the internet. They set it up to proxy specially crafted HTTP requests to a backend server they also controlled. That backend server had its own Nginx configuration altered to forward requests to a FastCGI process called fcgiwrap, listening on a separate port.
The FastCGI wrapper served as an execution bridge. It processed incoming requests and launched a custom binary named 'uptime.' This tool established SSH connections to systems inside the isolated critical infrastructure network using parameters supplied in HTTP POST requests.
In plain terms: the attackers built a tunnel from the public internet, through multiple compromised servers, into a network that was supposed to have zero external connectivity.
Owning the Authentication Stack
Beyond the network access, Velvet Ant targeted the trust layer of the operating system itself. They modified core Linux system files including PAM (Pluggable Authentication Modules) and SSH binaries.
These modifications gave the attackers two capabilities. They could bypass authentication entirely, logging into systems without valid credentials. They could also capture credentials as legitimate users logged in, giving them an expanding pool of access.
“This campaign showcases a new level of sophistication where attackers do not just steal credentials, but own the trust layer of the operating system itself.”
— Anonymous Security Researcher commenting on Sygnia's findings
This approach explains the decade-long persistence. Traditional security tools look for malware, suspicious network traffic, or unauthorized access attempts. When the attackers control the authentication system, every login looks legitimate. The intrusion becomes invisible to standard monitoring.
Velvet Ant's Track Record
This is not the first time Velvet Ant has made headlines. In 2024, Sygnia documented a separate campaign targeting F5 BIG-IP devices that ran undetected for three years. That same year, Cisco warned of a zero-day vulnerability in NX-OS running on Nexus switches that Velvet Ant exploited to compromise targets.
The group consistently targets network infrastructure: load balancers, switches, authentication systems. These components handle traffic for entire organizations but often receive less security scrutiny than endpoints or servers.
Detection Challenges
Security practitioners on Hacker News and Reddit's r/netsec have been dissecting the technical details. The consensus: this type of attack is extremely difficult to catch.
Velvet Ant used what researchers call 'living off the land' techniques. They modified existing system binaries rather than dropping new malware. They used legitimate tools like SSH and Nginx. They masqueraded their processes as normal system daemons.
Traditional endpoint detection and antivirus solutions look for known malware signatures or obviously suspicious behavior. When attackers modify core system files, they become part of the operating system. The compromised binaries pass integrity checks because the attackers control what 'integrity' means.
Community members pointed to file integrity monitoring as one potential defense. Systems like AIDE or Tripwire can detect changes to critical binaries. But these tools require a known-good baseline and generate alerts that need investigation. Many organizations struggle to maintain that discipline over years.
Implications for Critical Infrastructure
Air-gapped networks exist because organizations need to protect their most critical systems: power grids, water treatment plants, financial systems, manufacturing controls. The assumption is that physical separation provides security that software cannot.
Operation Highland demonstrates that air gaps are not absolute. Attackers with enough patience and skill can bridge them. The question becomes whether organizations are monitoring for the bridging attempts.
Sygnia's research suggests many are not. A decade is long enough for entire IT teams to turn over. Configuration changes pile up. Institutional knowledge of what 'normal' looks like fades. The attackers count on this entropy.
Logicity's Take
Ten years is a long time to hide anywhere, let alone inside a network designed to be unreachable. Operation Highland shows that sophisticated attackers do not need zero-days or exotic malware. They need patience and a deep understanding of how systems work. The defense is equally unglamorous: rigorous integrity monitoring, baseline documentation, and treating infrastructure changes with the same suspicion as endpoint alerts.
What Organizations Should Check
Based on Sygnia's findings, security teams should examine several areas.
- Verify integrity of PAM modules and SSH binaries against known-good hashes
- Audit Nginx and other proxy configurations for unexpected forwarding rules
- Review systemd services and startup scripts for unfamiliar entries
- Check for processes masquerading as legitimate daemons (smbd, httpd) running from unusual paths
- Monitor for internal SOCKS5 proxy traffic, especially on non-standard ports
None of these checks are exotic. All of them require sustained effort to maintain. That gap between knowing what to do and actually doing it consistently is where attackers like Velvet Ant operate.
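As an added example (not Sygnia's tooling and not code from the article), the following POSIX shell script implements three of the checks above on a Linux host: a hash baseline comparison for files such as PAM modules and SSH binaries (the file integrity monitoring point raised earlier), an audit of nginx proxy_pass and fastcgi_pass rules against an allowlist, and a scan for processes whose command name is a known daemon but whose executable lives somewhere else. The baseline file, the upstream allowlist, the daemon-path list and the /etc/integrity locations are assumed inputs that you would generate for your own environment.

```shell
#!/bin/sh
# Host audit helpers for the Velvet Ant tradecraft described in the article.
# Added example: this is not Sygnia's code or anything from the article.
# Assumed inputs (adjust to your environment):
#   - a baseline file in sha256sum format ("<hash>  <path>" per line),
#     generated on a known-good host or from distribution packages
#   - an allowlist of upstreams that nginx is expected to forward to
#   - a list of "<daemon-name> <expected-executable-path>" pairs

# 1. Integrity check: compare each file in the baseline against its recorded
#    hash. Prints MISSING/MODIFIED lines; returns 1 if anything differs.
check_baseline() {
    baseline="$1"
    status=0
    [ -r "$baseline" ] || { echo "baseline $baseline not readable"; return 2; }
    while read -r expected path; do
        [ -z "$path" ] && continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$baseline"
    return "$status"
}

# 2. Proxy audit: list every proxy_pass / fastcgi_pass target in an nginx
#    configuration dump that is not on the allowlist. The Operation Highland
#    chain hinged on exactly such forwarding rules. Returns 1 if any are found.
audit_nginx() {
    conf="$1"
    allow="$2"
    unexpected=$(grep -hoE '(proxy_pass|fastcgi_pass)[[:space:]]+[^;]+' "$conf" \
        | awk '{print $2}' | sort -u | grep -vxF -f "$allow" || true)
    if [ -n "$unexpected" ]; then
        printf 'UNEXPECTED upstream: %s\n' $unexpected
        return 1
    fi
    return 0
}

# 3. Masquerade check: walk a /proc-style tree and flag processes whose argv[0]
#    basename is a known daemon name (smbd, httpd, ...) but whose executable is
#    not at the expected path. Run as root on a live host: reading
#    /proc/<pid>/exe of other users' processes is otherwise denied, and such
#    processes are printed with exe=? so they get a manual look.
check_masquerade() {
    procroot="${1:-/proc}"
    expected="$2"
    status=0
    for d in "$procroot"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        argv0=$(tr '\0' '\n' < "$d/cmdline" | head -n 1)
        [ -z "$argv0" ] && continue          # kernel threads have no cmdline
        name=${argv0##*/}
        want=$(awk -v n="$name" '$1 == n { print $2 }' "$expected")
        [ -z "$want" ] && continue
        exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
        if [ "$exe" != "$want" ]; then
            echo "MASQUERADE pid=${d##*/} argv0=$argv0 exe=$exe"
            status=1
        fi
    done
    return "$status"
}

# Entry point for a live host: `sh audit.sh run`. The three input paths are
# assumed locations; nginx -T dumps the full effective config, includes and all.
if [ "${1:-}" = "run" ]; then
    rc=0
    check_baseline /etc/integrity/baseline.sha256 || rc=1
    if nginx -T > /tmp/nginx-effective.conf 2>/dev/null; then
        audit_nginx /tmp/nginx-effective.conf /etc/integrity/nginx-allow.txt || rc=1
    fi
    check_masquerade /proc /etc/integrity/daemon-paths.txt || rc=1
    exit "$rc"
fi
```

Generate the baseline from a trusted source (a freshly installed host, or the distribution's package database, which `rpm -V` or `dpkg --verify` can cross-check) and keep it off the monitored host. Because the article's point is that the attackers owned the trust layer, run these checks with a known-good copy of the tools, for example from a read-only rescue medium, rather than trusting the host's own sha256sum and readlink.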
Frequently Asked Questions
What is Velvet Ant?
Velvet Ant is a China-nexus cyberespionage threat group that targets network infrastructure including load balancers, switches, and authentication systems. Sygnia has documented multiple campaigns attributed to this group.
How did hackers breach an air-gapped network?
Velvet Ant compromised internet-facing servers first, then chained Nginx proxy configurations and FastCGI wrappers to route HTTP requests into the isolated network. They used SSH connections triggered by POST request parameters to reach air-gapped systems.
Why wasn't the intrusion detected for 10 years?
The attackers modified core authentication binaries (PAM and SSH), making their access appear legitimate. They used living-off-the-land techniques, avoiding traditional malware that security tools would flag.
What is Operation Highland?
Operation Highland is the name Sygnia researchers gave to Velvet Ant's decade-long espionage campaign against a large organization's critical infrastructure network, running from 2016 to 2026.
How can organizations detect similar attacks?
File integrity monitoring for critical binaries, auditing proxy configurations, reviewing startup services, and monitoring for internal SOCKS5 traffic can help detect these techniques.
Need Help Implementing This?
If your organization runs critical infrastructure or maintains air-gapped environments, reviewing your authentication stack and proxy configurations should be a priority. Reach out to our team at Logicity.in for guidance on integrity monitoring strategies and detection approaches for advanced persistent threats.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer
تعتبر المهمة الجديدة خطوة هامة نحو استكشاف الفضاء وتطوير التكنولوجيا. سوف تشمل المهمة إرسال رواد فضاء إلى سطح القمر لconducting تجارب علمية. ستسهم هذه المهمة في تطوير فهمنا للفضاء وتحسين التكنولوجيا المستخدمة في استكشاف الفضاء.