A sophisticated cyberespionage campaign, dubbed ‘Operation Highland,’ has been uncovered by researchers at Sygnia. The operation involved hijacking an organization’s authentication flow and maintaining access to a critical infrastructure network for over a decade.
The campaign began in 2016, targeting vulnerable internet-facing systems before pivoting to an ‘air-gapped’ environment with no direct internet connection. The attackers compromised F5 BIG-IP devices, exploiting a zero-day vulnerability in NX-OS running on Nexus switches. This allowed them to gain access to targets and establish persistence.
The attack began with the compromise of internet-facing servers, where Velvet Ant deployed a modified GS-Netcat reverse shell disguised as a legitimate system component. The attackers connected to a hardcoded relay domain, providing encrypted remote shell access. To achieve persistence, they installed a custom SOCKS5 proxy for network traffic tunneling, enabling them to reach internal systems.
The most interesting aspect of the attack was building a remote execution path into the isolated network. Velvet Ant modified the configuration of a compromised internet-facing Nginx server to proxy specially crafted requests to a compromised backend server. This allowed them to establish SSH connections to systems within the isolated critical infrastructure network using parameters supplied in HTTP POST requests.
Having established their access, the attackers shifted focus to long-term persistence and credential theft by targeting Linux Pluggable Authentication Modules (PAM). They replaced legitimate ‘pam_unix.so’ modules with backdoored versions that accept hardcoded passwords and harvest user credentials. Sygnia identified nine distinct variants of the malicious PAM module, indicating a well-resourced threat actor.
The attackers also replaced OpenSSH components such as ssh, sshd, and scp with trojanized versions that captured credentials, logged commands entered during SSH sessions, and stored the collected data locally for future retrieval. By extending control to the authentication process, Velvet Ant had access to credentials as they were used in the target environment and could bypass the authentication flow.
Administrative activity became fully observable: every login; every command executed across compromised hosts. Access was no longer tied to a specific foothold but embedded into the authentication process itself. The hackers ensured their persistence despite password changes and session terminations, reducing the effectiveness of conventional containment measures.
Sygnia notes that even after discovering the compromise, remediating it and removing Velvet Ant from the compromised environment was particularly complicated. The threat actors had replaced so many critical components with custom versions that removing them was likely to break authentication, lock legitimate administrators out, and cause operational outages.
To tackle this problem, the researchers built a testing lab to validate the binary replacement process, profiled each host, tested the results, and prepared rollback procedures before attempting the cleanup. Sygnia recommends that defenders treat authentication components as critical security assets and protect them with EDR, file integrity monitoring, hardened privileged access, multi-factor authentication (MFA), and continuous monitoring for unauthorized modifications.
Organizations should plan for offline recovery, including strict backups with an adequate schedule for automatically creating snapshots with immutable copies. The restoration process should consider testing the backups and recovery hosts running operating systems that have been validated, along with the recovery scripts.
Source: Original article