The discovery that a single threat actor maintained a secret foothold within a high-security environment for over a decade fundamentally challenges the traditional assumptions of modern digital sovereignty. Operation Highland represents a rare case where an advanced persistent threat, known as Velvet Ant, managed to circumvent air-gapped defenses through a combination of extreme patience and technical ingenuity. This analysis aims to dissect the mechanisms of this ten-year intrusion, offering a comprehensive look at how attackers bypassed physical isolation and maintained a presence without triggering alarms. By understanding these methodologies, cybersecurity professionals can better prepare for a environment where perimeter defenses are no longer sufficient to guarantee safety.
The objective of this exploration is to answer the most pressing questions surrounding the Velvet Ant group and their specialized toolkit. Readers can expect to learn about the specific zero-day vulnerabilities exploited, the creative use of legacy protocols to bridge network gaps, and the insidious way the group hijacked internal authentication modules to hide in plain sight. As organizations move toward 2026 and beyond, the lessons learned from this breach provide a blueprint for defending against similar high-level espionage campaigns that prioritize long-term intelligence gathering over immediate disruption.
Introduction
Operation Highland stands as a significant milestone in cyber-espionage history due to the sheer longevity and sophistication of the intrusion. While many campaigns are measured in months, this operation successfully persisted for ten years by targeting the very infrastructure designed to protect a network. The threat actor, Velvet Ant, demonstrated an exceptional ability to adapt their tactics as defensive technologies evolved, shifting from basic exploits to the subversion of core operating system components.
This breach was not a simple case of a single infected machine but rather a systematic compromise of critical infrastructure that was supposedly isolated from the public internet. The significance of this case lies in the realization that physical isolation is not an absolute barrier against a determined adversary. The scope of this content covers the lifecycle of the attack, the technical bridges built by the adversary, and the complex remediation efforts required to reclaim the network without causing a total operational collapse.
Key Questions: Understanding the Mechanics of the Breach
What Defined Operation Highland and Why Did It Persist for Such an Extended Period?
The persistence of the operation was primarily due to the group’s focus on stealth and the exploitation of edge devices that often lack traditional endpoint monitoring. By identifying and utilizing zero-day vulnerabilities in enterprise hardware, such as F5 BIG-IP devices and Cisco Nexus switches, the attackers established a foothold that remained invisible to standard security software. This strategy allowed them to operate at the network layer, where they could observe and manipulate traffic before it even reached the internal logging systems.
Moreover, the group utilized a modified version of GS-Netcat to create a reverse shell that was cleverly disguised as a legitimate system process. By integrating this shell into the systemd service architecture, the attackers ensured that their access would survive reboots and updates. This level of integration meant that even if a specific vulnerability was patched, the backdoor remained active, providing a reliable gateway for the actors to return whenever necessary over the course of the decade.
How Did the Threat Actors Manage to Penetrate Networks That Were Physically Isolated?
Bridging the gap to an air-gapped network required a highly creative proxy chain that turned standard web servers into execution bridges. The attackers modified internet-facing Nginx servers to recognize specifically crafted HTTP POST requests, which were then forwarded through a series of internal proxies. These requests eventually reached a backend server where a FastCGI wrapper was used to execute a custom binary. This binary did not perform standard web tasks; instead, it acted as a tunnel to establish SSH connections into the isolated critical infrastructure segment.
This multi-stage proxying meant that commands could be sent to the isolated network under the guise of normal web traffic. By using non-standard ports and legitimate-looking binaries like a fake uptime tool, the attackers bypassed the physical and logical barriers that usually prevent external access. This ingenious use of proxying highlighted a major vulnerability in how organizations manage traffic between different security zones, proving that even segregated networks are vulnerable to sophisticated tunneling techniques.
What Specific Techniques Were Used to Subvert System Authentication Modules?
One of the most damaging aspects of the breach involved the hijacking of the Linux Pluggable Authentication Modules, commonly known as PAM. Velvet Ant deployed several versions of a malicious module that allowed them to enter the system using a hardcoded master password while simultaneously logging the credentials of legitimate administrators. By embedding themselves directly into the authentication flow, the attackers rendered password rotations and basic identity management protocols useless, as they captured every new credential in real-time.
In addition to PAM modules, the threat actor replaced standard OpenSSH binaries with trojanized versions that recorded every command executed by the staff. This allowed them to understand the internal workflows of the organization and maintain total visibility over administrative actions. Because these changes occurred at the library and binary level, they were extremely difficult to detect without specialized file integrity monitoring tools, giving the attackers a permanent and nearly invisible seat at the administrative table.
What Made the Cleanup of This Specific Intrusion so Complex for Security Teams?
The remediation process was fraught with risk because the attackers had replaced essential system components that were required for the operating system to function correctly. Simply deleting the malicious modules or binaries would have broken the authentication chain, potentially locking every legitimate user out of the network and causing a massive shutdown of critical services. This created a scenario where the cure could have been just as damaging to the organization as the original infection itself.
To overcome this hurdle, responders had to build a complete replica of the compromised environment in a testing lab to validate every cleanup step before applying it to the live systems. This involved profiling every host to match specific binary versions and ensuring that the replacement of trojanized files would not trigger a system failure. The meticulous nature of this operation underscored the reality that once an attacker has compromised the core authentication stack, the path to recovery is a slow and delicate process that requires extreme precision.
Summary: A Decade of Stealth and Subversion
The Velvet Ant campaign illustrates that the most dangerous threats are those that prioritize long-term invisibility over immediate impact. By focusing on authentication modules and edge infrastructure, the group maintained a presence that spanned ten years, successfully bridging the gap into isolated networks. This operation proves that traditional perimeter defenses are often insufficient when faced with an adversary capable of rewriting the rules of system authentication. The technical proficiency required to maintain such an intrusion suggests a level of resources and patience typically associated with state-sponsored activities.
Key takeaways from this investigation highlight the importance of protecting the authentication stack with the same rigor as the root account. Monitoring for unauthorized changes to core libraries like PAM and OpenSSH is essential for detecting advanced persistent threats. Furthermore, the use of creative proxy chains to reach air-gapped systems serves as a warning that network segmentation must be paired with deep packet inspection and behavioral analysis. Organizations must now assume that their internal environments are targetable, regardless of their physical isolation status.
Conclusion: Final Thoughts on Future Defensive Strategies
The investigation into Operation Highland concluded that the traditional reliance on air-gapping as a final security measure was no longer a foolproof strategy against modern adversaries. Security teams realized that the focus must shift toward verifying the integrity of the operating system itself, rather than just scanning for known malware signatures. The breach demonstrated that once an actor integrated their code into the authentication modules, they effectively owned the identity of the entire organization. This shift in perspective prompted a move toward more robust file integrity monitoring and the implementation of multi-factor authentication that is resistant to module-level hijacking.
Reflecting on the decade of unseen access, it became clear that the attackers utilized the very tools meant for system administration to facilitate their movement. This behavior emphasized the need for zero-trust architectures where no process, even one appearing as a system daemon, is implicitly trusted. As organizations moved forward from this incident, they adopted stricter controls over their internal binaries and a more skeptical approach to network traffic between zones. The legacy of Velvet Ant remains a powerful reminder that vigilance must be continuous, and the most effective defenses are those that look inward as often as they look toward the horizon.
