News Article · Jun 14, 2026 at 12:39 AM
Chinese Hackers Hid in Linux Login System for a Decade in 'Operation Highland'
Security #critical infrastructure #Velvet Ant #Operation Highland #Chinese hackers #PAM backdoor #OpenSSH #air-gapped network #Sygnia #cyberespionage

Chinese espionage group Velvet Ant compromised an organization's authentication stack, hiding in Linux PAM and OpenSSH for 10 years to spy on an isolated critical infrastructure network.

Chinese state-sponsored hackers known as Velvet Ant maintained undetected access to a critical infrastructure organization's isolated network for nearly a decade by backdooring the Linux authentication system itself. The campaign, dubbed Operation Highland by incident response firm Sygnia, began in 2016 and was only discovered in 2026.

Sygnia researchers found that the attackers replaced legitimate Linux Pluggable Authentication Modules (PAM) with nine distinct malicious variants, each compiled in a separate build environment. The backdoored modules accepted hardcoded passwords and harvested user credentials, giving the group full visibility into every administrative login and command executed across compromised hosts.

Attack Chain: From Internet-Facing Servers to Air-Gapped Networks

The intrusion began with the compromise of internet-facing servers, though Sygnia did not disclose the specific product or vulnerability used. Velvet Ant deployed a modified GS-Netcat reverse shell disguised as a legitimate system component, achieving persistence through malicious systemd services or startup script modifications.

Key technical steps in the attack chain included:

  • Installation of a custom SOCKS5 proxy masquerading as 'smbd -D' to tunnel traffic to internal systems not directly accessible from the internet.
  • Modification of an internet-facing Nginx server to proxy specially crafted requests to a compromised backend server, which then forwarded them to a FastCGI process acting as an execution bridge.
  • Deployment of a custom binary named 'uptime' that established SSH connections into the air-gapped critical infrastructure network using parameters supplied in HTTP POST requests.
  • Replacement of OpenSSH components (ssh, sshd, scp) with trojanized versions that captured credentials and logged commands during SSH sessions.
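
One of the steps above is a proxy launched as 'smbd -D' so that it blends into a process list. The following is an added example (not part of the article and not Sygnia's tooling) of the defender-side check that catches that pattern: compare what a process claims to be with the executable it actually runs, and flag binaries running from world-writable directories or deleted from disk after start. The expected install paths, the suspicious directories and the sample process records are constructed assumptions.

```python
"""Flag processes whose claimed name does not match the executable they actually run.
Added example, not code from the article or from Sygnia."""
import os
from pathlib import Path

# Hypothetical allow-list: where these daemons are installed on this fleet.
EXPECTED_EXE = {
    "smbd": {"/usr/sbin/smbd"},
    "sshd": {"/usr/sbin/sshd"},
    "nginx": {"/usr/sbin/nginx"},
}
# World-writable locations a packaged daemon should never execute from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def check_process(proc):
    """proc: {'pid': int, 'cmdline': [argv...], 'exe': resolved /proc/<pid>/exe target}.
    Returns the reasons the process looks like it is masquerading (empty if none)."""
    reasons = []
    argv0 = os.path.basename(proc["cmdline"][0]) if proc["cmdline"] else ""
    exe = proc["exe"]
    deleted = exe.endswith(" (deleted)")
    path = exe[: -len(" (deleted)")] if deleted else exe
    if deleted:
        reasons.append("executable was deleted from disk after start")
    if path.startswith(SUSPICIOUS_DIRS):
        reasons.append(f"executable runs from {os.path.dirname(path)}")
    if argv0 and argv0 != os.path.basename(path):
        reasons.append(f"argv[0] '{argv0}' does not match executable '{os.path.basename(path)}'")
    expected = EXPECTED_EXE.get(argv0)
    if expected and path not in expected:
        reasons.append(f"'{argv0}' is expected at {sorted(expected)}, not {path}")
    return reasons


def scan(processes):
    """Map pid -> reasons for every process that raised at least one flag."""
    return {p["pid"]: r for p in processes if (r := check_process(p))}


def read_proc():
    """Collect live records from /proc (Linux only; reading the exe link of another
    user's process needs root). Not exercised by the constructed sample below."""
    records = []
    for d in Path("/proc").iterdir():
        if not d.name.isdigit():
            continue
        try:
            argv = [a.decode(errors="replace")
                    for a in (d / "cmdline").read_bytes().split(b"\0") if a]
            exe = os.readlink(d / "exe")
        except OSError:  # kernel threads have no exe; other processes may be unreadable
            continue
        records.append({"pid": int(d.name), "cmdline": argv, "exe": exe})
    return records


# Constructed sample records, not captured from a real host.
SAMPLE_PROCESSES = [
    {"pid": 812,  "cmdline": ["/usr/sbin/smbd", "-D"], "exe": "/usr/sbin/smbd"},
    {"pid": 4021, "cmdline": ["smbd", "-D"],           "exe": "/var/tmp/.cache/proxy"},
    {"pid": 4022, "cmdline": ["/usr/sbin/sshd", "-D"], "exe": "/usr/sbin/sshd (deleted)"},
    {"pid": 1,    "cmdline": ["/sbin/init"],           "exe": "/usr/lib/systemd/systemd"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCESSES).items():
        print(pid, "; ".join(reasons))
```

Run against `read_proc()` on a live host, the check produces known benign mismatches (pid 1 in the sample shows one: `/sbin/init` is a symlink to systemd), so the output is a triage list to compare against a per-fleet baseline rather than an alert on its own. The "deleted" case matters because a process can keep running after its binary is removed, and a process whose argv[0] names a service but whose exe is not that service's packaged path is exactly the 'smbd -D' decoy described above.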

Implications for Critical Infrastructure Security

The Velvet Ant group was previously documented in 2024 targeting F5 BIG-IP devices for three years, and Cisco warned that year of a zero-day in NX-OS exploited by the same group. Operation Highland demonstrates that attackers can embed themselves in authentication infrastructure, where standard endpoint detection tools rarely look.

Sygnia noted that by controlling PAM and OpenSSH, the threat actor made administrative activity fully observable: every login and every command across compromised hosts was captured. Access was no longer tied to a specific foothold but embedded into the authentication process itself. Organizations with air-gapped networks should audit their PAM and OpenSSH configurations for unauthorized modifications and monitor for unusual authentication behavior.
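
Auditing PAM and OpenSSH for unauthorized modification, as the paragraph above recommends, comes down to two checks: are the modules named in /etc/pam.d the ones you expect and loaded from where you expect, and do the on-disk modules and SSH binaries still match a known-good baseline. The following is an added example (not code from the article or from Sygnia) of both checks. The module allow-list, the standard module directories, the sample pam.d file and the stand-in binaries are constructed assumptions.

```python
"""Audit PAM configuration and verify PAM modules and OpenSSH binaries against a
known-good baseline. Added example, not code from the article or from Sygnia."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Hypothetical allow-list of modules this host is expected to load; build the real one
# from the distro package database or a golden image, not from the suspect host.
PAM_MODULE_ALLOWLIST = {
    "pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so", "pam_limits.so",
    "pam_nologin.so", "pam_faildelay.so", "pam_systemd.so", "pam_selinux.so",
}
# Directories a distro-packaged PAM module normally lives in (assumed layout).
PAM_MODULE_DIRS = {"/lib/security", "/lib64/security", "/usr/lib/security",
                   "/usr/lib64/security", "/lib/x86_64-linux-gnu/security"}

# pam.d line: [-]type  control-or-[bracketed control]  module  [args]
PAM_LINE = re.compile(r"^-?(?P<type>\w+)\s+(?P<ctrl>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")


def audit_pam_config(text, allowlist=PAM_MODULE_ALLOWLIST):
    """Return (line_no, reason) findings for the contents of one /etc/pam.d file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("@include"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            findings.append((no, "unparseable line"))
            continue
        module, ctrl = m.group("module"), m.group("ctrl")
        reason = None
        if module.startswith("/") and os.path.dirname(module) not in PAM_MODULE_DIRS:
            reason = f"module loaded from non-standard path {module}"
        elif os.path.basename(module) not in allowlist:
            reason = f"module {os.path.basename(module)} not in allow-list"
        if reason:
            if m.group("type") == "auth" and ctrl == "sufficient":
                reason += "; 'sufficient' on the auth stack lets it approve a login alone"
            findings.append((no, reason))
    return findings


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_baseline(baseline, root="/"):
    """baseline maps a path relative to root to its known-good SHA-256.
    Returns {path: 'ok' | 'MODIFIED' | 'MISSING'}."""
    results = {}
    for rel, expected in baseline.items():
        p = Path(root) / rel
        if not p.is_file():
            results[rel] = "MISSING"
        else:
            results[rel] = "ok" if sha256_file(p) == expected else "MODIFIED"
    return results


# Constructed sample of /etc/pam.d/sshd, not taken from a real host.
SAMPLE_SSHD_PAM = """\
# constructed sample
auth       required     pam_env.so
auth       sufficient   /tmp/.cache/pam_unix.so nullok
auth       required     pam_unix.so
account    required     pam_nologin.so
-session   optional     pam_systemd.so
session    [success=ok ignore=ignore default=bad] pam_selinux.so close
session    required     pam_limits.so
"""


def demo_integrity_check():
    """Create constructed stand-ins for sshd, ssh and pam_unix.so under a temp root,
    baseline them, then overwrite sshd and remove ssh as tampering would, and verify."""
    root = tempfile.mkdtemp()
    files = {
        "usr/sbin/sshd": b"\x7fELF sshd (constructed)",
        "usr/bin/ssh": b"\x7fELF ssh (constructed)",
        "lib/security/pam_unix.so": b"\x7fELF pam_unix (constructed)",
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    baseline = {rel: sha256_file(Path(root) / rel) for rel in files}
    (Path(root) / "usr/sbin/sshd").write_bytes(b"\x7fELF sshd (replaced)")
    (Path(root) / "usr/bin/ssh").unlink()
    return verify_baseline(baseline, root)


if __name__ == "__main__":
    for no, why in audit_pam_config(SAMPLE_SSHD_PAM):
        print(f"pam.d line {no}: {why}")
    for path, state in demo_integrity_check().items():
        print(f"{state:9} {path}")
```

On a real host run `audit_pam_config` over every file in /etc/pam.d and take the baseline hashes from package metadata (`rpm -V` or `debsums`) or from a golden image, never from the host under review. Because the article reports nine module variants built in separate environments, matching published file hashes is a weak control; comparing against your own known-good baseline does not depend on recognising a specific sample. Do the comparison from trusted boot media or an independent host, since the trojanized ssh/sshd described here means a session into the suspect machine may itself be observed.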

Fact check

  • The Velvet Ant group maintained undetected access to an isolated critical infrastructure network for 10 years, from 2016 to 2026.

  • The attackers replaced legitimate Linux PAM modules with nine distinct malicious variants, each compiled in a separate build environment.

  • Velvet Ant previously targeted F5 BIG-IP devices in a campaign that operated undetected for three years, as documented in 2024.

  • The attack chain involved modifying Nginx configurations to proxy requests through a FastCGI process to reach the air-gapped network.
