
For nearly a decade, a sophisticated China-nexus threat group known as Velvet Ant maintained a covert presence in the Linux login layer, conducting what has been dubbed "Operation Highland." This campaign highlights the escalating ingenuity of cyber adversaries targeting critical authentication components in order to persist undetected.
Velvet Ant, tracked by Sygnia, strategically targeted critical Linux authentication components, particularly Pluggable Authentication Modules (PAM) and OpenSSH. Rather than deploying new malware, they stealthily modified these components to grant unauthorized access or passively log legitimate user credentials.
A PAM backdoor is an unauthorized modification to the PAM stack that lets an adversary manipulate how authentication decisions are made. Such a backdoor can accept a specific attacker-chosen password, granting covert access that ordinary monitoring does not flag, because the login looks like any other successful authentication.
Operation Highland is the name researchers gave to Velvet Ant's prolonged campaign of silently infiltrating Linux systems through backdoored PAM and OpenSSH. The long-term stratagem involved an array of clandestine methods, from granting access via secret passwords to capturing legitimate credentials.
The attack exploited the authentication layer's critical role as a gatekeeper for system access. By compromising PAM and OpenSSH, Velvet Ant harnessed a blend of stealth and persistence, skirting around traditional detection mechanisms intended for malware or endpoint anomalies.
Velvet Ant crafted backdoors with two primary functionalities:
- Secret-Password Variant: permits direct access using secret credentials known only to the intruders.
- Credential-Capture Variant: logs real credentials as users authenticate, furnishing the attackers with a database of authentic login details.
Nine versions of these backdoors are known, showing a long-running, evolving effort to maintain undetected access and credential-exfiltration capabilities.
Air-gapped networks, such as the one targeted in Operation Highland, are often assumed to be secure because of their isolation. Velvet Ant nonetheless began its intrusion through internet-facing systems, showing that even isolated networks need vigilance at their entry points.
In standard cyber defense, resetting passwords or closing active sessions are common responses to an intrusion. Yet these measures fail when the authentication system itself has been compromised: a backdoor that accepts a secret password is unaffected by a reset, and one that captures credentials simply records the new ones. Standard containment maneuvers are therefore inadequate; true remediation requires verifying the integrity of the trusted components themselves.
To thwart similar persistence threats, organizations must:
- Conduct regular integrity checks on authentication layers and other critical components.
- Engage in proactive threat hunting beyond reactive alerting responses.
- Reduce the number of internet-facing systems to minimize potential adversary footholds, in line with the principles of External Attack Surface Management (EASM).
The recognition that attacks like Operation Highland start with the compromise of external systems underscores the importance of continuously mapping the internet-facing footprint. By reducing these initial points of contact, EASM limits early adversary access and strengthens the security posture preemptively.
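The integrity check recommended above, as an added example that is not from the original post or from Sygnia's research: it hashes the PAM policy directory, the PAM module directories and the OpenSSH server binary and configuration (assumed locations for common distributions), writes a baseline on the first run, and on later runs reports files that were modified, added or removed since that baseline.

```python
import hashlib
import json
import sys
from pathlib import Path

# Locations of PAM policy, PAM modules and the OpenSSH server on common
# distributions; an assumption, adjust to the host's actual layout.
AUTH_PATHS = ["/etc/pam.d", "/etc/ssh/sshd_config", "/usr/sbin/sshd",
              "/lib/security", "/lib64/security", "/lib/x86_64-linux-gnu/security"]


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths) -> dict:
    """Map every regular file under the given paths to its digest (or an unreadable marker)."""
    manifest = {}
    for root in map(Path, paths):  # a path absent on this host contributes nothing
        files = [root] if root.is_file() else [f for f in root.rglob("*") if f.is_file()]
        for f in files:
            try:
                manifest[str(f)] = sha256_file(f)
            except OSError as err:  # e.g. sshd_config is often readable by root only
                manifest[str(f)] = f"unreadable:{err.errno}"
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report files whose digest changed, plus files added or removed since the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


if __name__ == "__main__":  # usage: script.py [baseline.json]; the baseline is written on first run
    baseline = Path(sys.argv[1] if len(sys.argv) > 1 else "auth-baseline.json")
    current = build_manifest(AUTH_PATHS)
    if not baseline.exists():
        baseline.write_text(json.dumps(current, indent=1))
        sys.exit(0)
    diff = compare_manifests(json.loads(baseline.read_text()), current)
    print(json.dumps(diff, indent=1))
    sys.exit(1 if any(diff.values()) else 0)  # non-zero exit when anything drifted
```

Keep the baseline off the host or on read-only media, since an intruder with root can rewrite it alongside the backdoored module; distribution package verification (rpm -Va, dpkg --verify) gives an independent second check.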
For further reading and insights, explore Sygnia's research and SC Media's detailed coverage. For more ways to secure your external footprint, visit our EASM platform page.