
Velvet Ant’s Decade‑Long Authentication Hijack of Air‑Gapped Network

Chinese Velvet Ant actors hijacked authentication, spied on an isolated network for ten years, and left a complex cleanup nightmare for defenders.

The intrusion lasted a full decade, from 2016 to 2026, according to Sygnia. The ten‑year operation shows how a skilled threat actor can pull off an authentication hijack that spans an air‑gapped network.

Key Takeaways

  • Velvet Ant compromised internet‑facing servers in 2016 and pivoted into a segregated critical‑infrastructure environment.
  • Attackers replaced Linux PAM and OpenSSH binaries, giving them visibility into every login and command.
  • Nine distinct malicious PAM modules indicate a well‑resourced, long‑term campaign.
  • Cleanup required a custom lab and staged rollback to avoid locking out legitimate admins.
  • Similar tactics were seen in 2024 attacks on F5 BIG‑IP and Cisco Nexus devices.

Authentication Hijack Reveals Depth of Velvet Ant’s Operation

When Sygnia researchers first noticed odd traffic patterns on a large organization’s perimeter, they weren’t expecting to uncover a ten‑year espionage run. By the time they traced the chain back to a modified GS‑Netcat reverse shell, the attackers had already baked themselves into the very heart of the authentication process.

From Internet‑Facing to Air‑Gapped

The campaign, dubbed “Operation Highland,” began with compromised internet‑facing servers. Sygnia didn’t disclose the exact product or vulnerability, but they did note that the attackers used a reverse shell disguised as a legitimate component to reach a hard‑coded relay domain. Persistence came via a malicious systemd service or a startup script tweak, giving the actors a foothold that survived reboots.

From there, Velvet Ant deployed a custom SOCKS5 proxy that masqueraded as ‘smbd -D.’ Each daemon ran under a different filename and port, turning the compromised servers into pivot points. That proxy let the group tunnel traffic into internal segments that weren’t directly reachable from the internet.

Building the Remote Execution Bridge

What’s most surprising is how the attackers forged a remote‑execution path into the isolated network without ever touching it directly. They altered an internet‑facing Nginx configuration to proxy specially crafted requests to a compromised backend server. That backend Nginx then forwarded the request to a FastCGI wrapper (fcgiwrap) listening on a separate port.

The FastCGI wrapper acted as an execution bridge, launching a custom binary named ‘uptime.’ That binary opened SSH connections to hosts inside the critical‑infrastructure zone, using parameters supplied in HTTP POST requests. As Sygnia put it:

“By chaining these modifications, Velvet Ant established a remote‑execution path into the segregated environment via simple HTTP requests, with no direct connection to the critical infrastructure network ever required.”

That clever chain meant the attackers could issue commands inside the air‑gapped environment while staying invisible to traditional network monitoring.

Hijacking the Authentication Stack

Once inside, the threat actors focused on the authentication stack itself. They swapped out the legitimate pam_unix.so module with backdoored versions that accepted hard‑coded passwords and harvested credentials. Sygnia identified nine distinct variants of the malicious PAM module, each compiled in a separate environment, which signals a well‑funded operation.

Two of those modules acted solely as backdoors, while the others also collected credentials. The attackers didn’t stop at PAM; they replaced OpenSSH components—including ssh, sshd, and scp—with trojanized binaries that logged usernames, passwords, and every command entered during SSH sessions. The malicious binaries stored the data locally for later exfiltration.

“Administrative activity became fully observable: every login; every command executed across compromised hosts. Access was no longer tied to a specific foothold but embedded into the authentication process itself,” the researchers explained.

By hijacking PAM and OpenSSH, Velvet Ant ensured that credential changes or session terminations wouldn’t cut them off. They could watch every privileged action, making the intrusion effectively invisible to standard containment measures.

Precedents and Parallel Exploits

Velvet Ant isn’t a newcomer to high‑impact exploits. In 2024, Sygnia warned about a campaign that targeted F5 BIG‑IP devices, remaining undetected for three years. The same year, Cisco disclosed a zero‑day in NX‑OS on Nexus switches that Velvet Ant used to gain access to other targets. Those incidents show a pattern: the group favors long‑term stealth over quick ransomware payouts.

Complex Cleanup

When Sygnia finally discovered the compromise, the cleanup was a nightmare. The attackers had replaced so many core binaries that a naive removal would have broken authentication, locked out legitimate admins, and potentially crippled the organization’s operations. To mitigate that risk, the researchers built a lab that mimicked the production environment, profiled each host, and validated the binary‑replacement process before attempting a live rollback.

Even with that preparation, the remediation effort required staged rollbacks, careful monitoring of credential stores, and coordinated communication with the organization’s incident‑response team. The lesson here is that a deep‑level hijack of authentication components can turn a standard patching exercise into a full‑scale disaster recovery scenario.

Historical Context: The Evolution of Authentication Hijacks

Long‑standing attacks on authentication mechanisms predate Velvet Ant’s decade‑long run. Early examples focused on credential dumping from memory, but they rarely altered the authentication stack itself. Over time, threat actors realized that compromising PAM or SSH binaries gives a persistent, low‑visibility channel that survives reboots and OS upgrades.

The 2024 F5 BIG‑IP incident illustrated that trend. Attackers inserted malicious modules into the device’s management plane, then used those modules to maintain a foothold while the vendor rolled out firmware updates. Cisco’s NX‑OS breach followed a similar playbook, swapping out privileged‑access binaries for trojanized versions that collected admin activity.

Those campaigns share three hallmarks with Velvet Ant: a focus on core authentication components, an emphasis on stealth, and a willingness to linger for years. The pattern suggests a strategic shift in the cyber‑espionage playbook, moving from quick‑hit ransomware to patient, data‑focused exploitation.

Technical Architecture Deep Dive

The attack chain can be broken into four logical layers: perimeter compromise, proxy tunneling, execution bridging, and authentication hijack. Each layer relied on open‑source tools that the defenders assumed were benign.

Layer 1 – Perimeter Compromise

Initial footholds landed on internet‑exposed servers. The actors delivered a reverse shell that masqueraded as a legitimate binary, then registered a systemd unit to ensure the shell survived restarts. By embedding the payload in a startup script, they sidestepped detection tools that only scan for newly added services.

Layer 2 – Proxy Tunneling

A custom SOCKS5 daemon, renamed to look like a standard SMB service, listened on non‑standard ports. The daemon accepted connections from the compromised perimeter host and forwarded traffic into the internal network. Because the traffic appeared as regular SMB traffic, network sensors flagged it as benign.

Layer 3 – Execution Bridging

Modified Nginx configurations rerouted HTTP requests to a FastCGI wrapper. The wrapper, originally intended to serve simple CGI scripts, was repurposed to spawn a binary called ‘uptime.’ That binary established outbound SSH sessions to internal hosts, using parameters supplied in the HTTP payload. The entire bridge operated over standard web ports, blending with legitimate traffic.

Layer 4 – Authentication Hijack

Once an SSH session was active, the attackers swapped out the PAM module and OpenSSH binaries. The malicious pam_unix.so variants accepted hard‑coded credentials, allowing the actors to log in without triggering password‑policy alerts. Trojanized ssh and sshd binaries recorded every credential and command, storing the logs locally for later exfiltration. Because the hijack occurred at the authentication layer, any new admin account or password rotation automatically fell under the attackers’ watch.

What This Means For You

If you’re responsible for securing critical infrastructure, the takeaway is stark: protecting the perimeter isn’t enough. Attackers can infiltrate through a single exposed server, then hijack the authentication stack to gain omniscient visibility across an isolated network. That means you need to audit every PAM and OpenSSH binary, enforce strict code‑signing, and monitor for anomalous reverse‑shell traffic—even on systems that appear air‑gapped.

For developers building services that run on Linux, consider integrating integrity‑checking tools that verify the hash of critical libraries at runtime. And for any organization that relies on Nginx as a reverse proxy, tighten your FastCGI configurations and limit the ability to spawn arbitrary binaries via HTTP requests. Ignoring those steps could let a sophisticated actor embed themselves at the very core of your authentication flow.
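One way to do the PAM and OpenSSH audit the paragraph calls for, as an added example that is not part of Sygnia's report or tooling: hash the authentication-critical files against a baseline taken from a known-good image, and also flag any shared object in the PAM directory that the baseline never listed, which is how extra module variants would surface. The Debian-style file paths and the constructed tamper fixture in `demo()` are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the article says Velvet Ant replaced; Debian-style paths are an assumption.
WATCHED = ["lib/security/pam_unix.so", "usr/bin/ssh", "usr/sbin/sshd", "usr/bin/scp"]
PAM_DIR = "lib/security"


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hashes of watched files plus the PAM module inventory (take from a known-good image)."""
    files = {p: sha256_file(root / p) for p in WATCHED if (root / p).is_file()}
    modules = sorted(p.name for p in (root / PAM_DIR).glob("*.so"))
    return {"files": files, "pam_modules": modules}


def audit(root: Path, baseline: dict) -> dict:
    """Report hash mismatches, missing files, and PAM modules the baseline never listed."""
    out = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in baseline["files"].items():
        p = root / rel
        if not p.is_file():
            out["missing"].append(rel)
        elif sha256_file(p) != expected:
            out["modified"].append(rel)
    known = set(baseline["pam_modules"])
    out["unexpected"] = sorted(p.name for p in (root / PAM_DIR).glob("*.so")
                               if p.name not in known)
    return out

def demo() -> dict:
    """Constructed fixture: baseline a clean tree, then tamper with it as the article describes."""
    root = Path(tempfile.mkdtemp())
    for rel in WATCHED + ["lib/security/pam_deny.so"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"clean:" + rel.encode())
    baseline = build_baseline(root)
    (root / "lib/security/pam_unix.so").write_bytes(b"backdoored")  # swapped module
    (root / "lib/security/pam_unix9.so").write_bytes(b"variant")    # extra variant
    (root / "usr/bin/scp").unlink()                                 # binary removed
    return audit(root, baseline)
```

On a real host, run the audit from trusted media rather than from the possibly compromised system, since a root-level intruder can alter the local package database that tools such as `dpkg -V` or `rpm -V` rely on. Keep the baseline off the audited host for the same reason.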

Scenario 1 – Misconfigured FastCGI Allows Arbitrary Execution

A sysadmin enables FastCGI to serve a legacy CGI script and forgets to restrict the executable path. An attacker sends a crafted HTTP POST that triggers the FastCGI wrapper to launch a binary of their choosing. The binary then opens an SSH session to an internal host, bypassing the air‑gap entirely. Regular web‑traffic logs show nothing unusual because the request looks like a normal POST.

Scenario 2 – Undetected Replacement of PAM Modules

During a routine OS upgrade, a package manager inadvertently overwrites a custom‑compiled PAM module with a backdoored version that was previously placed on the system. The new module accepts a hard‑coded password, granting the attacker unrestricted access. Because the module’s signature matches the expected package, conventional integrity checks miss the substitution.

Scenario 3 – Cleanup That Breaks Authentication

An incident‑response team decides to revert all binaries to their original versions without first validating dependencies. The rollback removes the trojanized ssh binary but leaves a lingering custom systemd service that still points to the old binary path. When the service restarts, authentication fails, and legitimate admins are locked out. A staged rollback, as demonstrated by Sygnia, avoids that cascade.

Going forward, can defenders keep pace with threat actors who treat authentication components as a foothold for a decade‑long espionage campaign? Only time will tell, but the stakes have never been higher.

Key Questions Remaining

  • How many other organizations have similar, undetected authentication hijacks lurking in their infrastructure?
  • What automated mechanisms can reliably detect binary substitution without generating false positives?
  • Will future supply‑chain protections address the risk of malicious PAM and SSH binaries being introduced during legitimate updates?
  • How can incident‑response teams design rollback procedures that preserve authentication continuity while removing entrenched threats?

Sources: BleepingComputer, original report

About AI Post Daily

Independent coverage of artificial intelligence, machine learning, cybersecurity, and the technology shaping our future.
