Chinese hackers hijack auth flow, spy on isolated network for a decade

Sygnia uncovered “Operation Highland,” a 10-year espionage campaign by the Velvet Ant threat group that infiltrated an organization’s authentication stack and an isolated critical-infrastructure network. The attackers used modified access tools, backdoored PAM modules, and trojanized OpenSSH components to maintain persistence, steal credentials, and observe all administrative activity. #VelvetAnt #OperationHighland #Sygnia #PAM #OpenSSH

Keypoints

  • Velvet Ant carried out a 10-year cyber-espionage operation against a large organization.
  • The intrusion began on internet-facing systems and later reached an isolated network.
  • Attackers used a modified GS-Netcat shell and a custom SOCKS5 proxy for persistence and tunneling.
  • They built a remote execution path into the segregated environment through chained Nginx and FastCGI changes.
  • Velvet Ant replaced PAM and OpenSSH components to steal credentials and monitor all administrative activity.
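
The replaced PAM modules and OpenSSH components described above are the kind of tampering a file-integrity check against a known-good baseline catches. The script below is an added example, not code from Sygnia or from the article: it hashes a constructed set of files (a stand-in for pam_unix.so and sshd), records a baseline, simulates an in-place replacement of the PAM module, and re-verifies. The paths, manifest format and sample file contents are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from Sygnia or BleepingComputer): compare PAM modules and
# OpenSSH binaries against a trusted sha256 manifest so that a replaced
# pam_unix.so or sshd shows up as a hash mismatch. All paths and sample files
# below are constructed for this demonstration.
set -u

# verify_manifest MANIFEST ROOT
# MANIFEST lines use sha256sum format: "<sha256>  <path relative to ROOT>".
# Prints one line per missing or modified file; returns 1 if any, 0 if clean.
verify_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue          # skip blank lines
        f="$root/$relpath"
        if [ ! -f "$f" ]; then
            echo "MISSING  $relpath"; bad=1; continue
        fi
        actual=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $relpath"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# demo_run: builds a constructed root with a pristine PAM module and sshd,
# records a baseline, then replaces the PAM module in place (simulating a
# backdoored pam_unix.so) and re-verifies.
# Returns 0 only if the check flags exactly the tampered file.
demo_run() {
    root=$(mktemp -d)
    mkdir -p "$root/lib/security" "$root/usr/sbin"
    printf 'pristine pam_unix\n' > "$root/lib/security/pam_unix.so"
    printf 'pristine sshd\n'     > "$root/usr/sbin/sshd"
    # Baseline taken from the clean state (in practice: vendor package hashes
    # or a manifest recorded from a trusted image, never from the live host).
    ( cd "$root" && sha256sum lib/security/pam_unix.so usr/sbin/sshd ) \
        > "$root/baseline.sha256"

    # Simulated tampering: the PAM module is overwritten with a modified copy.
    printf 'pristine pam_unix + credential logger\n' > "$root/lib/security/pam_unix.so"

    if report=$(verify_manifest "$root/baseline.sha256" "$root"); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$root"
    echo "$report"
    [ "$rc" -eq 1 ] && [ "$report" = "MODIFIED lib/security/pam_unix.so" ]
}

demo_run
```

On a real host the equivalent check is `rpm -V pam openssh-server` or `debsums -c` against the distribution's own package metadata, plus the same hash comparison for files that no package owns (an extra module dropped into the PAM directory, for instance). The caveat a practitioner should keep in mind: an attacker with root for years can also alter the package database, `sha256sum` or the manifest itself, so the baseline and the tools that read it must come from outside the host, for example a clean live image or the vendor's published hashes.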

Read More: https://www.bleepingcomputer.com/news/security/chinese-hackers-hijack-auth-flow-spy-on-isolated-network-for-a-decade/