The operation, attributed to a threat actor tracked as Velvet Ant and labelled Operation Highland by investigators, exposed a high-risk tactic in cyber espionage: rather than relying only on conventional malware, the intruders replaced trusted OpenSSH binaries and Pluggable Authentication Modules (PAM) with altered versions that stole credentials, logged commands and allowed unauthorised entry.
The earliest forensic traces date to 2016, indicating an intrusion that persisted across years of system operation, security reviews and containment efforts. The targeted environment had no direct internet connectivity, a design meant to limit exposure, but the attackers built a staged path through internet-facing systems and then moved through connected corporate infrastructure to reach the restricted segment.
The case underscores a growing weakness in critical infrastructure defence. Many operators focus heavily on perimeter controls, endpoint alerts and patching, while authentication components, network appliances and legacy systems may receive less scrutiny. Velvet Ant appears to have exploited that gap by embedding access into the login process itself, making normal administrative activity difficult to distinguish from hostile surveillance.
Investigators found that the attackers first compromised public-facing servers and deployed a modified version of GS-Netcat, an encrypted reverse-shell tool that relays sessions through the Global Socket relay network so that neither end needs an inbound port. The binary was disguised as a legitimate system utility and configured to survive reboots through system startup mechanisms. A separate SOCKS5 proxy written in Perl helped route traffic through compromised hosts and support lateral movement.
The intrusion then used web infrastructure as a bridge. Nginx configurations were altered, and FastCGI wrappers were chained to execute commands on back-end systems. One custom tool, named to resemble a routine uptime utility, established SSH connections into the restricted network after receiving parameters through HTTP requests. This allowed the attackers to reach hosts that were not directly exposed online.
The most damaging stage involved control of the authentication layer. PAM is the library that sshd, login, su and sudo call to validate credentials on most Linux systems, and OpenSSH provides the remote access channel that administrators use across server estates. By altering both, Velvet Ant gained visibility into logins and commands while preserving an appearance of normal operations.
Nine variants of a backdoored pam_unix.so module were identified. Some accepted a hardcoded backdoor password, bypassing normal checks. Others captured legitimate usernames and passwords as users logged in. Several versions appeared to have been compiled in different environments, suggesting a structured build process rather than an improvised intrusion.
The OpenSSH modifications were equally intrusive. Altered ssh, sshd and scp binaries captured credentials, recorded shell commands and stored the logs in hidden directories. Some versions included a custom flag that let the operator switch off the tool's own logging, reducing the risk that investigators would later reconstruct attacker actions from the compromised binaries. In some cases, timestamps were manipulated to make malicious files resemble older system artefacts. Modification times are trivial to set with tools such as touch, but the inode change time is maintained by the kernel and is far harder to alter, so comparing the two is worthwhile during triage.
The operation also showed why password resets and session termination may fail when attackers control the component that validates credentials. Resetting passwords before removing the malicious PAM and OpenSSH binaries could simply feed new secrets back to the intruder. That placed defenders in a difficult position: removing the backdoor was necessary, but replacing authentication components incorrectly could lock administrators out of live systems.
The remediation effort required careful host-by-host profiling because the environment contained multiple Linux distributions and versions. Systems without internet access could not pull clean packages directly from trusted repositories, while critical production requirements limited downtime. Replacement components had to be tested, moved into the restricted network through controlled channels and validated immediately after deployment.
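The host-by-host profiling described above can be scripted. What follows is an added example written for this article, not code from the investigation, from the OpenSSH or Linux-PAM projects, or from any vendor tool. It assumes a manifest of known-good SHA-256 hashes prepared from clean packages outside the restricted segment and carried in through a controlled channel, which avoids trusting the host's own package database; the install paths in AUTH_COMPONENTS, the function names and the sample tree it builds are illustrative. It checks each component against the manifest and, separately, looks for a file whose inode change time stands apart from its package siblings, the signal that survives the mtime backdating mentioned earlier.

```python
"""Offline integrity triage for Linux authentication components (added example)."""
import hashlib
import os
import statistics
import tempfile
import time
from pathlib import Path

# Components the article names as replaced. Install paths are assumed
# (Debian-style layout here) and differ between distributions.
AUTH_COMPONENTS = [
    "lib/x86_64-linux-gnu/security/pam_unix.so",
    "usr/sbin/sshd",
    "usr/bin/ssh",
    "usr/bin/scp",
]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare on-disk hashes with known-good hashes from a clean build.

    Returns {relative_path: 'ok' | 'modified' | 'missing'}. The manifest is
    external to the host, so a root-level intruder who edited the package
    database cannot make a replaced binary look legitimate here.
    """
    results = {}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            results[rel] = "missing"
        elif sha256_file(path) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def timestamps(root: Path, rel: str) -> tuple:
    """Return (mtime, ctime) for one component so both can be compared."""
    st = os.stat(root / rel)
    return st.st_mtime, st.st_ctime


def collect_ctimes(root: Path, rels: list) -> dict:
    """Gather st_ctime for the components that exist under root."""
    return {rel: timestamps(root, rel)[1] for rel in rels if (root / rel).is_file()}


def ctime_outliers(ctimes: dict, tolerance: float = 7 * 86400) -> list:
    """Return paths whose ctime is more than `tolerance` seconds from the median.

    utime()/touch can set mtime, but ctime is written by the kernel on every
    inode update. Files from one package share a ctime near install time, so
    one file with a much newer ctime deserves a look even if its mtime looks
    old. Fewer than three samples give no usable baseline.
    """
    if len(ctimes) < 3:
        return []
    baseline = statistics.median(ctimes.values())
    return sorted(rel for rel, ct in ctimes.items() if abs(ct - baseline) > tolerance)


def build_sample_tree() -> tuple:
    """Construct a sample root with one tampered component (constructed data).

    All four files are written clean and hashed into the manifest; the
    pam_unix.so copy is then overwritten and its mtime backdated to 2016,
    imitating the timestamp manipulation the article describes.
    """
    root = Path(tempfile.mkdtemp(prefix="highland-"))
    manifest = {}
    for rel in AUTH_COMPONENTS:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"clean build of " + rel.encode())
        manifest[rel] = sha256_file(path)
    tampered = root / AUTH_COMPONENTS[0]
    tampered.write_bytes(b"rebuilt pam_unix with an extra password check")
    backdated = time.mktime((2016, 1, 1, 0, 0, 0, 0, 0, -1))
    os.utime(tampered, (backdated, backdated))  # sets atime/mtime only; ctime moves to now
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_sample_tree()
    for rel, status in verify_manifest(root, manifest).items():
        mtime, ctime = timestamps(root, rel)
        print(f"{status:8} mtime={time.ctime(mtime)}  ctime={time.ctime(ctime)}  {rel}")
    # Everything here was created moments ago, so the ctimes agree; on a real
    # host the tampered file's ctime would sit far from its package siblings.
    print("ctime outliers:", ctime_outliers(collect_ctimes(root, AUTH_COMPONENTS)))
```

On package-managed hosts, `rpm -Vf /path` or `dpkg --verify` performs a similar hash comparison, but both read the package database on the suspect host, which an intruder with root access could also have rewritten; the external manifest is the check to trust. The ctime comparison is a triage signal rather than proof: an attacker can also set the system clock or edit inodes directly with debugfs, so a clean ctime spread does not clear a host on its own.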
Velvet Ant has been associated with earlier campaigns targeting infrastructure that sits outside routine monitoring. A 2024 case involved legacy F5 BIG-IP appliances used for persistence, while another involved exploitation of a Cisco NX-OS command-injection flaw affecting Nexus switches after attackers obtained administrator-level access. The pattern points to a preference for trusted network and system components that defenders may treat as stable background infrastructure.
Follow Arabian Post