Velvet Ant Didn't Cross The Air Gap. They Owned The Thing That Validates Every Crossing. Nine Years Inside A Critical Infrastructure Network.
- Patrick Duggan
The forensic investigation Sygnia published this week is called Operation Highland. The threat actor is Velvet Ant, tracked by Mandiant as UNC3886, a China-nexus espionage group. The timeline runs from 2016 to 2026. Ten years. The target was critical infrastructure. The network was air-gapped.
They did not cross the air gap. They owned the mechanism that validates every legitimate crossing, and then they sat inside it for a decade while every authorized administrator walked through the door they controlled.
The technical core of Operation Highland is the authentication stack. Velvet Ant replaced pam_unix.so — the PAM module responsible for password authentication on most Linux systems — with backdoored variants across multiple hosts in the target environment. Sygnia found nine distinct backdoored versions, each compiled in a separate build environment. Nine separate builds means nine separate development efforts, which means this was not a one-time deployment. It was a maintained capability, updated and iterated over the period of the operation.
The backdoored PAM module did two things. It accepted a hardcoded secret password that bypassed authentication entirely, allowing the operators to log in as any user on any compromised host without knowing the legitimate credential. And it silently logged every username and password entered by every legitimate user to a hidden file. Every administrator who logged in after the implant was deployed handed Velvet Ant their credentials. The harvest was automatic. The administrators had no indication it was happening.
The OpenSSH binaries received the same treatment. Trojanized SSH binaries were deployed alongside the backdoored PAM modules. The modified binaries supported operator-friendly capabilities that reveal the operational sophistication of the group. A custom -d flag disabled credential and session logging during operator use, so the attacker's own login sessions left no trace in the logs that would otherwise capture authentication events. An scp option masked the SSH process to masquerade as a legitimate kernel thread, making the process invisible to administrators scanning the process list for unexpected connections. The ability to disable SELinux when run as root completed the capability set — an operator with the backdoor password, logging disabled, process masquerading as a kernel thread, and SELinux off, has effective administrative control of the host with no forensic footprint in the standard locations defenders look.
Nine variants of the PAM module. Multiple trojanized SSH binaries. Separate build environments for each. This is a team with a development pipeline for persistence tooling, not a threat actor using commodity malware.
The air gap question is the one that makes this operation architecturally significant rather than just technically sophisticated. The organization that Sygnia investigated had moved sensitive systems to an isolated internal network with no direct internet connection — the standard response to nation-state threat levels. The assumption behind air-gapping is that an attacker who penetrates the internet-facing perimeter cannot reach the air-gapped environment without a physical or deliberately engineered crossing. Velvet Ant's answer to that assumption is the insight at the center of Operation Highland. They did not need to cross the air gap repeatedly. They needed to own the authentication system that administrators use when they cross it legitimately. Every time an authorized administrator authenticated to a system in the air-gapped environment — every time they typed their password — Velvet Ant's PAM module captured that credential and Velvet Ant's SSH backdoor was available for use with the hardcoded password. The air gap was intact. The authentication layer that governs access across it was theirs.
This is the threat model that the air-gap mental model does not account for. Air-gapping is a network-layer control. It prevents direct network connectivity between segments. It does not prevent a compromised authentication system from harvesting credentials from every legitimate session that crosses the boundary. It does not prevent a backdoored SSH binary from accepting connections from operators who have the secret password. The control and the attack surface operate at different layers. The air gap is a network primitive. PAM is an authentication primitive. Owning PAM beats the air gap the way a skeleton key beats a locked door — the door is intact, the lock is intact, the key just opens it.
A decade of undetected presence in a critical infrastructure network with a backdoored authentication stack means ten years of visibility into every administrative action on every compromised host. Every command typed in an SSH session that the trojanized binary was logging. Every password entered by every administrator that the PAM module was capturing. Every internal system that administrators authenticated to during that window, because the credential harvest extended to every system those administrators subsequently accessed with the same credentials. The blast radius of a PAM backdoor is not the host where it is installed. It is every system that trusts the credentials authenticated by that host.
The discovery came from forensic investigation, which means detection did not come from existing monitoring. This matters because the evasion techniques Velvet Ant used — process masquerading as kernel thread, session logging disabled during operator access, SELinux disabled for root sessions — are specifically designed to defeat the monitoring approaches that most organizations rely on. Process-based detection does not catch a malicious SSH binary masquerading as a kernel thread. Log-based detection does not catch sessions that suppress their own log entries. The indicators that Velvet Ant left behind were in the binaries themselves — in the modified pam_unix.so files and the trojanized SSH binaries — and finding those requires active integrity checking of authentication stack components, not passive log review.
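Scanning the process list by name is exactly what the kernel-thread masquerade defeats, but the /proc metadata a renamed user-space binary cannot forge is another matter. The check below is an added example (not Sygnia's or Velvet Ant's code): real kernel threads are children of kthreadd (PID 2), carry PF_KTHREAD in the flags field of /proc/PID/stat, and have no /proc/PID/exe target. The KTHREAD_NAME pattern and the sample records are constructed for the demonstration.

```python
"""Added example, not from Sygnia's report or the Velvet Ant tooling: tell a
real Linux kernel thread from a user-space process renamed to look like one.
Real kernel threads have PPID 2, PF_KTHREAD set in /proc/<pid>/stat and no
/proc/<pid>/exe target; a renamed binary cannot fake all three at once."""
import os, re

PF_KTHREAD = 0x00200000  # include/linux/sched.h
# Names a masquerading process is likely to borrow (constructed heuristic list).
KTHREAD_NAME = re.compile(r"^(kthreadd$|kworker/|ksoftirqd/|migration/|rcu_|kswapd)")

def parse_stat(stat_line):
    """Return (comm, ppid, flags); comm may contain spaces, so split after ')'."""
    lpar, rpar = stat_line.index("("), stat_line.rindex(")")
    rest = stat_line[rpar + 2:].split()  # state ppid pgrp session tty tpgid flags ...
    return stat_line[lpar + 1:rpar], int(rest[1]), int(rest[6])

def suspicious(stat_line, exe):
    """True when a process presents as a kernel thread but lacks a property every
    real one has. exe is the /proc/<pid>/exe target, or None if unreadable."""
    comm, ppid, flags = parse_stat(stat_line)
    claims_kthread = bool(KTHREAD_NAME.match(comm)) or ppid == 2
    really_kthread = ppid == 2 and bool(flags & PF_KTHREAD) and exe is None
    return claims_kthread and not really_kthread

def scan_proc(proc="/proc"):
    """Walk a live /proc (run as root so exe links resolve); return flagged PIDs."""
    flagged = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/stat") as f:
                stat_line = f.read()
        except OSError:
            continue  # process exited mid-scan
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
        except OSError:
            exe = None  # real kernel threads land here
        if suspicious(stat_line, exe):
            flagged.append(int(pid))
    return flagged

# Constructed records (stat line, exe target), not from a real host. 69238880
# (0x4208060) is a typical flags value for a real kworker and includes PF_KTHREAD.
SAMPLE = [
    ("123 (kworker/0:1) S 2 0 0 0 -1 69238880 0 0 0 0 0 0 0 0 20 0 1 0 5 0 0", None),
    ("777 (bash) S 700 777 777 34816 777 4194304 0 0 0 0 0 0 0 0 20 0 1 0 50 0 0", "/bin/bash"),
    ("4242 (kworker/u8:3) S 1 4242 4242 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 90 0 0", "/usr/sbin/sshd"),
]

def flagged_in(sample):
    return [parse_stat(s)[0] for s, exe in sample if suspicious(s, exe)]
```

Only the third sample record is flagged: it borrows a kworker name but has PPID 1, no PF_KTHREAD bit and a resolvable exe link.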
The defender actions here are different from the patching actions that follow most CVE disclosures. There is no CVE for a backdoored PAM module placed by an attacker with initial access. The defensive posture this operation implies is file integrity monitoring on authentication stack components specifically — pam_unix.so, SSH binaries, PAM configuration files — with cryptographic verification against known-good builds rather than behavioral detection of their use. It implies credential rotation as a periodic hygiene practice rather than a breach response, because a PAM module that has been harvesting credentials for an unknown period renders every credential entered during that period potentially compromised. And it implies treating air-gapped environments not as perimeters that block access but as environments where the authentication systems require the same adversarial scrutiny as internet-facing systems, because the attackers are targeting the authentication layer rather than the network boundary.
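The integrity check described above, as an added example (not Sygnia's or the affected organization's tooling): hash the authentication-stack components, baseline them from a trusted build, and report anything modified, missing or newly appeared under the PAM and SSH locations. The AUTH_STACK paths are typical Linux locations and an assumption; demo() builds a constructed directory tree rather than touching a real host.

```python
"""Added example, not Sygnia's tooling: hash the authentication-stack files
the post names and compare them with a baseline from a trusted build,
reporting modified, missing and unexpected files. AUTH_STACK is an assumption."""
import hashlib, os, tempfile
from pathlib import Path

AUTH_STACK = [  # typical Linux locations, adjust per distribution; dirs are walked
    "/lib/security", "/lib64/security", "/lib/x86_64-linux-gnu/security",
    "/etc/pam.d", "/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/scp", "/etc/ssh",
]

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def collect(targets):
    """Expand directories to their files; skip paths absent on this host."""
    files = []
    for t in targets:
        if os.path.isdir(t):
            files += [os.path.join(d, n) for d, _, ns in os.walk(t) for n in ns]
        elif os.path.isfile(t):
            files.append(t)
    return sorted(files)

def build_baseline(targets=AUTH_STACK):
    """Run once on a known-good host; store the result off the host being checked."""
    return {p: sha256_file(p) for p in collect(targets)}

def verify(baseline, targets=AUTH_STACK):
    """Return {path: 'modified'|'missing'|'unexpected'}; {} means no drift."""
    current = build_baseline(targets)
    findings = {p: "missing" for p in baseline if p not in current}
    findings.update({p: "modified" for p in baseline if p in current and current[p] != baseline[p]})
    findings.update({p: "unexpected" for p in current if p not in baseline})
    return findings

def demo():
    """Constructed sample tree (not a real host): baseline it, tamper, re-verify."""
    root = tempfile.mkdtemp()
    mod, cfg = os.path.join(root, "security"), os.path.join(root, "pam.d")
    os.mkdir(mod); os.mkdir(cfg)
    Path(mod, "pam_unix.so").write_bytes(b"vendor build")
    Path(cfg, "sshd").write_text("auth required pam_unix.so\n")
    baseline = build_baseline([mod, cfg])
    Path(mod, "pam_unix.so").write_bytes(b"rebuilt elsewhere")  # replaced module
    Path(mod, "pam_extra.so").write_bytes(b"new")               # dropped-in module
    Path(cfg, "sshd").unlink()                                  # removed config
    return {os.path.relpath(p, root): s for p, s in verify(baseline, [mod, cfg]).items()}
```

Package managers offer a comparable check (rpm -V, dpkg --verify), but their metadata lives on the same host an attacker with root already controls, which is why the baseline here is meant to be stored and compared elsewhere.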
We track this class of operation under the defender mental model that the security infrastructure is the target — the same frame we applied last week to FortiBleed, Splunk, and Cisco SD-WAN. Velvet Ant extends that frame from the enterprise product layer to the operating system authentication layer. The PAM stack is not a security product. It is the authentication primitive that every security product and every system access event on a Linux host depends on. Owning it does not require exploiting a named vulnerability. It requires initial access and the operational discipline to replace a binary without triggering detection. Velvet Ant had both, sustained them for nine years, and harvested everything that every administrator typed in a decade of administrative work on the target's most sensitive systems.
The five percent we will not claim is that Operation Highland is the only active intrusion of this type. The ninety-five percent we will claim is that an air-gapped critical infrastructure network with a backdoored authentication stack, running undetected for a decade, is not an outlier. It is the expected outcome when defenders treat the network boundary as the security model and attackers have learned to treat the authentication layer as the more reliable target.
Check your PAM modules. Verify your SSH binaries. Rotate credentials that may have transited a compromised host. Then ask when anyone last verified the cryptographic integrity of the authentication stack on your most sensitive systems, and whether the answer is measured in days or in years.