Chinese hackers took control of a target organization's authentication stack and maintained persistence for 10 years, with full visibility into the administrative activity.
Dubbed "Operation Highland," the intrusion is attributed to the Velvet Ant cyberespionage threat group, which targeted vulnerable internet-facing systems before pivoting to a network with no direct external path.
Chinese hackers of the “Velvet Ant” activity cluster breached the isolated critical infrastructure network of a large organization and conducted cyber-espionage operations for 10 years.
The campaign, dubbed “Operation Highland” by Sygnia researchers who discovered it, began in 2016, targeting vulnerable internet-facing systems before pivoting to an “air-gapped” environment with no direct internet connection.
Velvet Ant’s lengthy espionage operations were documented in 2024, when Sygnia warned of a campaign targeting F5 BIG-IP devices that operated undetected for three years.
Also in 2024, Cisco warned of a zero-day in NX-OS running on Nexus switches, which was exploited by Velvet Ant to gain access to targets.
Velvet Ant attack chain
The attack begins with the compromise of internet-facing servers, though the researchers don’t mention the specific product or any vulnerability used.
Velvet Ant deployed a modified GS-Netcat reverse shell disguised as a legitimate system component that connected to a hardcoded relay domain, providing encrypted remote shell access.
The shell achieved persistence either via a malicious systemd service or through startup script modification.
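As an added defensive example (not code from the Sygnia report or from this article), the following Python audits systemd unit files for the masquerading persistence pattern described above: a service whose binary lives outside package-managed paths, hides in a dot-directory, or carries a hardcoded relay host. The unit texts are constructed samples, and the path and domain values are assumptions rather than indicators from the report.

```python
import re
from pathlib import PurePosixPath

# Directories where distribution packages normally install service binaries.
TRUSTED_DIRS = ("/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec", "/bin", "/sbin", "/lib")
# Hostname-looking tokens with at least two dots (a hardcoded relay domain, for example).
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+){2,}\b", re.I)

# Constructed sample unit files: one benign, one masquerading as a system helper.
SAMPLE_UNITS = {
    "sshd.service": (
        "[Unit]\nDescription=OpenSSH server daemon\n[Service]\n"
        "ExecStart=/usr/sbin/sshd -D\nRestart=on-failure\n"
    ),
    "dbus-helper.service": (
        "[Unit]\nDescription=D-Bus helper\n[Service]\n"
        "Environment=RELAY_HOST=relay.example.com\n"
        "ExecStart=/usr/local/lib/.cache/dbus-helper -q\nRestart=always\n"
    ),
}

def parse_service(unit_text: str) -> dict[str, list[str]]:
    # Collect key=value lines; repeated keys such as Environment= accumulate.
    fields: dict[str, list[str]] = {}
    for line in unit_text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith(("[", "#", ";")):
            key, _, value = line.partition("=")
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def audit_unit(name: str, unit_text: str) -> list[str]:
    # Returns human-readable findings; an empty list means nothing looked odd.
    findings: list[str] = []
    fields = parse_service(unit_text)
    if "ExecStart" not in fields:
        return findings
    parts = fields["ExecStart"][-1].lstrip("-@:+!").split()  # strip systemd exec prefixes
    if not parts:
        return findings
    exe, args = parts[0], parts[1:]
    if not exe.startswith(tuple(d + "/" for d in TRUSTED_DIRS)):
        findings.append(f"{name}: ExecStart binary outside package-managed paths: {exe}")
    if any(part.startswith(".") for part in PurePosixPath(exe).parts[1:]):
        findings.append(f"{name}: hidden directory in ExecStart path: {exe}")
    # A relay address baked into arguments or environment is a strong signal.
    for tok in args + fields.get("Environment", []):
        for m in DOMAIN_RE.finditer(tok):
            findings.append(f"{name}: hardcoded host in unit definition: {m.group(0)}")
    return findings

def audit_units(units: dict[str, str]) -> list[str]:
    return [f for name, text in units.items() for f in audit_unit(name, text)]
```

Run `audit_units(SAMPLE_UNITS)` against the constructed units, or feed it the contents of /etc/systemd/system and /usr/lib/systemd/system on a host to triage; startup scripts such as rc.local need a separate diff against a known-good baseline.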