Operation Highland: Velvet Ant APT Spied on Air-Gapped Network for 10 Years
The Chinese state-linked espionage group "Velvet Ant" maintained undetected access to a large organization's critical infrastructure for an extraordinary 10 years, according to researchers at Sygnia, who disclosed the campaign as "Operation Highland." Beginning in 2016, the attackers first compromised vulnerable internet-facing systems and then methodically pivoted into a segregated, air-gapped environment that had no direct internet connection. Velvet Ant, previously documented in 2024 for exploiting F5 BIG-IP appliances and a Cisco NX-OS zero-day on Nexus switches, gained full visibility into the target's administrative activity by seizing control of the organization's authentication stack.
The attack chain began with the compromise of internet-facing servers, after which the threat actors deployed a modified GS-Netcat reverse shell disguised as a legitimate system component. The shell connected to a hardcoded relay domain to provide encrypted remote shell access and persisted through either a malicious systemd service or modified startup scripts. Velvet Ant then installed a custom SOCKS5 proxy whose process masqueraded as 'smbd -D', the usual command line of the Samba daemon, to tunnel network traffic. This turned the compromised servers into internal pivot points and enabled lateral movement into systems that were not directly reachable from the public internet.
The most technically sophisticated stage involved building a remote execution path into the isolated network. Velvet Ant modified the configuration of a compromised internet-facing Nginx server so that specially crafted requests were proxied to a backend server, which in turn forwarded them to a FastCGI process (fcgiwrap) listening on a separate port. Because fcgiwrap simply executes whatever program the FastCGI route points at, this amounts to a command-execution endpoint: the wrapper launched a custom binary named 'uptime' (the name of a harmless system utility) that opened SSH connections to hosts inside the segregated critical infrastructure network, using parameters supplied in the body of HTTP POST requests. By chaining these modifications, the attackers could run commands inside the segregated environment by sending ordinary HTTP requests to the public-facing server, with no direct connection between the internet and the critical systems themselves.
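The three host-level artifacts described above (an Nginx route that hands requests to a FastCGI handler or an unexpected upstream, a process whose command line claims to be a system daemon while its executable lives elsewhere, and a systemd unit that starts a binary from a scratch directory) can all be hunted for with a few lines of Python. The script below is an added example and is not code from Sygnia, from the report, or from the campaign itself; the sample Nginx configuration, process list, unit files and the `EXPECTED_EXE` install paths are constructed assumptions for illustration, not indicators from Operation Highland.

```python
"""Hunting checks for the pivot and persistence artifacts described above.
Added example; sample data and paths are constructed, not real indicators."""
import re
from dataclasses import dataclass

# ---- 1. nginx config: which location blocks forward requests, and to where? ----
# The regex handles flat location blocks only; nested 'if {}' blocks need a real parser.
LOCATION_RE = re.compile(r"location\s+([^{]+?)\s*\{([^}]*)\}", re.S)
FORWARD_RE = re.compile(r"\b(fastcgi_pass|proxy_pass)\s+([^;]+);")
SCRIPT_RE = re.compile(r"fastcgi_param\s+SCRIPT_FILENAME\s+([^;]+);")


def audit_nginx_config(config: str, allowed_upstreams: set) -> list:
    """Return every location whose proxy_pass/fastcgi_pass target is not on the allowlist."""
    findings = []
    for loc in LOCATION_RE.finditer(config):
        path, body = loc.group(1).strip(), loc.group(2)
        for fwd in FORWARD_RE.finditer(body):
            target = fwd.group(2).strip()
            if target in allowed_upstreams:
                continue
            script = SCRIPT_RE.search(body)
            findings.append({
                "location": path,
                "directive": fwd.group(1),
                "target": target,
                # for a FastCGI route this is the program the wrapper will execute
                "script": script.group(1).strip() if script else None,
            })
    return findings


# Constructed sample: one expected upstream plus two routes an administrator never added.
SAMPLE_NGINX_CONF = """
server {
    listen 443 ssl;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
    location /api/ {
        proxy_pass http://10.0.5.20:8080;
    }
    location /status/ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/uptime;
        fastcgi_pass 127.0.0.1:9001;
    }
}
"""


# ---- 2. processes: does the claimed daemon name match the binary actually running? ----
@dataclass
class Proc:
    pid: int
    cmdline: str          # argv as reported by ps
    exe: str              # target of readlink /proc/<pid>/exe
    listen_ports: tuple = ()


# Assumed Debian-style install paths; take these from the host's package manifest in practice.
EXPECTED_EXE = {"smbd": "/usr/sbin/smbd", "sshd": "/usr/sbin/sshd", "nginx": "/usr/sbin/nginx"}


def find_masquerading(procs: list) -> list:
    """Flag processes whose argv[0] names a known daemon but whose executable is somewhere else.
    An exe ending in '(deleted)' (binary unlinked after exec) also fails the comparison."""
    hits = []
    for p in procs:
        name = p.cmdline.split()[0].rsplit("/", 1)[-1]
        expected = EXPECTED_EXE.get(name)
        if expected and p.exe != expected:
            hits.append(p)
    return hits


SAMPLE_PROCS = [  # constructed
    Proc(412, "smbd -D", "/usr/sbin/smbd", (445,)),
    Proc(2231, "smbd -D", "/var/tmp/.x/smbd", (1080,)),   # SOCKS-style listener with a borrowed name
    Proc(880, "/usr/sbin/sshd -D", "/usr/sbin/sshd", (22,)),
]


# ---- 3. systemd units: ExecStart pointing at a scratch or hidden directory ----
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
EXECSTART_RE = re.compile(r"^ExecStart=[-@+!]*(\S+)", re.M)


def suspicious_units(units: dict) -> list:
    """units maps unit file name -> contents; return names whose ExecStart binary is out of place."""
    out = []
    for name, text in units.items():
        m = EXECSTART_RE.search(text)
        if m and (m.group(1).startswith(SCRATCH_PREFIXES) or "/." in m.group(1)):
            out.append(name)
    return out


SAMPLE_UNITS = {  # constructed
    "ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n",
    "sysmon.service": "[Service]\nExecStart=/var/tmp/.x/smbd -D\nRestart=always\n",
}

if __name__ == "__main__":
    for f in audit_nginx_config(SAMPLE_NGINX_CONF, {"http://127.0.0.1:8080"}):
        print("nginx route:", f)
    for p in find_masquerading(SAMPLE_PROCS):
        print("masquerading process:", p.pid, p.cmdline, "->", p.exe)
    for u in suspicious_units(SAMPLE_UNITS):
        print("suspicious unit:", u)
```

On a live host the three inputs come from `nginx -T`, from `/proc/<pid>/cmdline` and `readlink /proc/<pid>/exe`, and from the unit files under `/etc/systemd/system`; the point of the FastCGI check is that any route flagged with a `script` value is a place where an HTTP request turns into a local process, which is exactly the primitive the attackers chained here.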
This decade-long intrusion underscores the importance of continuously monitoring authentication infrastructure and the internet-facing servers that front internal networks. Defenders should regularly audit exposed assets with a port scanner to identify internet-facing services, verify certificate configurations with an SSL/TLS checker, review reverse-proxy and FastCGI configurations for routes that hand requests to local executables, confirm that processes using daemon names such as smbd are running the genuine binaries, inspect systemd units and startup scripts for unexpected entries, and run a WHOIS lookup on suspicious relay domains to support threat intelligence investigations into long-dwell APT activity.