A decade-long intrusion attributed to China-linked Velvet Ant shows how attackers can turn authentication infrastructure into a persistence layer, making ordinary password resets and host cleanup far less effective.

A reported decade-long cyberespionage campaign against an isolated critical infrastructure network is a reminder that segmentation alone is not a complete defense. According to BleepingComputer reporting on Sygnia research, the China-linked Velvet Ant group compromised internet-facing systems, built a path into an environment with no direct internet access, then embedded itself into the organization’s authentication flow.
The campaign, named Operation Highland by Sygnia, matters because the attackers were not only maintaining a shell on a server. They reportedly modified core Linux authentication and remote access components, including Linux PAM modules and OpenSSH binaries, giving them visibility into administrator logins, credentials, and commands. Sygnia described the result bluntly: “Access was no longer tied to a specific foothold.”

The affected platforms and components are familiar enterprise building blocks: internet-facing Linux servers, Nginx reverse proxy configurations, FastCGI via fcgiwrap, SOCKS5 tunneling, PAM, OpenSSH, and historically exposed network infrastructure such as F5 BIG-IP and Cisco NX-OS devices associated with prior Velvet Ant activity. The specific initial vulnerability in this campaign was not named in the provided reporting, which means defenders should treat the lesson as architectural rather than product-specific.
The technical pattern is the important part. Velvet Ant allegedly began with externally reachable servers, deployed a modified GS-Netcat reverse shell, then used custom SOCKS5 proxying to move traffic toward internal systems. From there, altered Nginx configurations helped forward specially crafted HTTP requests to a backend process. That backend used FastCGI as an execution bridge, launching a custom binary that could establish SSH connections into the isolated network.
This is why the phrase “air-gapped” can be misleading in real environments. A network may lack a direct internet route, but if administrators, jump hosts, proxies, shared identity systems, update channels, or management workflows cross the boundary, attackers can abuse those paths. Segmentation reduces exposure. It does not automatically prevent command execution when trusted middleware is already compromised.
The most damaging phase came after access was established. Sygnia reported that Velvet Ant replaced legitimate pam_unix.so files with backdoored variants that accepted hardcoded passwords and harvested credentials. Researchers found nine distinct malicious PAM variants, which suggests repeat development and operational tuning rather than a one-off implant.
That choice is tactically smart and operationally dangerous. PAM is not a normal application dependency. It sits in the authentication path for services that rely on local Linux identity checks. If a malicious PAM module is loaded, a password change may only rotate the credential being collected. If administrators log in to repair the system, they may feed the attacker fresh credentials while creating more command telemetry for the adversary.
OpenSSH tampering extends the same idea into remote administration. By replacing ssh, sshd, and scp, the attackers could reportedly capture credentials, record commands, and store data locally for later retrieval. That kind of compromise changes the incident response model. The question is no longer only “which account was used?” It becomes “which authentication and administration tools can still be trusted?”
For defenders, the practical takeaway is to promote authentication components into the highest tier of monitored assets. PAM modules, sshd binaries, sudo configuration, SSH authorized_keys files, identity provider connectors, Windows LSASS protections, privileged access tooling, and jump host images should be covered by file integrity monitoring, endpoint detection, strict change control, and independent logging. If these components change outside an approved maintenance window, that should produce a high-priority investigation.
Security teams should also test recovery before they need it. Sygnia’s cleanup was difficult because replacing compromised authentication files risked locking out administrators or breaking production access. That is a common incident response trap. The more central a component is to login and administration, the more carefully it must be restored.
A good recovery plan includes known-good operating system images, offline or immutable backups, tested host rebuild procedures, staged binary replacement, emergency local access paths, and rollback plans. For Linux fleets, teams should maintain package verification procedures, compare cryptographic hashes against trusted repositories, and validate PAM and OpenSSH packages from clean media. For critical infrastructure, recovery hosts should be isolated, prebuilt, and periodically tested against realistic failure scenarios.
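As an added example, not from Sygnia's or BleepingComputer's reporting, here is a minimal baseline-and-diff check for the authentication-path files the two paragraphs above say to monitor like production secrets. The file paths in `AUTH_PATH_FILES` are assumed for a typical Linux host, and `demo()` tampers with a constructed copy of `pam_unix.so` in a temporary directory to show what the check reports.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Authentication-path files to baseline (assumed paths for a typical Linux host).
AUTH_PATH_FILES = [
    "/lib/x86_64-linux-gnu/security/pam_unix.so",
    "/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/scp",
    "/etc/pam.d/sshd", "/etc/ssh/sshd_config", "/etc/sudoers",
]

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(paths):
    """Hash, size, mode and owner of every path that exists; keep the result off-host."""
    snap = {}
    for p in paths:
        if os.path.exists(p):
            st = os.stat(p)
            snap[p] = {"sha256": sha256_file(p), "size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}
    return snap

def diff_snapshots(baseline, current):
    """List (path, reason) for files that changed, vanished, or newly appeared."""
    findings = []
    for p, b in baseline.items():
        c = current.get(p)
        if c is None:
            findings.append((p, "missing"))
        elif c["sha256"] != b["sha256"]:
            findings.append((p, "content changed"))
        elif (c["mode"], c["uid"]) != (b["mode"], b["uid"]):
            findings.append((p, "mode or owner changed"))
    findings += [(p, "unexpected new file") for p in current if p not in baseline]
    return findings

def demo():
    """Constructed scenario: baseline two files, then replace the PAM module's
    contents under the same name, as a backdoored pam_unix.so swap would."""
    with tempfile.TemporaryDirectory() as d:
        pam, sshd = Path(d, "pam_unix.so"), Path(d, "sshd")
        pam.write_bytes(b"\x7fELF legit pam_unix")
        sshd.write_bytes(b"\x7fELF legit sshd")
        baseline = snapshot([str(pam), str(sshd)])
        pam.write_bytes(b"\x7fELF backdoored pam_unix")  # same path, new content
        current = snapshot([str(pam), str(sshd)])
        return [(Path(p).name, why) for p, why in diff_snapshots(baseline, current)]
```

On a real host, take `snapshot(AUTH_PATH_FILES)` from the clean image at build time and store it off-host, so a later `diff_snapshots` compares against a baseline the compromised machine cannot rewrite.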
Detection should focus on behavior as well as hashes. Watch for Nginx configuration changes that introduce unusual proxy paths, FastCGI listeners on unexpected ports, daemon names that imitate legitimate processes, outbound encrypted tunnels from servers that should not initiate them, and SSH activity crossing segmentation boundaries in unusual patterns. Logging administrative command execution is useful, but only if logs are shipped off-host quickly enough that a local attacker cannot quietly alter or delete them.
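An added example, not part of the original reporting, of the configuration-side detection described above: an allowlist audit of `proxy_pass` and `fastcgi_pass` directives in an nginx server block, which flags any forwarding target that change control has not approved. The sample config and the approved set are constructed; the `/cgi-bin/` location stands in for the kind of unexpected FastCGI bridge the article describes.

```python
import re

# Constructed sample: one approved reverse-proxy path plus two unapproved
# forwarding rules, one of them a FastCGI hand-off to an fcgiwrap socket.
SAMPLE_NGINX_CONF = """
server {
    listen 443 ssl;
    server_name portal.example.internal;
    location / {
        proxy_pass http://127.0.0.1:8080;   # approved by change control
    }
    location /cgi-bin/ {
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        include fastcgi_params;
    }
    location /api/ {
        proxy_pass http://10.20.30.40:9000;
    }
}
"""

PASS_RE = re.compile(r"^(proxy_pass|fastcgi_pass)\s+(\S+)$")

def audit_nginx_conf(text, approved):
    """Return (directive, target, location, severity) for every forwarding
    directive whose (directive, target) pair is not in the approved set."""
    findings = []
    depth, location, loc_depth = 0, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")  # drop comments
        if not line:
            continue
        depth += line.count("{") - line.count("}")
        if line.startswith("location ") and line.endswith("{"):
            location, loc_depth = line[:-1].split()[-1], depth
        elif location is not None and depth < loc_depth:
            location = None  # left the location block
        m = PASS_RE.match(line)
        if m:
            directive, target = m.groups()
            if (directive, target) not in approved:
                # Any unapproved FastCGI hand-off is an execution bridge candidate.
                severity = "high" if directive == "fastcgi_pass" else "medium"
                findings.append((directive, target, location, severity))
    return findings
```

Run it against the rendered config (`nginx -T`) on a schedule and diff the output against the approved set kept outside the host.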
MFA still matters, but this case shows its limits when the endpoint or authentication layer is already hostile. Hardware-backed phishing-resistant MFA can reduce credential reuse risk, but a malicious PAM or SSH component can still observe local activity and may enable bypass paths if it has been coded to accept a hardcoded secret. MFA should be paired with binary integrity checks, privileged session monitoring, and rebuild-first response playbooks for systems in the authentication path.

The broader lesson is that long-term espionage groups target trust relationships. They look for the systems administrators rely on, the proxies allowed through segmentation, and the authentication modules everyone assumes are clean. Once those layers are compromised, routine containment steps such as password resets, account disablement, and session termination may not be enough.
Organizations running critical infrastructure, manufacturing networks, telecom environments, research systems, or any segmented operational network should review this incident as a control failure scenario. Inventory every path that can carry management traffic into restricted environments. Confirm who owns each proxy rule. Monitor authentication binaries like production secrets. Practice rebuilding identity and access infrastructure from trusted sources. The attack described here lasted years because the adversary lived where defenders expected trust, and that is exactly where monitoring needs to get sharper.
