China-Nexus Hackers Exploit PAM Modules for Stealthy Credential Theft

A China-linked threat actor tracked as Velvet Ant carried out a prolonged intrusion into a large organization's internal network and went undetected for close to a decade. The operation, named Operation Highland, is notable for the actor's patience and technical skill, all the more so because the targeted network had no direct internet connectivity.

Velvet Ant's route in was deliberately indirect. Instead of phishing or brute-force attacks, the group built a multi-stage access chain that took it from internet-facing systems, through the IT network, and finally into the most sensitive, segregated segments of the infrastructure. Along the way it modified publicly available tools so that their behaviour resembled normal administrative activity, which let it slip past standard security controls.

Exploitation of PAM Modules

Once inside the segregated environment, Velvet Ant went after Pluggable Authentication Modules (PAM), the framework that Linux services such as sshd, login and sudo call to authenticate users. The attackers replaced a legitimate module with a malicious build, specifically pam_unix.so, the module that checks passwords against the local shadow database. Because the calling service hands pam_unix.so the cleartext password it collected from the user, a tampered copy sits at exactly the point where every password on the host passes through. The modified module let the attackers bypass normal authentication with a hardcoded backdoor password and, at the same time, harvest the credentials presented during legitimate logins.

The tampered pam_sm_authenticate function, the entry point PAM invokes to verify a password, was written to accept the backdoor password, so the normal verification path could be skipped entirely. To make memory forensics harder, the malicious library overwrote the backdoor password string with NUL bytes once authentication had completed, so the secret did not linger in process memory. A custom flag also suppressed the attacker's own credential and session logging, removing the usual record of their logins.

Implications and Recommendations

Operation Highland shows how nation-state actors keep adapting their tradecraft against critical infrastructure. By embedding themselves in the authentication layer, Velvet Ant obtained persistence that did not depend on any user's password and was invisible to controls that trust the authentication stack itself. Organizations should audit that stack, especially PAM, for unauthorized changes: verify installed modules against the package manager (rpm -V pam on RHEL-family systems, dpkg --verify libpam-modules on Debian and Ubuntu), keep an out-of-band baseline of hashes for the module directory (/usr/lib64/security or /lib/x86_64-linux-gnu/security, depending on distribution) and for /etc/pam.d, and alert on any change. Package verification alone is not sufficient, since an attacker with root can also tamper with the package database, so the baseline should be stored off the host. Monitoring and anomaly detection, particularly for logins that succeed without a matching record in the usual audit sources, complete the picture.
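As an added example, not code from the original report or from the researchers it describes, the following Python script implements the two audits suggested above for the kind of tampering described in the Exploitation of PAM Modules section: a hash comparison of the PAM module directory against a known-good baseline, and a parse of pam.d-style configuration that flags modules loaded from unexpected locations or not on an allow-list. The baseline hashes, the observed hashes, the sshd configuration and the allow-list are all constructed for the example; the default module directory is an assumption and should be set to the distribution's real path.

```python
"""Added example: offline audit of PAM modules and PAM configuration.

Check 1: compare observed SHA-256 hashes of the module directory with a
         known-good baseline (from a clean package or an earlier snapshot).
Check 2: parse /etc/pam.d-style files and flag entries that load a module
         from outside the expected directory or that are not on an allow-list.
All sample data in this file is constructed for the example.
"""
import hashlib
import os
import re
from dataclasses import dataclass


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large modules need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_directory(module_dir: str) -> dict:
    """Return {filename: sha256} for every regular (non-symlink) file in module_dir."""
    result = {}
    for name in sorted(os.listdir(module_dir)):
        path = os.path.join(module_dir, name)
        if os.path.isfile(path) and not os.path.islink(path):
            result[name] = sha256_file(path)
    return result


def compare_hashes(observed: dict, baseline: dict) -> dict:
    """Classify modules as modified, unexpected (absent from baseline) or missing."""
    return {
        "modified": sorted(n for n in observed if n in baseline and observed[n] != baseline[n]),
        "unexpected": sorted(n for n in observed if n not in baseline),
        "missing": sorted(n for n in baseline if n not in observed),
    }


@dataclass
class PamEntry:
    service: str
    mtype: str     # auth, account, password or session
    control: str   # required, sufficient, [success=1 default=ignore], ...
    module: str    # pam_unix.so, or an absolute path
    args: list


# type  control-or-[bracketed control]  module  optional args
_LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_config(service: str, text: str) -> list:
    """Parse one pam.d file; comments, blank lines and @include lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        mtype, control, module, args = m.groups()
        entries.append(PamEntry(service, mtype.lstrip("-"), control, module, args.split()))
    return entries


def find_suspicious_entries(entries, allowed_modules, module_dir="/lib/security"):
    """Flag modules loaded by path from outside module_dir, or not on the allow-list.

    module_dir is an assumed default; pass the distribution's real directory.
    """
    prefix = module_dir.rstrip("/") + "/"
    findings = []
    for e in entries:
        if "/" in e.module and not e.module.startswith(prefix):
            findings.append((e, "module loaded from outside the expected directory"))
        elif os.path.basename(e.module) not in allowed_modules:
            findings.append((e, "module not on allow-list"))
    return findings


# Constructed sample: an sshd stack into which an extra module from a writable
# path has been inserted. Not a real artefact from the incident.
SAMPLE_SSHD = """\
# PAM configuration for sshd (constructed sample)
auth       required     pam_env.so
auth       sufficient   /tmp/.cache/pam_helper.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       requisite    pam_deny.so
@include common-account
session    optional     pam_keyinit.so force revoke
"""

ALLOWED = {"pam_env.so", "pam_unix.so", "pam_deny.so", "pam_keyinit.so", "pam_permit.so"}

# Constructed baseline and observation: pam_unix.so no longer matches the
# baseline, which is what a trojanised replacement looks like to this check.
BASELINE = {"pam_unix.so": "a" * 64, "pam_env.so": "b" * 64}
OBSERVED = {"pam_unix.so": "c" * 64, "pam_env.so": "b" * 64, "pam_helper.so": "d" * 64}

if __name__ == "__main__":
    print(compare_hashes(OBSERVED, BASELINE))
    for entry, reason in find_suspicious_entries(parse_pam_config("sshd", SAMPLE_SSHD), ALLOWED):
        print(f"{entry.service}: {entry.mtype} {entry.control} {entry.module} -> {reason}")
```

On a live host, replace OBSERVED with hash_directory() over the real module directory and BASELINE with hashes taken from a clean package or stored off the host, and run parse_pam_config over every file in /etc/pam.d. The hash comparison catches a replaced pam_unix.so like the one described; the configuration scan catches the other common variant, where the original module is left alone and an additional module is inserted into the stack.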

The incident is a reminder that defensive practice has to keep pace with attackers willing to invest years in a single target. As threat actors refine their methods for getting in and staying in, organizations must keep strengthening their defences to protect sensitive information and maintain operational integrity.