For ten years, someone walked into this network whenever they wanted. They forced no door and cracked no password. They simply became part of the system that decides who gets in. Research by Sygnia, an incident response firm, revealed this week a cyber-espionage operation running since at least 2016: a China-linked group, dubbed Velvet Ant, lived inside an isolated network at a critical infrastructure organization for roughly a decade, with full visibility into everything the administrators did.
What makes this case different is not the duration, although ten years without detection is frightening on its own. It is where they settled in. They did not go after the data or the applications. They went after the trust layer, the mechanism that verifies who is who. Once you control that, you do not need to steal keys: you become the one who makes them.
How they stayed invisible
Instead of planting the usual malware, which modern defenses tend to catch, the attackers rewrote two foundations of the system. First, they replaced Linux's authentication modules (PAM, the software that decides whether a password is correct) with altered versions that accepted secret passwords and quietly harvested the real credentials as they were used. Then they swapped out OpenSSH components (the program that allows secure remote connections to a server) for tampered copies that logged every command typed in every session and stored it all locally.
According to Sygnia, «by extending control to the authentication process by modifying the PAM and OpenSSH components, the threat actor had access to credentials as they were used in the target environment and could bypass the authentication flow». Nine distinct variants of the module were found, each compiled in a separate environment, a sign of a patient, well-resourced operation. Changing passwords did not evict them. Killing sessions did not evict them. Their traffic left through a hidden channel disguised as a legitimate system service.
Why this is your problem too
It may sound distant, a critical infrastructure network somewhere in the world. But the pattern is the same in any organization. Portugal's National Cybersecurity Centre, in its «Risks and Conflicts 2025» report, notes that the time an intruder stays in a network before being detected, the so-called dwell time, is often measured in months or years, and points to the trade in stolen credentials as one of today's trends. Ninety percent of the country's critical-sector organizations, from energy to healthcare, from water to ports, say they feel a heightened risk. This case is the extreme version of that problem: proof that the trust we place in the login can be misplaced, if the login mechanism itself can be swapped out under the hood.
There is a forensic lesson here. When the system that records who entered and what they did is itself compromised, the logs stop being evidence. It is like a security camera controlled by the very person you are trying to catch. So defending a network cannot come down to building higher walls, more passwords, more authentication prompts. It has to include independently verifying that the foundations themselves have not been tampered with.
What to do
For anyone running systems, there are concrete measures that change the game:
- Verify the integrity of authentication binaries. Compare your PAM modules and OpenSSH components against known-good versions, regularly, and investigate any difference.
- Assume compromise. Working from the premise that someone may already be inside changes how you monitor and segment the network.
- Do not rely on password rotation alone. If credentials are captured the moment they are used, changing them just hands the attacker the new ones.
- Invest in detection, not only prevention. What catches a patient intruder is strange behavior over time, not the barrier at the door.
- Watch processes with innocent names. A hidden communication channel usually disguises itself as an ordinary system service.
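The first measure above, checking authentication binaries against a known-good baseline, is small enough to script. The following POSIX shell example is added here as an illustration and is not code from Sygnia's research or from the source article; the file names, the manifest format (one `sha256sum` line per file) and the constructed "tampered" copies are assumptions made for the demonstration, not real modules. The check reports three kinds of finding: a file whose hash no longer matches the baseline, a baseline file that has disappeared, and a file on disk that the baseline never listed (a ninth "variant" of a module, for instance).

```shell
#!/bin/sh
# Added example (not from the original article or from Sygnia): compare a
# directory of authentication components against a known-good SHA-256
# manifest. The manifest must come from a trusted source (a clean package
# download or a golden image), never from the host under investigation.

# verify_manifest MANIFEST DIR
# Prints one line per finding (MODIFIED, MISSING, UNEXPECTED) and, as the
# last line, "findings=<n>".
verify_manifest() {
    manifest="$1"; dir="$2"; findings=0
    # Pass 1: every file the baseline lists must exist with the same hash.
    while read -r expected name; do
        [ -z "$name" ] && continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING    $name"; findings=$((findings+1)); continue
        fi
        actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED   $name"; findings=$((findings+1))
        fi
    done < "$manifest"
    # Pass 2: anything on disk that the baseline does not know about.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        grep -q " $name\$" "$manifest" || {
            echo "UNEXPECTED $name"; findings=$((findings+1))
        }
    done
    echo "findings=$findings"
}

# demo_run: build a constructed baseline, then simulate a host where one
# component was replaced, one was removed and an extra module appeared.
# Prints the number of findings (expected: 3).
demo_run() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/good" "$tmp/live"
    # Constructed stand-ins for real binaries; the contents are arbitrary.
    printf 'pam_unix v1\n' > "$tmp/good/pam_unix.so"
    printf 'sshd v1\n'     > "$tmp/good/sshd"
    printf 'ssh v1\n'      > "$tmp/good/ssh"
    # Baseline manifest taken from the trusted copies.
    ( cd "$tmp/good" && sha256sum pam_unix.so sshd ssh ) > "$tmp/manifest"
    # "Live" host: pam_unix.so intact, sshd altered, ssh gone, extra module.
    cp "$tmp/good/pam_unix.so" "$tmp/live/"
    printf 'sshd v1 with extra code\n' > "$tmp/live/sshd"
    printf 'extra\n' > "$tmp/live/pam_extra.so"
    verify_manifest "$tmp/manifest" "$tmp/live" | tail -n 1 | cut -d= -f2
    rm -rf "$tmp"
}

demo_run
```

Two caveats follow from the article itself. The baseline has to be produced somewhere the attacker never controlled, otherwise the "known-good" hashes are just the tampered files hashing themselves; the distribution's own package verification (`rpm -V` or `dpkg --verify`) is a convenient source, but its metadata lives on the same host and can be altered too. And because the host's `sha256sum`, kernel and shell may all be under the same control as its PAM and OpenSSH, a check that matters is run from a trusted boot medium or against a disk image taken offline, not from a login session on the suspect machine.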
For ten years, this organization felt secure. It had passwords, it had logs, it had an isolated network. What it did not have was any assurance that the system in charge of verifying identity was still working for it. The uncomfortable question this case leaves with everyone is simple: when did we last check who holds our keys?
Original source: BleepingComputer; research by Sygnia («Operation Highland»).
#StaySafe
🙏🖖