Velvet Ant spent 10 years inside an air-gapped network by trojaning Linux authentication

BleepingComputer

A Chinese cyberespionage group known as Velvet Ant maintained covert access to an air-gapped critical infrastructure network for approximately ten years, beginning in 2016 and discovered only in 2026, according to research by Sygnia, reported by BleepingComputer. The operation — dubbed Operation Highland — illustrates that physical network isolation alone is not sufficient protection against a patient, technically sophisticated adversary.

What is an air-gapped network, and why does it matter?

An air-gapped network is one that has no connection to the internet or any external network. Traffic cannot flow in or out over a standard network link. Organizations running power grids, industrial control systems, classified government networks, or sensitive financial infrastructure often rely on air gaps as their last line of defense — the assumption being that without a network path, remote attackers simply cannot reach those systems.

Operation Highland shows that assumption can be wrong, given enough time and determination.

How Velvet Ant bridged the gap

The attack unfolded in stages, each one extending the group's reach deeper into the target organization:

  • Stage 1 — Internet-facing foothold: Velvet Ant first compromised servers that were exposed to the public internet, establishing reverse shells and SOCKS5 proxies to move laterally through the organization's regular internal network.
  • Stage 2 — Crossing the air gap: The attackers then built an HTTP-to-SSH execution bridge — a relay that forwarded commands from the internet-connected network into the isolated environment. This is the mechanism that physically crossed the air gap: the isolated network had no internet access, but an internal host could relay instructions from one side to the other.
  • Stage 3 — Trojaning the authentication stack: Once inside the isolated network, Velvet Ant replaced critical Linux system binaries. Specifically, they swapped out the legitimate PAM (Pluggable Authentication Modules) library and OpenSSH executables — ssh, sshd, and scp — with modified versions containing hidden backdoors.

Why replacing PAM is so dangerous

PAM is the layer of Linux that handles authentication for virtually every login mechanism: SSH logins, local console access, sudo commands, and more. By replacing PAM with a trojaned version, attackers embed themselves into the authentication process itself rather than sitting as a separate process that could be detected and killed.

The practical consequences are severe. Because the backdoor lives inside the authentication stack, changing passwords does nothing — every new credential is harvested at the moment it is used to authenticate. The attackers gained full visibility into all administrative activity across compromised hosts, collecting credentials from every login and every command executed under privileged sessions. Even a full password rotation would feed fresh credentials directly to the attackers.

Replacing OpenSSH binaries compounds this: the trojaned sshd could silently accept attacker-controlled keys or log all session content, while appearing to function normally to system administrators.

Ten years undetected

The duration is as significant as the technique. Velvet Ant maintained this access from 2016 through to its discovery in 2026. That kind of persistence is only possible when the implant is deeply embedded in trusted system components, blends with legitimate system behavior, and operates in an environment where binary integrity checks are not routine.

Air-gapped environments often receive less security scrutiny than internet-connected ones, precisely because they are assumed to be safe. That assumption creates a detection blind spot.

What defenders should take from this

Operation Highland points to several gaps that are common even in high-security environments:

  • Binary integrity verification: Critical Linux binaries — especially PAM and SSH components — should be cryptographically verified against known-good hashes. Tools like aide, tripwire, or dm-verity on embedded systems can detect unauthorized replacements.
  • Segmentation is not a moat: Air gaps slow attackers; they do not stop them. Any host that bridges two network segments — even indirectly — is a potential crossing point.
  • Audit logging that cannot be modified by the host: If the logging system runs on the same compromised host, a trojaned PAM or SSH binary can suppress or falsify entries. Append-only remote syslog to an out-of-band receiver is essential.
  • Assume long dwell times: Threat hunting in isolated environments should not assume that absence of recent alerts means absence of compromise. Velvet Ant was inside for a decade.
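A baseline-and-verify check for the binaries named above, as an added example (not Sygnia's or BleepingComputer's tooling): the file paths are typical Debian-family locations and are assumptions, and demo_tamper_detection() rehearses the check on constructed files rather than real system binaries.

```python
"""Hash-pin the Linux authentication stack that Operation Highland replaced
(the PAM library and modules, plus OpenSSH's ssh, sshd and scp) and re-verify it.
Added example, not Sygnia's or BleepingComputer's tooling; paths are assumptions."""
import hashlib, os, stat, tempfile

CRITICAL_PATHS = [  # typical Debian-family locations (assumed); adjust per distro
    "/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/scp",
    "/lib/x86_64-linux-gnu/libpam.so.0", "/lib/x86_64-linux-gnu/security/pam_unix.so",
]

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(paths):
    """Digest plus permission bits for each file that exists. Store the result OFF
    the host: a baseline kept on the same box can be edited along with the binaries."""
    baseline = {}
    for p in paths:
        if os.path.isfile(p):
            baseline[p] = {"sha256": sha256_file(p), "mode": stat.S_IMODE(os.stat(p).st_mode)}
    return baseline

def verify(baseline):
    """Return (path, finding) pairs for every file that drifted from the baseline."""
    findings = []
    for p, rec in baseline.items():
        if not os.path.isfile(p):
            findings.append((p, "missing"))
        elif sha256_file(p) != rec["sha256"]:
            findings.append((p, "content changed"))
        elif stat.S_IMODE(os.stat(p).st_mode) != rec["mode"]:
            findings.append((p, "mode changed"))
    return findings

def demo_tamper_detection():
    """Offline rehearsal on constructed files; returns (clean_findings, tampered_findings)."""
    d = tempfile.mkdtemp()
    sshd, pam = os.path.join(d, "sshd"), os.path.join(d, "pam_unix.so")
    for f in (sshd, pam):
        with open(f, "wb") as fh:
            fh.write(b"legitimate build")  # constructed stand-in for a real binary
        os.chmod(f, 0o755)
    baseline = build_baseline([sshd, pam, os.path.join(d, "absent")])
    clean = verify(baseline)
    with open(sshd, "wb") as fh:
        fh.write(b"trojaned build")  # simulated binary replacement
    os.chmod(pam, 0o4755)  # simulated permission tampering (setuid bit added)
    return clean, verify(baseline)
```

rpm -V and dpkg --verify perform a comparable check against the package database, but that database sits on the same host as the binaries; a baseline kept off-host, or a read-only boot medium to run the check from, closes that gap.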

The Velvet Ant operation is a reminder that adversaries with sufficient motivation and time will find ways around physical isolation. The gold standard of air-gap security only holds if the software running inside that perimeter is continuously verified to be what it claims to be.

Originally reported by BleepingComputer. Read the original article for additional details.