321/69 Monday, June 15, 2026

Researchers have disclosed details of Operation Highland, a long-running cyber espionage campaign linked to the Velvet Ant threat group. The attackers were able to infiltrate and maintain access within target organizations' networks, including critical infrastructure environments that were isolated from direct Internet connectivity, for up to 10 years. The intrusion reportedly began through Internet-facing systems, which were then used as stepping stones to reach internal networks that were not directly accessible from the outside.
The threat actors employed a variety of tools and techniques to maintain persistence and move laterally throughout compromised environments. These included a modified GS-Netcat-based reverse shell, a SOCKS5 proxy for relaying internal network traffic, and customized Nginx configurations that enabled command execution within segmented networks. Researchers also identified modifications to critical authentication components such as PAM (Pluggable Authentication Modules) and OpenSSH, which were altered to install backdoors capable of stealing user credentials, recording administrator commands, and preserving attacker access even after password changes or session terminations.
Recovering affected systems can be particularly challenging because the attackers replaced multiple core system components with tampered versions. Removing or replacing these files without proper planning could disrupt authentication services, lock administrators out of systems, or negatively impact operational continuity. Organizations are therefore advised to strengthen monitoring and protection of authentication-related components such as PAM, OpenSSH, and Windows LSASS by implementing Endpoint Detection and Response (EDR) solutions, File Integrity Monitoring (FIM), strict administrative access controls, Multi-Factor Authentication (MFA), and continuous monitoring for unauthorized file modifications. In addition, organizations should maintain tested offline backups and establish comprehensive recovery plans to support incident response and system restoration efforts.
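The file-integrity monitoring recommended above, as an added illustration that is not part of the original report: a minimal baseline-and-verify check for authentication components. The paths in AUTH_PATHS are assumed typical Linux locations; the demo runs against a constructed temporary tree so it executes offline.

```python
"""Minimal file-integrity baseline/verify for PAM and OpenSSH components.

Added example, not code from the report or the affected vendors. AUTH_PATHS are
assumed Debian-style locations; demo() uses a constructed temporary tree.
"""
import hashlib
import os
import tempfile

# Assumed locations of authentication components worth baselining.
AUTH_PATHS = ["/etc/pam.d", "/usr/lib/x86_64-linux-gnu/security",
              "/usr/sbin/sshd", "/etc/ssh/sshd_config"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(roots):
    """Map every regular file under roots to its hash, mode bits and size."""
    out = {}
    for root in roots:
        files = [root] if os.path.isfile(root) else [
            os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs]
        for p in files:
            st = os.stat(p)
            out[p] = {"sha256": sha256_file(p),
                      "mode": oct(st.st_mode & 0o7777), "size": st.st_size}
    return out


def verify(baseline, current):
    """Report paths added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake PAM module directory, then change it."""
    with tempfile.TemporaryDirectory() as tmp:
        pam_dir = os.path.join(tmp, "security")
        os.makedirs(pam_dir)
        mod = os.path.join(pam_dir, "pam_unix.so")
        with open(mod, "wb") as f:
            f.write(b"\x7fELF-original-module")          # constructed content
        base = snapshot([pam_dir])
        with open(mod, "wb") as f:
            f.write(b"\x7fELF-replaced-module")          # existing file altered
        with open(os.path.join(pam_dir, "pam_extra.so"), "wb") as f:
            f.write(b"\x7fELF-new-module")               # unexpected new file
        result = verify(base, snapshot([pam_dir]))
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}
```

In production, store the baseline off-host (or signed) so a tampered machine cannot rewrite its own reference, and cross-check against package-manager manifests (`dpkg --verify`, `rpm -V`) as a second opinion.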
