A decade-long espionage operation attributed to the China-nexus Velvet Ant group has ended with the public disclosure of Operation Highland by Sygnia, the Israeli incident response firm that uncovered and remediated the intrusion. From 2016 to 2026, Velvet Ant maintained persistent, undetected access to a physically air-gapped enterprise network at an organisation operating in critical infrastructure by subverting the target's authentication stack, not by crossing the air gap at the network layer.
How They Did It
Velvet Ant's approach to the air-gapped network was not to bridge it directly through a network path. Instead, the group compromised systems on the connected corporate network that also authenticated users for the isolated environment, then inserted a modified Nginx web server binary into the authentication infrastructure serving both zones.
The modified Nginx binary functioned normally for authentication traffic (the change was invisible to administrators and users) while also establishing a GS-Netcat reverse shell that connected outbound to attacker-controlled infrastructure over HTTPS. A SOCKS5 proxy was chained onto that connection, allowing Velvet Ant to tunnel traffic through the authentication node and into the air-gapped network behind it.
The technique exploits a common architectural failure: organisations that air-gap operational networks frequently still require user authentication that traverses or originates from a system with both network paths. Authentication proxies, identity stores, and jump hosts are the natural bridges, and Velvet Ant used them accordingly.
What They Had Access To
Ten years of access to an air-gapped critical infrastructure network implies data theft at a scale that cannot be reconstructed from logs. Sygnia's report confirms that Velvet Ant conducted regular, systematic exfiltration of operational data, engineering documentation, and configuration data from systems within the isolated network. The specific sector and organisation have not been publicly identified, consistent with victim confidentiality agreements.
The group is linked to prior campaigns against F5 BIG-IP appliances and NX-OS devices on high-value network infrastructure: a pattern of targeting network and authentication components rather than endpoints, which reduces exposure to conventional endpoint detection tools.
Why a Decade Went Undetected
The persistence mechanisms Velvet Ant chose are instructive. A modified binary in the authentication stack is resistant to most detection methods that organisations apply to air-gapped networks:
- Endpoint detection was deployed on isolated hosts, not on the authentication infrastructure serving the gap boundary
- Network monitoring focused on the air-gapped segment, not on outbound HTTPS from the authentication proxy, which blended with legitimate administrative traffic
- No integrity monitoring was applied to the Nginx binary or its parent processes
- Log correlation between the corporate network and the isolated segment did not cover the authentication node as a pivot point
The result was a decade-long blind spot that had nothing to do with Velvet Ant's technical sophistication and everything to do with where the victim concentrated its monitoring.
Recommended Actions
For organisations that rely on air gaps as a primary isolation control:
- Inventory all systems that have authentication relationships with both air-gapped and connected zones. These are the natural pivot points and require the same hardening as the isolated segment itself.
- Apply file integrity monitoring to binaries on authentication proxies, VPN concentrators, and jump hosts. These components are high-value targets precisely because they are trusted infrastructure.
- Monitor outbound connections from authentication infrastructure. Legitimate Nginx, PAM, or LDAP proxy processes should not establish outbound reverse shells; baseline normal behaviour and alert on deviations.
- Segment authentication infrastructure where possible. Dedicated domain controllers or authentication proxies that serve only the isolated segment, with no connectivity back to the general corporate network, eliminate the pivot path.
- Conduct threat hunts specifically for binary tampering on network-adjacent authentication systems. Standard vulnerability scans will not detect a modified legitimate binary.
- Treat air-gapped networks as requiring the same continuous monitoring as connected environments, not reduced monitoring. Isolation eliminates some attack paths; it does not eliminate the need for detection.
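The file integrity and outbound-monitoring recommendations above can be expressed as a small detection check, and the script below does so for the two gaps that mattered most in this case: a tampered Nginx binary on the authentication node, and a server process on that node originating HTTPS connections to the outside. This is an added example written for this article; it is not code from Sygnia's report or from any product. The binary paths, file contents, allowlisted upstream network and connection records are all constructed sample data, and the allowlist format is a simplification of what a real file integrity monitoring or network sensor policy would hold.

```python
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass

# --- Part 1: file integrity check for binaries on the authentication node ---

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_integrity(baseline: dict[str, str], current: dict[str, bytes]) -> list[str]:
    """Compare binaries present on the host against a baseline manifest.

    baseline: path -> sha256 hex recorded at deployment time (stored off-host).
    current:  path -> bytes read from the host now.
    Returns human-readable findings; an empty list means clean.
    """
    findings = []
    for path, content in current.items():
        actual = sha256_hex(content)
        expected = baseline.get(path)
        if expected is None:
            findings.append(f"{path}: not in baseline manifest")
        elif actual != expected:
            findings.append(f"{path}: hash mismatch (expected {expected[:12]}..., got {actual[:12]}...)")
    for path in baseline:
        if path not in current:
            findings.append(f"{path}: listed in baseline but missing from host")
    return findings

# --- Part 2: outbound-connection policy for authentication-stack processes ---

@dataclass(frozen=True)
class Conn:
    process: str
    direction: str      # "out" means the local process originated the connection
    remote_ip: str
    remote_port: int

# Destinations each policed process is permitted to originate connections to.
# Any other outbound connection from these processes is a finding, regardless
# of whether the destination is on a blocklist. Values are constructed.
OUTBOUND_POLICY: dict[str, set[tuple[ipaddress.IPv4Network, int]]] = {
    "nginx": {(ipaddress.ip_network("10.20.0.0/24"), 8443)},  # its configured upstream
    "slapd": set(),                                           # LDAP server never dials out
    "sshd": set(),                                            # jump-host daemon never dials out
}

def is_allowed(conn: Conn) -> bool:
    ip = ipaddress.ip_address(conn.remote_ip)
    return any(ip in net and conn.remote_port == port for net, port in OUTBOUND_POLICY[conn.process])

def flag_outbound(conns: list[Conn]) -> list[Conn]:
    """Return connections originated by a policed process that violate its allowlist."""
    return [c for c in conns
            if c.direction == "out" and c.process in OUTBOUND_POLICY and not is_allowed(c)]

# --- Constructed sample data standing in for host telemetry ---

BASELINE = {
    "/usr/sbin/nginx": sha256_hex(b"nginx-build-vendor"),
    "/usr/sbin/slapd": sha256_hex(b"slapd-build-vendor"),
}
HOST_NOW = {
    "/usr/sbin/nginx": b"nginx-build-vendor+modified",   # tampered binary
    "/usr/sbin/slapd": b"slapd-build-vendor",
}
SAMPLE_CONNS = [
    Conn("nginx", "in", "10.10.1.15", 443),         # user authenticating: expected
    Conn("nginx", "out", "10.20.0.7", 8443),        # upstream backend: allowlisted
    Conn("nginx", "out", "203.0.113.10", 443),      # web server dialing out over HTTPS: finding
    Conn("slapd", "out", "198.51.100.22", 443),     # LDAP daemon dialing out: finding
    Conn("sshd", "in", "10.10.1.40", 22),           # admin SSH session: expected
]

def run() -> dict:
    return {"integrity": check_integrity(BASELINE, HOST_NOW),
            "outbound": flag_outbound(SAMPLE_CONNS)}

if __name__ == "__main__":
    result = run()
    for finding in result["integrity"]:
        print("INTEGRITY:", finding)
    for conn in result["outbound"]:
        print("OUTBOUND:", conn)
```

In a real deployment the baseline manifest is recorded at build or deployment time and kept off the monitored host, so that a replaced binary cannot also rewrite its own reference hash, and the connection records come from socket telemetry rather than a list. The design point matches the article: the alert condition is a server process originating a connection at all, not the destination being known-bad, which is why attacker traffic blending into legitimate HTTPS does not help it.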