Ten Years Inside an Air-Gapped Network: Velvet Ant's Operation Highland
Velvet Ant spent a decade inside an air-gapped critical-infrastructure network by backdooring Linux PAM and OpenSSH. Why the air gap is not the control you think it is.
The air gap is the control everyone reaches for when the data is too important to lose. No internet route in, no route out, therefore no remote attacker — that is the mental model that justifies isolating a critical-infrastructure network in the first place. Operation Highland is the case study that breaks it. According to Sygnia's report published on June 13, 2026, the China-nexus group tracked as Velvet Ant lived inside a large organisation's isolated critical-infrastructure network for roughly ten years — forensic artefacts date the earliest activity to 2016 — and was watching every administrative login and every command typed for most of that decade. They did it without a single novel exploit, without dropping anything a malware scanner would flag, and without any direct connection to the segregated network ever existing — a campaign BleepingComputer reported on the same day the research went public.
This article is about how an air gap fails in practice, why the failure is invisible to the host-based controls most isolated networks rely on, and what is actually left to detect it with. The short version: the attacker compromised the one thing every Linux host trusts by default — the authentication stack itself — and the only place their activity ever became observable was on the wire.
The air gap that wasn't
An air gap is a network-topology claim: there is no path between the sensitive network and the outside world. Velvet Ant did not break that claim by finding a hidden cable. They built a logical path on top of trusted infrastructure that nobody was inspecting.
Per Sygnia's analysis, the bridge worked like this. An internet-facing Nginx server was configured to proxy requests to a compromised backend. That backend ran a FastCGI wrapper (fcgiwrap) which executed a custom binary the attacker had planted, named to look like a routine uptime utility. The binary opened SSH connections to targets inside the isolated network based on parameters carried in an HTTP POST. The chain is worth stating plainly: a normal-looking HTTP request hit a normal-looking web server, and three hops later a command executed on a machine that, on the network diagram, had no way to reach the internet.
Auditor: "Show me the firewall rule that lets the DMZ talk to the OT segment." Engineer: "There isn't one. That's the point — they're air-gapped." Auditor: "Then how did a POST to the public web server end up running bash on a PLC controller?"
That exchange is the entire failure. The air gap was real at the routing layer and meaningless at the application layer, because the attacker turned trusted, internet-facing infrastructure into a relay. No rule was broken. A rule was composed out of pieces nobody was looking at together.
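One way a defender watching the DMZ web host can surface the relay chain described above (an added example, not code from Sygnia or from the page's vendor; the handler list, the process names and the constructed process table are assumptions):

```python
"""Flag ssh clients spawned beneath a web request handler.

Added example, not from the Sygnia report: the relay described above
(nginx -> fcgiwrap -> planted 'uptime' binary -> ssh) appears on the DMZ
web host as an ssh process whose ancestry runs through the FastCGI
wrapper. The process table below is constructed for illustration.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid comm")

WEB_HANDLERS = {"fcgiwrap", "nginx", "php-fpm", "apache2"}  # assumed list
SSH_CLIENTS = {"ssh", "scp", "sftp"}

# Constructed snapshot of a DMZ web host's process table.
SAMPLE_PROCS = [
    Proc(1, 0, "systemd"),
    Proc(900, 1, "nginx"),
    Proc(950, 1, "fcgiwrap"),    # socket-activated, so not a child of nginx
    Proc(1200, 950, "uptime"),   # planted binary named like a utility
    Proc(1201, 1200, "ssh"),     # the hop into the isolated segment
    Proc(2000, 1, "sshd"),
    Proc(2001, 2000, "bash"),
    Proc(2002, 2001, "ssh"),     # an admin hopping from an interactive shell
]

def ancestry(by_pid, pid):
    """Return comm names from the process up to init, leaf first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].comm)
        pid = by_pid[pid].ppid
    return chain

def relay_chains(procs):
    """Return 'root -> ... -> ssh' strings for ssh clients under a web handler."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.comm in SSH_CLIENTS:
            chain = ancestry(by_pid, p.pid)
            if WEB_HANDLERS & set(chain[1:]):
                hits.append(" -> ".join(reversed(chain)))
    return hits
```

On a live Linux host the same records come from the pid, ppid and comm fields of /proc/[pid]/stat; the admin's ssh hop under sshd is deliberately left unflagged.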
Backdooring the authentication stack: no exploit to catch
The reason this persisted for a decade is that Velvet Ant did not attack the network's defences — they attacked its trust. The persistence lived inside the components that every Linux host uses to decide who is allowed in and what they may do.
- Pluggable Authentication Modules (PAM). Sygnia identified nine distinct backdoored pam_unix.so variants, each compiled in a separate environment. One class simply accepted a hardcoded backdoor password and wiped it from memory; another accepted the password Pamauth@123456 and logged every real username and password it saw to /usr/sbin/.ssh.log. RPATH strings in the binaries even leaked the developers' build paths, like /home/kevin/Desktop/Linux-PAM-{version}/libpam/.libs.
- OpenSSH. Modified ssh, sshd and scp binaries captured credentials into encrypted files at paths such as /usr/share/man9/ph/.ph.man, keylogged every command, stored it encrypted in timestomped directories, and exposed a custom -d flag the operator could use to suppress their own logging during a session.
- Tunnelling tools that look like daemons. A modified GS-Netcat reverse shell sat in /usr/sbin/asauditdb, masquerading as the kernel thread [khubd] and reaching out via the Global Socket Relay Network. A custom Perl SOCKS5 proxy ran disguised as smbd -D, enabling lateral movement host to host.
Sygnia's own framing is the line every defender should sit with: "the attacker had no novel exploit to catch; no clearly malicious binary dropping into a monitored directory." A backdoored pam_unix.so behaves perfectly normally for legitimate users. It generates no anomalous log entry — it is the thing that writes the logs. There is no CVE to patch, no signature to match, no EDR alert to fire, because the malicious behaviour is indistinguishable from the most routine event on the system: someone logging in.
Why the air gap is a detection problem, not a security control
This is the conceptual shift Operation Highland forces. An air gap is sold as prevention. In reality it is a bet that you will never need to detect anything, because nothing can get in. Once that bet is lost — and it was lost here through trusted-infrastructure relaying, not a topology break — the isolated network is the worst place to be blind, because it is precisely where organisations skimp on monitoring on the theory that it is unreachable.
Velvet Ant has a documented history of exactly this patience. In an earlier campaign Sygnia disclosed in June 2024, the same actor maintained roughly three years of access by hiding inside two internet-facing F5 BIG-IP load balancers — adding their VELVETSTING and VELVETTAP tools to /etc/rc.local and pivoting from the appliance to internal PlugX-infected file servers. The pattern repeats: live inside the network device or the system component that is trusted by default and rarely inspected — the load balancer, the switch, the login library — and wait.
Set the dwell time against the industry baseline. Mandiant's M-Trends puts the global median dwell time at roughly eleven days. Velvet Ant's was about 3,650. The gap is not a tuning problem you fix with a faster SIEM rule. It is the difference between a control that watches and a control that assumes.
| The control they relied on | What it was supposed to do | Why it saw nothing |
|---|---|---|
| Air-gap topology | Prevent any remote access | Bypassed via Nginx → FastCGI → SSH relay over trusted infrastructure |
| Host EDR / AV | Flag malicious binaries | No malicious dropper; backdoors live inside pam_unix.so, sshd |
| Authentication logs | Record who logged in | Written by the backdoored auth stack; attacker logins look legitimate |
| Patch / vuln management | Close exploitable CVEs | No exploit used — the persistence is trust abuse, not a vulnerability |
| Periodic audit | Verify segmentation holds | Point-in-time; the relay is a runtime behaviour, invisible between audits |
Everything in the left column lives on, or trusts, the compromised host. None of it survives an adversary who owns the authentication layer.
Watching the wire inside the air gap
Here is the asymmetry Velvet Ant could not engineer away. They silenced the logs, hid inside trusted binaries, and produced no malware artefact — but they still had to move. Every backdoored login that mattered, every lateral hop through the smbd -D SOCKS5 proxy, every uptime-binary SSH connection from the bridge into the segment, every GS-Netcat callout to the relay network — all of it is a network conversation. The attacker controlled what the hosts recorded about themselves. They did not control the shape of the traffic between hosts.
And that traffic has a shape that routine administration does not produce. On an isolated network that is supposed to have a small, predictable set of internal flows, the tells are stark:
- a "web" server in the DMZ opening SSH sessions into the segmented network on a schedule no human set;
- one internal host SOCKS-proxying connections onward to many others in a fan-out a real administrator never generates;
- long-lived encrypted sessions to a host that, historically, only ever received traffic;
- a daemon named like a Samba process speaking a protocol that is not SMB.
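The four tells above written as a small rule set over flow records (an added example, not from the Sygnia report or from any product; the subnets, thresholds and the constructed Zeek-style records are assumptions):

```python
"""Score flow records inside the segment for the tells listed above.

Added example, not from the report or from any product: a handful of
rules over constructed Zeek-style conn records. The subnets, thresholds
and sample flows are assumptions chosen for illustration.
"""
import ipaddress
from collections import defaultdict

DMZ = ipaddress.ip_network("10.10.0.0/24")       # internet-facing web tier
ISOLATED = ipaddress.ip_network("10.99.0.0/16")  # the segment with no route out
FANOUT_LIMIT = 5          # distinct isolated peers from one source host
LONG_SESSION_S = 3600     # encrypted session longer than an hour
EXPECTED_SERVICE = {22: "ssh", 445: "smb", 443: "ssl"}  # port -> protocol

# Constructed records: (orig_h, resp_h, resp_p, service, duration_s)
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.99.1.20", 22, "ssh", 42.0),      # web tier into isolated
    ("10.99.1.20", "10.99.1.21", 22, "ssh", 3.0),      # one host hopping to many
    ("10.99.1.20", "10.99.1.22", 22, "ssh", 3.0),
    ("10.99.1.20", "10.99.1.23", 22, "ssh", 3.0),
    ("10.99.1.20", "10.99.1.24", 22, "ssh", 3.0),
    ("10.99.1.20", "10.99.1.25", 22, "ssh", 3.0),
    ("10.99.1.60", "10.99.1.20", 445, "socks", 3.0),   # SOCKS where SMB belongs
    ("10.99.1.30", "10.99.1.40", 22, "ssh", 7200.0),   # two-hour ssh session
    ("10.99.1.50", "10.99.1.60", 445, "smb", 12.0),    # genuine file share
]

def score_flows(flows):
    """Return (rule, detail) findings; an empty list means nothing stood out."""
    findings, peers = [], defaultdict(set)
    for orig, resp, port, service, duration in flows:
        o, r = ipaddress.ip_address(orig), ipaddress.ip_address(resp)
        if o in DMZ and r in ISOLATED:
            findings.append(("dmz_to_isolated", f"{orig} -> {resp}:{port}"))
        if r in ISOLATED:
            peers[orig].add(resp)
        expected = EXPECTED_SERVICE.get(port)
        if expected and service not in ("-", expected):
            findings.append(("service_mismatch", f"{resp}:{port} speaks {service}"))
        if service in ("ssh", "ssl") and duration > LONG_SESSION_S:
            findings.append(("long_encrypted_session", f"{orig} -> {resp} {duration:.0f}s"))
    for host, dsts in peers.items():
        if len(dsts) >= FANOUT_LIMIT:
            findings.append(("lateral_fanout", f"{host} -> {len(dsts)} hosts"))
    return findings
```

The fan-out rule counts distinct peers over the whole input; in production it would be bounded to a time window and baselined against each host's history.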
This is the exact problem Zero Hunt's AI Traffic Analysis pillar was built for. A proprietary deep-learning model, trained on billions of PCAP sequences, runs four parallel inference heads — suspicious traffic, malware classification, attack-type identification, application fingerprinting — directly on the appliance GPU at 2.7+ Gbit/s. It does not need a signature for Velvet Ant; it scores behaviour. The relay path from DMZ into the isolated segment, the SOCKS5 lateral fan-out, the encrypted tunnel that does not match the application claiming to own the port — these are anomalies on the wire regardless of how clean the host looks, because the detector is not on the host the attacker owns.
The deployment detail is what makes this usable in the environment Velvet Ant chose. Zero Hunt runs as a 100% on-prem appliance with no cloud callbacks, no external telemetry, and full air-gap support — updates delivered by signed offline bundle. A detection or validation tool that phones home to a SaaS backend cannot run in a genuinely isolated network at all; it is excluded by the same property the defender is trying to protect. The irony of Operation Highland is that the air gap kept out the defensive tooling more reliably than it kept out the attacker.
The front half of the story belongs to the second pillar. The whole intrusion turned on an internet-facing Nginx/FastCGI path that could be made to reach inward, and on an authentication stack nobody had assumed-breach-tested. Zero Hunt's 10-agent generative pentest validates that surface continuously rather than at audit time: the Recon and Exploit agents probe the exposed web tier for exactly the request-relaying conditions the bridge depended on, and the Pivot and Post-Exploit agents rehearse the path from a foothold into the supposedly isolated segment — finding the logical route across the air gap before a patient adversary does. Every chain is backtested in the AI Gym before it runs, and every finding is ECDSA-signed for the audit trail an essential-entity regulator will eventually ask for.
An air gap stops a packet. It does not stop a relay built from trusted infrastructure, and it does not detect a tenant who has owned the login system for a decade. If your isolated networks are protected by topology and a yearly audit, that is the conversation to have; for how the air-gapped appliance is architected, see the platform overview. The adjacent failure mode — long, silent dwell measured in years rather than days — is covered in our analysis of the 858-day dwell time at UNMC.