The Velvet Ant group, linked to China, operated undetected within an organization's network for nearly a decade, as uncovered by Sygnia's incident response team in a campaign named Operation Highland. Among other techniques, the attackers exploited a Cisco NX-OS vulnerability (CVE-2024-20399, a command injection in the NX-OS CLI that lets an authenticated administrator run arbitrary commands as root on the underlying Linux OS) to implant a backdoor (VELVETSHELL) on critical network infrastructure. They executed a three-stage infiltration process, bypassing traditional security measures without resorting to phishing.
Notably, they replaced authentication modules with backdoored versions, circumventing normal access controls, and used modified SSH binaries to log credentials. The operation highlights that network isolation does not guarantee security and underscores the need for diligent monitoring of crucial authentication systems: a swapped PAM module or SSH binary keeps the same name, path and often the same size, so only a content-level integrity check against a baseline kept off the compromised host will reveal it.
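The swapped-authentication-module technique is what the monitoring should target. The following is an added example (not Sygnia's tooling or anything from the report): a small integrity baseline for authentication-critical files that records SHA-256, size and mode, then flags files whose content or permissions no longer match. The paths in DEFAULT_PATHS are assumptions about a stock Linux layout; the demo works on constructed files in a temporary directory so it runs anywhere, and deliberately replaces the fake module with one of identical size to show why a size or timestamp check alone is not enough.

```python
#!/usr/bin/env python3
"""Integrity baseline for authentication-critical files (PAM modules, SSH binaries).

Added example, not Sygnia's code. DEFAULT_PATHS are assumed stock Linux
locations; demo() uses constructed files in a temp directory.
"""
import hashlib
import json
import os
import tempfile

# Files an intruder swaps to bypass authentication or capture credentials.
# Assumed locations for Debian/RHEL style systems, not taken from the report.
DEFAULT_PATHS = [
    "/lib/x86_64-linux-gnu/security/pam_unix.so",
    "/lib64/security/pam_unix.so",
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/etc/pam.d/sshd",
    "/etc/pam.d/common-auth",
]


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record hash, size and mode for every path that exists.

    Store the result off-host (read-only media or another system): a baseline
    that a root-level intruder can rewrite proves nothing.
    """
    baseline = {}
    for p in paths:
        if os.path.exists(p):
            st = os.stat(p)
            baseline[p] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def verify_baseline(baseline):
    """Compare live files with the baseline.

    Returns a dict path -> "ok", "modified", "mode_changed" or "missing".
    Content is checked before mode, so a replaced binary is always "modified".
    """
    results = {}
    for p, rec in baseline.items():
        if not os.path.exists(p):
            results[p] = "missing"
            continue
        st = os.stat(p)
        if hash_file(p) != rec["sha256"]:
            results[p] = "modified"
        elif (st.st_mode & 0o7777) != rec["mode"]:
            results[p] = "mode_changed"
        else:
            results[p] = "ok"
    return results


def demo():
    """Run the check on constructed files: a fake pam_unix.so gets swapped out."""
    with tempfile.TemporaryDirectory() as d:
        pam = os.path.join(d, "pam_unix.so")
        sshd = os.path.join(d, "sshd")
        with open(pam, "wb") as f:
            f.write(b"\x7fELF original pam_unix module")  # constructed stand-in
        with open(sshd, "wb") as f:
            f.write(b"\x7fELF original sshd")             # constructed stand-in
        baseline = build_baseline([pam, sshd])
        # Simulate the swap: same length as the original, different content,
        # so a size-only comparison would miss it.
        with open(pam, "wb") as f:
            f.write(b"\x7fELF backdoor pam_unix module")
        results = verify_baseline(baseline)
        return {os.path.basename(k): v for k, v in results.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice, build the baseline from a known-good image, keep it outside the monitored host, and run verify_baseline on a schedule or from a forensic boot; package-manager verification (rpm -V, dpkg --verify) gives a similar content check but relies on a package database the same intruder can edit.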