www.sygnia.co
Operation Highland: Velvet Ant's Decade-Long Espionage Campaign
Operation Highland, attributed to the Velvet Ant cyberespionage group, was a sophisticated intrusion that began in 2016 and persisted undetected for a decade. The attackers hijacked the authentication stack of a major organization's isolated network, giving them full visibility into administrative activity. The intrusion started with the compromise of vulnerable internet-facing systems, followed by a pivot into an air-gapped environment. Velvet Ant exploited CVE-2024-20399, a zero-day vulnerability in Cisco NX-OS, and used a modified GS-Netcat reverse shell for remote access. The attackers established a remote execution path into the isolated network, enabling long-term persistence and credential theft. The campaign highlights the difficulty of securing critical infrastructure against advanced persistent threats. Current status indicates ongoing investigations and heightened awareness of the threat posed by Velvet Ant.
Key Points:
• Velvet Ant maintained a decade-long presence in a critical infrastructure network.
• The attack exploited CVE-2024-20399 in Cisco NX-OS for initial access.
• A modified GS-Netcat reverse shell was used to establish remote execution capabilities.