COSMICBYTEZLABS
© 2026 CosmicBytez Labs. All rights reserved.

NEWS

Chinese Hackers Hijack Auth Flow, Spy on Isolated Network for a Decade


Dylan H.

News Desk

June 13, 2026
7 min read

Chinese state-sponsored hackers compromised a target organization's authentication stack and maintained undetected access for close to ten years, with full visibility into every administrative action taken on the network. The campaign, detailed by BleepingComputer on June 13, 2026, represents one of the most sophisticated and longest-running documented persistence operations by a China-linked threat actor.

The attackers didn't just breach the network — they took ownership of the infrastructure that decides who is trusted on it.

The Core Technique: Owning Authentication

Rather than deploying malware at the application or user-space level where defenders are more likely to look, the Chinese hackers targeted the authentication flow itself — the identity verification layer that all other access controls depend on.

By compromising authentication infrastructure, the group achieved:

  1. Universal credential visibility — every login attempt across every system passed through attacker-controlled code, exposing credentials in real time
  2. Invisible persistence — attacker access looked indistinguishable from legitimate administrator sessions in logs
  3. Control over trust decisions — the group could grant or deny access to any account on the network
  4. Surveillance of all administrative activity — every privileged action taken by legitimate administrators was visible to the attackers

This is not simply gaining a foothold — it is achieving a position above all other identities on the network.

Ten Years of Undetected Access

The threat actor maintained this level of access for approximately ten years before detection. This dwell time is exceptional even by APT standards and reflects several compounding factors:

Factor                               Impact
Authentication-layer positioning     Evades virtually all conventional monitoring
Log manipulation capability          Can suppress or forge authentication events
Passive intelligence collection      No noisy lateral movement required once auth is owned
Air-gap / isolation assumption       Organization believed the network was protected
Limited binary integrity monitoring  Auth software rarely included in FIM programs

The ten-year timeline suggests the attackers were engaged in strategic intelligence collection — patiently accumulating information over years rather than conducting rapid data exfiltration. This is consistent with Chinese state-sponsored espionage objectives that prioritize long-term geopolitical and economic intelligence.

The Isolated Network Paradox

A particularly notable aspect of this campaign is that the compromised network was isolated — designed to be protected from external threats. The attackers either bridged the isolation through a separate initial compromise or established the foothold before the network was fully segmented.

This highlights a critical lesson: network isolation is not a substitute for internal security controls. An isolated network with compromised authentication infrastructure is, in effect, a fully transparent network from the attacker's perspective — every action visible, every credential captured, every privileged session monitored.

Attack Methodology

While specific technical details of this particular campaign are limited in public reporting, Chinese APT groups targeting authentication infrastructure typically employ a consistent pattern:

Phase 1: Initial Foothold

  • Spearphishing targeting system administrators or IT staff
  • Exploitation of externally-facing services (VPN appliances, web applications, mail gateways)
  • Supply chain compromise via a trusted software or hardware vendor

Phase 2: Authentication Infrastructure Targeting

Once initial access is established, the group pivots to authentication components:

  • Directory services (Active Directory, LDAP implementations)
  • Authentication proxies and identity providers
  • Kerberos infrastructure — the Golden Ticket / Diamond Ticket technique
  • PAM and SSH components on Linux systems
  • RADIUS servers used for network device authentication

Phase 3: Long-Term Persistence

Authentication Ownership → Credential Harvesting → Administrative Surveillance
         ↓
    Passive Collection Over Years
         ↓
    Strategic Intelligence Value

Phase 4: Lateral Movement When Needed

With authentication fully controlled, lateral movement becomes trivial and leaves minimal anomalous traces — the attacker's access appears as legitimate administrator activity.

Why This Is Extremely Difficult to Detect

Authentication infrastructure compromise creates a fundamental detection problem:

Trust anchors are compromised. Security tools that rely on authentication integrity — EDR agent authentication, SIEM event signing, privileged access management systems, multi-factor authentication solutions — can all be manipulated by an attacker who controls the authentication layer.

Log forgery is possible. When the system that produces security logs is itself compromised, the integrity of those logs cannot be assumed. An attacker in this position can suppress their own activity while generating convincing decoy entries.

Behavioral baselines are corrupted. UEBA (User and Entity Behavior Analytics) systems that learn "normal" patterns may incorporate ten years of attacker activity into their baseline, making the compromise invisible to anomaly detection.

The "legitimate" appearance of access. Authentication-layer persistence produces login events that look identical to legitimate administrator sessions — correct account names, expected source addresses (if the attacker routes through the authentication system), and appropriate privilege levels.

Detection Approaches

Despite the difficulty, several detection strategies can surface authentication-layer compromises:

Cryptographic Integrity Verification

# Verify directory services binaries against known-good hashes
# For Active Directory DCs, compare NTDS binaries against known-good installation
Get-FileHash C:\Windows\System32\ntdsai.dll
Get-FileHash C:\Windows\System32\lsass.exe
 
# Compare against values from a verified, clean baseline
# Any deviation warrants immediate investigation
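The hash commands above only produce values; the control is the comparison against a baseline captured from a verified-clean installation and stored somewhere the authentication server cannot rewrite. The following Python script is an added example, not code from the article, showing that comparison end to end: it records a baseline, then re-verifies after one file has been altered and another removed. The file names echo the DCs' binaries named above, but the contents are constructed dummy bytes written to a temporary directory, and "authplugin.dll" is a hypothetical module used only to show the "missing" case.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_baseline(baseline, root):
    """Compare every file listed in the baseline with its recorded hash.

    baseline: {relative_path: expected_sha256_hex} captured from a verified-clean install
    root:     directory the relative paths are resolved against
    Returns a sorted list of (relative_path, status), status in {"ok", "modified", "missing"}.
    """
    findings = []
    for rel_path, expected in sorted(baseline.items()):
        path = os.path.join(root, rel_path)
        if not os.path.isfile(path):
            findings.append((rel_path, "missing"))
            continue
        actual = sha256_file(path)
        # Constant-time comparison; both sides are fixed-length hex strings.
        status = "ok" if hmac.compare_digest(actual, expected.lower()) else "modified"
        findings.append((rel_path, status))
    return findings


def deviations(findings):
    """Everything that is not 'ok' warrants investigation."""
    return [f for f in findings if f[1] != "ok"]


def demo():
    """Constructed scenario: baseline three dummy 'binaries', then tamper with one and
    delete another before re-verifying. Contents are placeholder bytes, not real DLLs."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "System32/lsass.exe": b"clean lsass image (constructed)",
            "System32/ntdsai.dll": b"clean ntdsai image (constructed)",
            "System32/authplugin.dll": b"hypothetical auth module (constructed)",
        }
        for rel_path, data in files.items():
            path = os.path.join(root, rel_path)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        # The baseline would normally be exported to an isolated host at build time.
        baseline = {rel: sha256_file(os.path.join(root, rel)) for rel in files}

        # Simulate a modified authentication binary and a removed module.
        with open(os.path.join(root, "System32/ntdsai.dll"), "ab") as fh:
            fh.write(b" + unexpected bytes")
        os.remove(os.path.join(root, "System32/authplugin.dll"))

        return verify_baseline(baseline, root)


if __name__ == "__main__":
    for rel_path, status in demo():
        print(f"{status:8s} {rel_path}")
```

The baseline dictionary is the part that matters operationally: if it lives on the domain controller, an attacker who owns that host can regenerate it after patching a binary, so export it (and ideally sign it) to the same isolated collector used for out-of-band logging.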

Out-of-Band Authentication Monitoring

Deploy authentication logging to a separate, isolated system that the primary authentication infrastructure cannot reach or modify:

Authentication Events → Out-of-Band Syslog Collector (isolated)
                     → Comparison with in-band logs
                     → Delta analysis for suppressed events

Discrepancies between out-of-band and in-band authentication logs indicate log manipulation.

Kerberos Ticket Analysis

For Active Directory environments, monitor for indicators of Golden/Diamond Ticket usage:

# Monitor for tickets with unusual lifetimes or forged PAC data
# Event IDs 4768, 4769, 4771 — Kerberos ticket activity
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768,4769,4771} -MaxEvents 1000
# Look for tickets issued outside normal business hours for service accounts
# Check for tickets with lifetimes exceeding domain policy maximums
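Two of the checks listed above can be expressed as plain rules over exported data. The Python below is an added example, not code from the article: the lifetime check runs over ticket records in the shape of a klist-style dump (4768/4769 events do not carry the ticket lifetime, so that has to come from the tickets themselves), and the off-hours check runs over 4768-style event records. The policy maximums, the business-hours window, the service-account list and every ticket and event record are constructed assumptions; the real values come from the domain's Kerberos policy and the organisation's own schedule.

```python
from datetime import datetime, timedelta

# Assumed policy maximums. They match the Default Domain Policy defaults
# (TGT 10 hours, renewal 7 days) but must be read from the actual domain policy.
MAX_TICKET_LIFETIME = timedelta(hours=10)
MAX_RENEWAL_LIFETIME = timedelta(days=7)
BUSINESS_HOURS = (8, 18)                      # 08:00-18:00, Monday to Friday (assumption)
SERVICE_ACCOUNTS = {"svc-backup", "svc-sql"}  # constructed list of service accounts

# Constructed ticket records in the shape of a klist-style dump (not real captures).
SAMPLE_TICKETS = [
    {"client": "admin@CORP.EXAMPLE", "start": "2026-06-15T09:00:00",
     "end": "2026-06-15T19:00:00", "renew_until": "2026-06-22T09:00:00"},
    {"client": "svc-backup@CORP.EXAMPLE", "start": "2026-06-13T02:15:00",
     "end": "2036-06-11T02:15:00", "renew_until": "2036-06-11T02:15:00"},
]

# Constructed 4768 (TGT request) and 4769 (service ticket request) style events.
SAMPLE_EVENTS = [
    {"id": 4768, "TargetUserName": "svc-backup", "IpAddress": "10.0.5.23",
     "TimeCreated": "2026-06-13T02:15:00"},   # Saturday, 02:15
    {"id": 4768, "TargetUserName": "svc-backup", "IpAddress": "10.0.5.23",
     "TimeCreated": "2026-06-15T10:30:00"},   # Monday, 10:30
    {"id": 4769, "TargetUserName": "jdoe", "IpAddress": "10.0.7.44",
     "TimeCreated": "2026-06-15T03:00:00"},   # interactive user, not a service account
]


def _ts(value):
    return datetime.fromisoformat(value)


def ticket_findings(tickets, max_life=MAX_TICKET_LIFETIME, max_renew=MAX_RENEWAL_LIFETIME):
    """Flag tickets whose lifetime or renewal window exceeds the policy maximums.
    Returns [(client, [reason, ...]), ...]; a forged ticket typically exceeds both."""
    findings = []
    for t in tickets:
        start, end, renew = _ts(t["start"]), _ts(t["end"]), _ts(t["renew_until"])
        reasons = []
        if end - start > max_life:
            reasons.append(f"lifetime {end - start} exceeds policy maximum {max_life}")
        if renew - start > max_renew:
            reasons.append(f"renewal window {renew - start} exceeds policy maximum {max_renew}")
        if reasons:
            findings.append((t["client"], reasons))
    return findings


def off_hours_findings(events, service_accounts=SERVICE_ACCOUNTS, hours=BUSINESS_HOURS):
    """Flag TGT requests (4768) for service accounts outside business hours or at weekends.
    Returns [(account, timestamp, source_ip), ...]."""
    findings = []
    for e in events:
        if e["id"] != 4768 or e["TargetUserName"].lower() not in service_accounts:
            continue
        when = _ts(e["TimeCreated"])
        if when.weekday() >= 5 or not (hours[0] <= when.hour < hours[1]):
            findings.append((e["TargetUserName"], e["TimeCreated"], e["IpAddress"]))
    return findings


if __name__ == "__main__":
    for client, reasons in ticket_findings(SAMPLE_TICKETS):
        print(client, "->", "; ".join(reasons))
    for account, when, src in off_hours_findings(SAMPLE_EVENTS):
        print(f"off-hours TGT request: {account} at {when} from {src}")
```

The lifetime rule is the stronger signal, because a legitimately issued ticket cannot exceed what the KDC's policy allows. The off-hours rule is a heuristic: a backup service account requesting tickets at 02:15 may be entirely normal, so the window and account list need tuning per environment before the rule is used for alerting rather than hunting.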

Network-Based Auth Flow Analysis

Monitor authentication traffic patterns independently of the authentication servers themselves:

  • RADIUS / LDAP / Kerberos flows captured at network layer
  • Compare authentication volumes against directory service logs
  • Alert on authentication activity that appears in network captures but not in server logs
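The out-of-band syslog comparison described under "Out-of-Band Authentication Monitoring" and the network-capture comparison in this section are the same delta analysis: normalise both feeds to a common key and diff the sets. The Python below is an added example, not code from the article, that does this over constructed sample lines. The line format, host names, user names and addresses are all assumptions; a real deployment would normalise whatever the sensor and the domain controller actually emit.

```python
import re
from collections import Counter

# Constructed sample lines (not from the article). Out-of-band records come from a
# network sensor writing to an isolated syslog collector; in-band records from the DC.
OUT_OF_BAND = """\
2026-06-13T02:15:07Z auth-sensor kerberos AS-REQ user=svc-backup src=10.0.5.23 dst=10.0.0.10
2026-06-15T10:30:12Z auth-sensor kerberos AS-REQ user=svc-backup src=10.0.5.23 dst=10.0.0.10
2026-06-15T10:31:40Z auth-sensor ldap BIND user=jdoe src=10.0.7.44 dst=10.0.0.10
""".splitlines()

IN_BAND = """\
2026-06-15T10:30:12Z dc01 kerberos AS-REQ user=svc-backup src=10.0.5.23
2026-06-15T10:31:40Z dc01 ldap BIND user=jdoe src=10.0.7.44
2026-06-15T11:02:03Z dc01 kerberos AS-REQ user=admin src=10.0.9.9
""".splitlines()

# <timestamp to the minute>:<sec>Z <host> <protocol> <operation> key=value ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2}Z\s+\S+\s+(?P<proto>\S+)\s+\S+\s+(?P<kv>.*)$"
)


def parse(line):
    """Normalise one line to (minute, protocol, user, source_ip); None if unparseable.
    Seconds are dropped so the two feeds match despite small clock skew."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return (m["ts"], m["proto"], fields.get("user"), fields.get("src"))


def delta(oob_lines, inband_lines):
    """Events seen out-of-band but absent in-band look suppressed; events present only
    in-band have no corroborating network evidence and may be forged or decoy entries."""
    oob = {k for k in map(parse, oob_lines) if k}
    inband = {k for k in map(parse, inband_lines) if k}
    return {
        "suppressed": sorted(oob - inband),
        "unmatched_in_band": sorted(inband - oob),
    }


def volume_by_user(lines):
    """Per-user authentication counts, for comparing feed volumes side by side."""
    return Counter(k[2] for k in map(parse, lines) if k)


if __name__ == "__main__":
    report = delta(OUT_OF_BAND, IN_BAND)
    for key in ("suppressed", "unmatched_in_band"):
        for ts, proto, user, src in report[key]:
            print(f"{key:18s} {ts} {proto} user={user} src={src}")
    print("out-of-band volume:", dict(volume_by_user(OUT_OF_BAND)))
    print("in-band volume:    ", dict(volume_by_user(IN_BAND)))
```

Bucketing to the minute is a simplification; events that straddle a minute boundary will show up as a false delta, and a production version should match within a tolerance window instead. The important property is that the out-of-band feed is written by something the authentication servers cannot reach, so a suppressed entry cannot also be suppressed there.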

Remediation If Compromise Is Suspected

Authentication infrastructure compromise requires a "nuke from orbit" remediation approach:

  1. Assume all credentials are compromised — every password and key that has authenticated against the system must be considered exposed
  2. Rebuild directory services on clean infrastructure — do not attempt in-place remediation of compromised auth systems
  3. Rotate all Kerberos keys (krbtgt) — twice, with appropriate timing, to invalidate any forged tickets
  4. Issue new certificates — treat all existing PKI certificates as potentially tainted
  5. Audit all privileged accounts — remove any accounts created during the compromise period
  6. Establish a clean authentication baseline — deploy new auth infrastructure with integrity monitoring from day one
  7. Deploy out-of-band logging on rebuilt infrastructure to prevent recurrence

The Broader Implication

This campaign demonstrates that sophisticated nation-state actors are increasingly targeting the infrastructure of trust rather than individual systems or data stores. When an adversary owns authentication, they own the entire logical access model of the organization.

For defenders, the implication is clear: authentication infrastructure must be treated with the same rigor as the crown jewels it protects. Integrity monitoring, isolated logging, cryptographic verification, and regular baseline comparison of authentication binaries are not optional — they are foundational controls for any environment with nation-state threat exposure.

References

  • BleepingComputer — Chinese hackers hijack auth flow, spy on isolated network for a decade
  • CISA — Chinese State-Sponsored Cyber Activity
  • NSA/CISA — Detecting and Preventing Web Shell Malware
  • Microsoft — Golden Ticket Attacks
