Chinese Hackers Maintain 10-Year Control Over Authentication Stack
- Chinese state-sponsored hackers maintained access to an isolated network for 10 years by hijacking a target organization's authentication stack, according to a June 13, 2026, report from BleepingComputer.
- The attackers gained control over the systems responsible for verifying user identities.
- By compromising the authentication stack, the hackers didn't need to rely on traditional malware that might be flagged by antivirus software.
Chinese state-sponsored hackers maintained access to an isolated network for 10 years by hijacking a target organization’s authentication stack, according to a June 13, 2026, report from BleepingComputer. This breach provided the attackers full visibility into administrative activity and long-term persistence within the secure environment.
The attackers gained control over the systems responsible for verifying user identities. This allowed them to monitor and manipulate the authentication flow, which is the process a system uses to confirm a user is who they claim to be before granting access to resources.
By compromising the authentication stack, the hackers didn’t need to rely on traditional malware that might be flagged by antivirus software. They instead operated within the legitimate identity management framework of the organization.
How did the hackers hijack the authentication flow?
An authentication stack consists of the various software layers—such as identity providers, directory services, and token issuers—that manage access. According to BleepingComputer, the attackers took control of this entire sequence.
When a user attempts to log in, the authentication flow validates credentials and issues a security token. By controlling this process, hackers can forge these tokens or intercept valid ones. This technique allows attackers to impersonate any user, including those with the highest level of administrative privileges, without triggering standard password-change alerts.
This method is particularly effective because the activity appears as legitimate traffic to security monitoring tools. The system sees a valid token and grants access, unaware that the token was generated by an unauthorized party.
Why is a decade of persistence significant?
Maintaining access for 10 years is an extreme outlier in cybersecurity. Most organizations detect breaches within months or even weeks. A decade of undetected presence suggests a failure in identity hygiene and an absence of routine rotation of the keys that sign and validate security tokens.
This duration allows attackers to map the entire network and understand the organization’s internal patterns. BleepingComputer reports that the hackers had full visibility into administrative activity. This means the attackers could see exactly how the network was managed, which accounts had the most power, and where the most sensitive data was stored.
The persistence was further aided by the network’s isolation. Many organizations assume that “air-gapped” or isolated networks are inherently secure. However, once a perimeter is breached, the lack of internal monitoring in these environments often makes it easier for attackers to remain hidden.
What are the risks of compromised authentication stacks?
The primary risk of a compromised authentication stack is the total loss of trust in identity. When the system that verifies users is compromised, no single login can be trusted. This creates several critical vulnerabilities:

This case mirrors patterns seen in previous Chinese state-sponsored campaigns, such as those attributed to groups like Volt Typhoon, which emphasize “living off the land.” Rather than using custom malware, these actors use built-in system tools and legitimate credentials to avoid detection.
The 10-year window described by BleepingComputer indicates that the attackers did not just steal credentials, but owned the mechanism that creates those credentials. This distinction is critical for defenders, as it means simply changing passwords would not have evicted the attackers.
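To make the distinction concrete, the following is an added illustration (not code from the report or the affected organization) of why a password reset does not evict an actor who holds the token issuer's signing key, while retiring that key does. It uses a simplified JWT-style HMAC token; the key IDs, key bytes and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, kid: str, keys: dict) -> str:
    """Issue a token of the form header.payload.signature, HMAC-SHA256 under key `kid`."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(keys[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, trusted_keys: dict):
    """Return the claims if the token is signed by a key the verifier still trusts, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if not isinstance(header, dict):
        return None
    key = trusted_keys.get(header.get("kid"))  # unknown or retired key ID: reject
    if key is None:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(payload_b64))

def rotation_scenario() -> dict:
    """Constructed scenario: a token minted with the issuer's key survives a password reset
    (no claim depends on the password) but fails once the signing key is retired."""
    keys = {"k-2016": b"constructed-issuer-key-2016"}      # key the attackers are assumed to hold
    minted = mint_token({"sub": "domain-admin", "role": "admin"}, "k-2016", keys)
    # A password change touches nothing the verifier checks, so the token still validates.
    after_password_reset = verify_token(minted, keys) is not None
    # Key rotation: the old kid is no longer trusted, so every token it signed is rejected.
    rotated = {"k-2026": b"constructed-issuer-key-2026"}
    after_rotation = verify_token(minted, rotated) is not None
    return {"valid_after_password_reset": after_password_reset,
            "valid_after_key_rotation": after_rotation}
```

Rotation only helps if the verifier actually drops the retired key ID rather than keeping it in the trusted set for compatibility.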
