the china-linked group velvet ant (also tracked as unc3886) was found to have maintained undetected access inside an organization's air-gapped critical infrastructure for roughly ten years, beginning in 2016, using compromised linux authentication libraries and trojanized openssh binaries. a decade of persistence inside a network deliberately isolated from the internet is at the extreme end of known intrusion dwell times.