China-Linked Velvet Ant APT Backdoored Linux Login Software for a Decade
A China-nexus advanced persistent threat tracked as Velvet Ant by incident response firm Sygnia maintained covert access to a target network for nearly a decade by compromising the Linux authentication stack itself, in an operation dubbed "Operation Highland." Rather than deploying conventional malware, the actor tampered with the core login components—PAM (Pluggable Authentication Modules) and OpenSSH—that govern who can sign in to Linux systems. Sygnia researchers identified at least nine distinct backdoored variants dating back to 2016, some accepting a secret password for covert entry while others silently harvested real usernames and passwords at login. The OpenSSH binaries were similarly modified to log every credential and command, with a hidden toggle to suppress logging when needed.
Reaching the isolated target segment required staged lateral movement. Because the affected network had no direct internet connectivity, Velvet Ant first established footholds on internet-facing systems, then used a compromised web server as a relay to pivot inward and open remote sessions on systems deep inside the air-gapped environment. This playbook mirrors the group's prior tradecraft: in 2024, Sygnia observed the same actor converting internet-exposed F5 BIG-IP appliances into internal command-and-control servers, and later exploiting Cisco NX-OS flaw CVE-2024-20399 to persist on network switches—a bug Cisco patched in July 2024 and CISA added to its Known Exploited Vulnerabilities catalog the following day. The recurring pattern is exploitation of gear defenders rarely scrutinize—load balancers, switches, and now the authentication layer itself.
The operational implications are severe. Because the attacker modified the trusted login programs rather than dropping discrete malware, standard detection and containment measures are largely ineffective. Password resets yield nothing if the modified PAM module captures the new credentials on entry—defenders should run compromised passwords through an email breach checker and rotate them only after the backdoor is removed, and they should immediately audit any session credentials against a password checker to assess exposure. Organizations should also validate outbound connectivity from supposedly isolated segments using a port scanner to identify unauthorized relay paths. Sygnia's guidance emphasizes integrity verification over patching: compare PAM and OpenSSH binaries against known-good cryptographic hashes, alert on any modification to these critical files, and never replace them on a live system without testing—or risk locking administrators out entirely. Velvet Ant's decade-long dwell time underscores that the most damaging intrusions are the ones hiding in plain sight inside the tools defenders trust by default.
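As an added illustration of the integrity-verification guidance above (example code, not Sygnia's tooling or anything from the article), the POSIX shell script below baselines the SHA-256 hashes of the PAM and OpenSSH files and, on re-check, reports every modified, missing or newly added file. The default path list is an assumption about typical Debian/RHEL layouts, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Baseline-and-verify for the Linux authentication stack: PAM modules, OpenSSH
# binaries and their configs. Records the SHA-256 of every regular file under
# the given paths, then reports MODIFIED / MISSING / NEW on re-check.
# Default paths are common Debian/RHEL locations (an assumption; adjust them).
AUTH_PATHS="/lib/x86_64-linux-gnu/security /usr/lib64/security /usr/sbin/sshd /usr/bin/ssh /etc/pam.d /etc/ssh"

hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# baseline <manifest> <path...>: write "hash  path" for every regular file.
# Keep the manifest off-box or on read-only media; root on the host can rewrite it.
baseline() {
  manifest=$1; shift
  : > "$manifest"
  for p in "$@"; do
    [ -e "$p" ] || continue
    find "$p" -type f | LC_ALL=C sort | while read -r f; do
      printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$manifest"
    done
  done
}

# in_manifest <manifest> <path>: true if the path was baselined (paths without spaces).
in_manifest() { awk -v p="$2" '$2 == p { found = 1 } END { exit !found }' "$1"; }

# verify <manifest> <path...>: one line per drifted file; returns 1 on any drift.
# NEW files matter too: an added module is loaded as soon as a pam.d entry names it.
verify() {
  manifest=$1; shift; drift=0
  while read -r expected path; do
    if [ ! -f "$path" ]; then
      echo "MISSING $path"; drift=1
    elif [ "$(hash_file "$path")" != "$expected" ]; then
      echo "MODIFIED $path"; drift=1
    fi
  done < "$manifest"
  for p in "$@"; do
    [ -e "$p" ] || continue
    for f in $(find "$p" -type f); do
      in_manifest "$manifest" "$f" || { echo "NEW $f"; drift=1; }
    done
  done
  return $drift
}

# CLI: ./auth-integrity.sh baseline|verify <manifest> [paths...]
case "$1" in
  baseline|verify) cmd=$1 manifest=$2; shift 2; [ $# -gt 0 ] || set -- $AUTH_PATHS; "$cmd" "$manifest" "$@" ;;
esac
```

Run `verify` from a scheduled job or your monitoring agent and alert on a non-zero exit, reading the manifest from a location the host cannot write to. Package-manager verification (`rpm -V`, `dpkg --verify`) is a complementary check, but it trusts the package database on the same host.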