Velvet Ant Backdoored Linux Login Layer Since 2016
Key insights
- Velvet Ant corrupted PAM and OpenSSH on an air-gapped network, deploying nine backdoor variants with traces dating to 2016.
- Password resets and killed sessions were ineffective because the compromised PAM layer was itself authenticating users for the attacker.
- Sygnia tracked Velvet Ant systematically shifting to less-monitored infrastructure, having previously compromised F5 BIG-IP appliances and, via CVE-2024-20399, Cisco NX-OS gear.
Why this matters
Corrupting PAM and OpenSSH means an attacker receives valid credentials even after full password rotations, making one of the most common IR playbook steps actively counterproductive in a compromised Linux environment. The nearly decade-long persistence on an air-gapped network exposes a gap in standard security monitoring: most environments have no established baseline for what their PAM modules or OpenSSH binaries should contain, and no alerting when those files change. Sygnia's documentation of Velvet Ant escalating from network appliances (F5 BIG-IP, Cisco NX-OS) to OS authentication components signals a deliberate, multi-year strategy of embedding in increasingly foundational infrastructure layers that defenders treat as implicitly trusted.
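One way to close that baseline gap, as an added example that is neither Sygnia's tooling nor code from the article: a small Python checker that records SHA-256 digests of the PAM module directory, the PAM configuration and the OpenSSH binaries from a known-good image, then reports anything added, modified or missing on a later run. The path list is an assumption about a Debian/Ubuntu layout and must be adjusted per distribution.

```python
"""Baseline and re-verify the Linux login layer (PAM modules, PAM config, OpenSSH).
Added example; the path list assumes a Debian/Ubuntu layout (RHEL: /lib64/security)."""
import hashlib, json, os, sys

AUTH_LAYER_PATHS = [
    "/lib/x86_64-linux-gnu/security",   # PAM modules such as pam_unix.so
    "/etc/pam.d",                       # PAM stack configuration
    "/usr/sbin/sshd", "/usr/bin/ssh",   # OpenSSH server and client binaries
    "/etc/ssh/sshd_config",
]

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(paths):
    """Map every regular file at or under the given paths to its SHA-256."""
    digests = {}
    for root in paths:
        if os.path.isfile(root):
            digests[root] = sha256_file(root)
        elif os.path.isdir(root):
            for dirpath, _, names in os.walk(root):
                for name in names:
                    p = os.path.join(dirpath, name)
                    if os.path.isfile(p) and not os.path.islink(p):
                        digests[p] = sha256_file(p)
    return digests

def diff(baseline, current):
    """Return (added, modified, missing) relative to the baseline: a new .so in
    the PAM directory or a changed sshd is exactly the drift to alert on."""
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, missing

if __name__ == "__main__":
    # auth_fim.py baseline <store> (from a known-good image); auth_fim.py verify <store>
    mode, store = sys.argv[1], sys.argv[2]
    if mode == "baseline":
        with open(store, "w") as f:
            json.dump(snapshot(AUTH_LAYER_PATHS), f, indent=1)
    else:
        with open(store) as f:
            drift = diff(json.load(f), snapshot(AUTH_LAYER_PATHS))
        for label, items in zip(("ADDED", "MODIFIED", "MISSING"), drift):
            for p in items:
                print(label, p)
        sys.exit(1 if any(drift) else 0)
```

Take the baseline from a freshly installed or package-verified image, and run the verify step from rescue media or cross-check with `rpm -V` / `dpkg --verify`, because a host whose login layer is already backdoored cannot be trusted to report on itself.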
Summary
China-nexus Velvet Ant spent nearly a decade inside an air-gapped network by corrupting the Linux authentication layer, replacing PAM modules and OpenSSH binaries with backdoored copies.
Tracked by Sygnia as Operation Highland, the campaign deployed nine PAM variants, some granting unauthorized access and others capturing real credentials silently as users logged in normally. Password resets and session kills proved worthless because the authentication component itself was working for the attacker.
Essentially: the attacker owned the login gate, not just a system behind it.
- Backdoor activity traces to 2016, spanning nearly a decade on isolated, air-gapped infrastructure.
- Velvet Ant previously hit F5 BIG-IP appliances and Cisco NX-OS gear (CVE-2024-20399), shifting to less-monitored systems each time it was partially discovered.
When the trust layer is the implant, conventional incident response has no footing.
Potential risks and opportunities
Risks
- Linux-based critical infrastructure operators running unverified PAM or OpenSSH binaries face undetected compromise if Velvet Ant has expanded beyond the single disclosed target.
- IR teams that prescribed password resets without first auditing PAM and OpenSSH file integrity may have failed to fully remediate, leaving clients with ongoing attacker access.
- CISA and national CERTs face pressure to issue emergency guidance on PAM and OpenSSH integrity verification across government Linux environments, given the decade-long persistence window demonstrated.
Opportunities
- Sygnia's Operation Highland documentation creates a first-mover advantage in PAM and OpenSSH forensic methodology, likely driving retainer contracts from operators of air-gapped critical infrastructure.
- File-integrity monitoring and Linux endpoint security vendors gain immediate sales traction as security teams rush to establish PAM and OpenSSH binary baselines after this disclosure.
- Cisco and F5 BIG-IP vendors, named in earlier Velvet Ant campaigns, can differentiate on hardware-attested firmware integrity as a direct counter to this class of state-sponsored persistence.
What we don't know yet
- The targeted air-gapped organization's identity is undisclosed, and whether it operates in critical infrastructure such as energy, defense, or government has not been confirmed in public reporting.
- No formal attribution by any government agency has been reported, leaving the China-nexus classification as an analytical judgment rather than a confirmed state directive.
- Whether any of the nine PAM variants or OpenSSH modifications Velvet Ant deployed have been identified in environments beyond this single disclosed air-gapped target.
Originally reported by thehackernews.com
Original headline: China-Linked Velvet Ant Backdoored Linux PAM and OpenSSH Since 2016, Hiding for Nearly a Decade by Corrupting the Authentication Layer Itself