The hacker group Velvet Ant compromised Linux login systems with backdoors for nearly a decade, allowing them to spy on networks undetected.
Cybersecurity firm Sygnia has uncovered a large-scale espionage campaign linked to the China-associated hacking group Velvet Ant. As part of the so-called Operation Highland, the attackers managed to remain active inside an isolated network segment for almost ten years without being detected. The earliest traces of the intrusion date back to 2016. Instead of deploying conventional malware that could have been detected by standard security scanners, the attackers directly modified trusted operating system authentication components.
The hackers replaced core PAM (Pluggable Authentication Modules) components and OpenSSH services on compromised Linux servers with manipulated copies. Security researchers identified nine different versions of these modified files. Some of the backdoors enabled attackers to gain access using a secret password, while other variants captured legitimate usernames and passwords from authorized employees in plaintext during normal login processes. The modified OpenSSH components also recorded every command entered by users.
Bridging Isolated Networks
Because the targeted network had no direct internet connection, the attackers used an externally accessible web server as a bridge. Through this server, they forwarded commands to establish remote sessions deep inside the isolated segment. Since the authentication layer itself had been compromised, conventional countermeasures such as terminating active sessions or resetting passwords were ineffective. The very components responsible for validating credentials had been altered to operate in the attackers’ favor.
This approach matches the known tactics of the Velvet Ant group, which frequently focuses on infrastructure components that receive less monitoring attention. In one 2024 incident, Sygnia discovered that the same group had turned publicly accessible F5 BIG-IP appliances into internal command servers. Later that year, the attackers exploited a vulnerability in Cisco NX-OS, tracked as CVE-2024-20399, to install backdoors on network switches. The vulnerability already required administrative access and was primarily used to maintain long-term persistence.
Linux Infrastructure Requires Extensive Cleanup
Because the attackers modified legitimate system files after gaining access, the incident cannot be resolved through simple software updates or patches. Security analysts emphasize that remediation requires a manual review process in which active PAM and OpenSSH binaries must be compared directly against verified, clean original copies.
Replacing these system files requires extreme precision, as incorrect replacements could completely lock administrators out of the running operating system. The backdoors must also be fully removed before passwords are reset. If user credentials are changed before the login components have been cleaned, the new passwords will immediately be captured again by the attackers’ active logging mechanisms.
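The comparison the analysts describe can be scripted. The following is an added example, not code from Sygnia or the article: it checks the PAM and OpenSSH files on a host against a manifest of SHA-256 hashes taken from verified clean copies. The manifest format, the helper names and the file paths are assumptions; the demonstration at the end runs on constructed stand-in files rather than real binaries.

```shell
# Compare the PAM and OpenSSH files on a host against SHA-256 hashes taken from
# verified clean copies (vendor package contents or an offline golden image).
# Do not trust the host's own package database for this: rpm -V / debsums are a
# quick first pass, but a root-level intruder can alter that database too.

# Hash helper: coreutils sha256sum, falling back to shasum where that is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# verify_against_manifest MANIFEST [ROOT]
# MANIFEST holds "<sha256>  <path>" lines (sha256sum format); ROOT is an optional
# prefix, so an offline-mounted disk can be checked as well as the live system.
# Prints OK / MODIFIED / MISSING per file and returns 1 if any file is not OK.
verify_against_manifest() {
    manifest="$1"; root="${2:-}"; bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        target="$root$path"
        if [ ! -f "$target" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        if [ "$(sha256_of "$target")" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    return "$bad"
}
# Demonstration on constructed stand-ins (assumption: real paths are distro-specific,
# e.g. /lib/x86_64-linux-gnu/security/pam_unix.so and /usr/sbin/sshd).
demo_report() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/lib/security" "$work/clean/usr/sbin" \
             "$work/host/lib/security"  "$work/host/usr/sbin"
    printf 'clean pam_unix\n' > "$work/clean/lib/security/pam_unix.so"
    printf 'clean sshd\n'     > "$work/clean/usr/sbin/sshd"
    : > "$work/manifest"   # manifest built from the clean copies, not from the host
    for p in /lib/security/pam_unix.so /usr/sbin/sshd; do
        printf '%s  %s\n' "$(sha256_of "$work/clean$p")" "$p" >> "$work/manifest"
    done
    cp "$work/clean/usr/sbin/sshd" "$work/host/usr/sbin/sshd"           # untouched
    printf 'swapped pam_unix\n' > "$work/host/lib/security/pam_unix.so" # replaced
    verify_against_manifest "$work/manifest" "$work/host" || true
    rm -rf "$work"
}
demo_report
```

Any file reported as MODIFIED or MISSING should be restored from the trusted source before credentials are rotated, in line with the remediation order described above.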
(ll)