- What: China-nexus Velvet Ant backdoored Linux PAM modules and OpenSSH binaries on air-gapped networks, replacing trusted login software to harvest credentials and maintain persistent access since 2016.
- Impact: Password resets and session kills are ineffective while the authentication layer itself is compromised; the backdoors harvest usernames and passwords at login and record every command typed in SSH sessions.
- Fix / mitigation: Compare PAM and OpenSSH binaries against known-good copies, remove backdoors before password resets, monitor for unauthorized file changes, and patch CVE-2024-20399 on Cisco Nexus devices.
- Who's at risk: Organizations running Linux in isolated or air-gapped environments, particularly those with F5 BIG-IP appliances and Cisco Nexus switches previously targeted by Velvet Ant.
A China-nexus threat group spent nine years hidden inside the most trusted part of Linux infrastructure: the login system itself. Sygnia researchers tracking the group as Velvet Ant discovered the actor had systematically backdoored PAM (Pluggable Authentication Modules) and OpenSSH components across air-gapped networks, planting access where standard incident response procedures cannot reach it.
The campaign, designated Operation Highland, represents authentication-layer compromise at scale. Rather than deploying detectable malware, Velvet Ant modified the programs that decide who gets access—turning the guardians into co-conspirators. Sygnia traced activity back to 2016, making this one of the longest-documented persistent access operations against Linux infrastructure.
Backdooring Trust: How PAM and OpenSSH Were Weaponized
Velvet Ant replaced legitimate PAM login modules with backdoored copies across multiple machines. Researchers identified nine distinct variants. Some allowed authentication with hardcoded secret passwords, bypassing all legitimate credential checks. Others ran silently in harvest mode, logging real usernames and passwords as administrators and users logged in normally—no alerts, no traces in standard logs.
OpenSSH binaries received the same treatment. Modified versions captured credentials and logged every command typed during SSH sessions. The actor built in a hidden switch to disable logging selectively, likely activated when their own operations needed to stay off the record. Because these were replacements of trusted system binaries—not additions—file integrity monitoring that only checked for new files would miss them entirely.
When the authentication system itself is compromised, standard containment measures become theater. Forced password resets, killed sessions, and any MFA enforced through PAM all pass through the same backdoored modules, so new credentials are captured the first time they are used. The actor maintained access through multiple remediation cycles because defenders were resetting passwords that were then checked by software working for the attacker.
Bridging the Air Gap
The targeted networks had no direct internet access, an isolation model intended to prevent exactly this kind of persistent remote access. Velvet Ant solved the problem with staged infrastructure: it compromised internet-facing web servers first, then used those systems as command-and-control bridges, relaying instructions into the isolated segment. A segment that can be reached from any host that also reaches the internet is segmented, not truly air-gapped, and that is the gap the actor used.
Commands passed through the exposed server opened remote sessions deep inside the protected network. The technique required custom tooling and patience, but it worked. Once the login layer was compromised, the air gap became irrelevant. Administrators logging in locally were unknowingly feeding credentials to an external actor, session by session.
A Pattern of Infrastructure Persistence
Operation Highland is the third major Velvet Ant campaign Sygnia has disclosed in two years, each targeting a different layer of neglected infrastructure. In 2024, Sygnia disclosed that the group had turned internet-exposed F5 BIG-IP load balancers into internal command servers, and that it had exploited CVE-2024-20399, a command-injection flaw in the Cisco NX-OS CLI, to plant backdoors on network switches.
CVE-2024-20399 requires valid administrator credentials, making it a persistence mechanism rather than an initial entry vector: an authenticated admin can inject commands that run on the switch's underlying Linux OS. Cisco patched the flaw in July 2024, and CISA added it to the Known Exploited Vulnerabilities catalog the following day. Velvet Ant's consistent targeting of load balancers, switches, and now authentication software reveals a deliberate strategy: hide in the infrastructure defenders trust by default and monitor least frequently.
Traditional threat hunting looks for malicious additions—new files, unknown processes, suspicious network connections. Velvet Ant inverts the model by modifying what is already there. The backdoored PAM modules and OpenSSH binaries have the same names, same locations, and same apparent functions as the legitimate versions. Only hash comparison or behavioral analysis reveals the substitution.
Not a Patching Problem
Operation Highland does not revolve around a single exploitable CVE. The actor modified trusted programs after gaining access through other means, so the remediation path is verification and surgical removal, not patch deployment. That makes cleanup riskier: replacing a live PAM module incorrectly can lock administrators out of production systems mid-incident.
Sygnia recommends the following response sequence:
- Monitor PAM module files (/lib/security/pam_*.so on older layouts; /lib64/security on RHEL-family systems and /lib/x86_64-linux-gnu/security on Debian-family systems), the PAM configuration in /etc/pam.d, and the OpenSSH binaries (/usr/sbin/sshd and the /usr/bin/ssh client) for any modification; alert on unexpected changes regardless of source
- Compare installed binaries against known-good copies from trusted repositories using cryptographic hashes, not timestamp or size checks, which an attacker replacing a file in place can trivially preserve; package-manager verification (rpm -V, dpkg --verify) is a useful second opinion but reads a database on the same disk the attacker controls
- Hunt proactively by diffing current file states against baseline snapshots; do not rely solely on real-time alerting
- Remove backdoored binaries before forcing password resets—otherwise new credentials are harvested immediately
- Test replacement binaries in isolated lab environments before deploying to production to avoid access lockouts
Additional Velvet Ant Indicators
Organizations that operate F5 BIG-IP appliances or Cisco Nexus switches should cross-reference earlier Velvet Ant tradecraft. Patch CVE-2024-20399 on all Cisco Nexus devices if not already applied. Monitor F5 systems for unexpected outbound network connections, particularly those initiated by management processes. Check for unauthorized configuration changes or newly created administrative accounts on both platforms.
The login layer now joins the list of infrastructure components that require integrity monitoring. PAM and OpenSSH typically sit outside the scope of EDR tooling and SIEM correlation rules because they are assumed to be correct by design. That assumption is exactly what Velvet Ant exploited for nine years.
Implications for Defense
The broader lesson extends beyond Linux authentication. Any component trusted by default and rarely inspected becomes a high-value persistence target for patient, capable adversaries. That includes firmware, bootloaders, hypervisors, and now the authentication stack. Air gaps provide physical segmentation, but they do not eliminate the need for integrity verification.
Velvet Ant demonstrated that even isolated networks can be reached if the actor is willing to stage through intermediary systems and wait years for value extraction. Once inside, they targeted the one layer defenders are least likely to suspect: the software that grants access in the first place. Defense requires shifting from perimeter monitoring to continuous integrity validation of the infrastructure itself.
RedEye Security provides assessments for organizations that need to understand their real risk.