China-Linked Hackers Backdoored Linux Login for Years

China-Linked Hackers Infiltrate Linux Login Software for Nearly a Decade

Linux security has faced a sophisticated threat for almost ten years, as China-linked hackers managed to backdoor critical authentication software within the Linux operating system. According to research by cybersecurity firm Sygnia, the group known as Velvet Ant embedded itself deep into the system by modifying key login components such as PAM (Pluggable Authentication Modules) and OpenSSH. This article explores how the attackers remained undetected for so long, the techniques they used, and what lessons organizations can learn to enhance their own Linux security.

How the Attackers Targeted Linux Systems

The Velvet Ant group did not rely on traditional malware or flashy exploits that might trigger alarms. Instead, they carefully altered the very programs responsible for user authentication on Linux systems. By replacing the main PAM login modules with their backdoored versions, the attackers gained the ability to grant themselves access with secret passwords or quietly harvest legitimate credentials as users logged in.

Similarly, the OpenSSH programs—widely used for secure remote logins—were modified to log both credentials and every command entered. The attackers even included a hidden switch, allowing them to disable logging to further evade detection. These changes made it possible to maintain persistent, covert access to targeted Linux environments, making the attack highly effective against organizations that depend on Linux security for their core infrastructure.

Persistence and Evasion Techniques

The compromised networks were particularly difficult to reach, as some had no direct internet access. To overcome this, the attackers staged their entry through internet-facing systems. They used a web server as a bridge, relaying commands and opening remote sessions deep inside isolated network segments. This level of sophistication highlights the attackers’ patience and skill, allowing them to evade common security practices and remain hidden for years.

Traditional security responses such as resetting passwords or terminating suspicious sessions were ineffective because the authentication system itself was compromised. As long as the backdoored PAM and OpenSSH components remained in place, any new credentials could be stolen as easily as the old ones, undermining standard containment and cleanup efforts.

Wider Campaign and Repeated Tactics

Velvet Ant’s campaign against Linux security is not an isolated incident. The group has a history of targeting trusted infrastructure components that are often overlooked. In 2024, Sygnia reported the group using internet-exposed F5 BIG-IP appliances as internal command servers. Later that year, the attackers exploited the CVE-2024-20399 vulnerability in Cisco NX-OS to plant backdoors on switches—again targeting devices that typically escape close scrutiny.

These tactics demonstrate a clear trend: attackers are increasingly aiming for the foundational layers of IT infrastructure, such as load balancers, switches, and authentication software. Because these components are trusted by default and rarely checked for integrity, they offer a stealthy haven for advanced threat actors.

Detecting and Responding to Advanced Backdoors

Unlike a typical vulnerability, there is no patch to apply here: Velvet Ant modified trusted programs directly after gaining initial access. Restoring Linux security therefore requires careful verification of all authentication software. Administrators are urged to monitor the PAM and OpenSSH programs and their associated files (shared modules, configuration, and the binaries themselves) for any unauthorized changes. Comparing these files against known-good copies is essential, since traditional antivirus or security scanners may not flag such subtle manipulations.

It is critical to remove any backdoors before resetting passwords; otherwise, new credentials could be immediately compromised. Because replacing authentication modules incorrectly can lock admins out of live systems, all changes should be thoroughly tested in a controlled environment first.
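The "compare against known-good copies" step above, as an added example that is not code from Sygnia or from the article: a small baseline-and-verify tool that records the SHA-256, size and mode of PAM modules and OpenSSH components, then reports files that were modified, disappeared, or newly appeared. The path globs in DEFAULT_TARGETS are typical Debian and RHEL locations and are assumptions; the demo runs entirely in a temporary directory with constructed files.

```python
"""Baseline-and-verify check for Linux authentication components (added example)."""
import glob
import hashlib
import json
import os
import stat
import tempfile

# Typical locations of PAM and OpenSSH pieces (assumed defaults; adjust per distro).
DEFAULT_TARGETS = [
    "/lib/x86_64-linux-gnu/security/*.so",  # Debian/Ubuntu PAM modules
    "/lib64/security/*.so",                 # RHEL/Fedora PAM modules
    "/etc/pam.d/*",                         # PAM stack configuration
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/etc/ssh/sshd_config",
]


def _fingerprint(path):
    """Hash the content and record size/mode; mode also catches permission tweaks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": oct(stat.S_IMODE(st.st_mode))}


def expand_targets(patterns):
    """Resolve globs to the regular files that currently exist."""
    files = []
    for pat in patterns:
        files.extend(p for p in sorted(glob.glob(pat)) if os.path.isfile(p))
    return files


def build_baseline(patterns):
    """Return {path: fingerprint} for every file matching the patterns."""
    return {p: _fingerprint(p) for p in expand_targets(patterns)}


def verify(baseline, patterns):
    """Compare the live system to a saved baseline; returns sorted (status, path)."""
    current = build_baseline(patterns)
    findings = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings.append(("missing", path))
        elif new != old:
            findings.append(("modified", path))
    for path in current:
        if path not in baseline:
            findings.append(("unexpected", path))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline, then tamper with a module, then verify."""
    with tempfile.TemporaryDirectory() as root:
        sec = os.path.join(root, "security")
        os.makedirs(sec)
        pam = os.path.join(sec, "pam_unix.so")
        sshd = os.path.join(root, "sshd")
        with open(pam, "wb") as f:
            f.write(b"original pam_unix module bytes")   # constructed content
        with open(sshd, "wb") as f:
            f.write(b"original sshd binary bytes")       # constructed content
        patterns = [os.path.join(sec, "*.so"), sshd, os.path.join(root, "*.bak")]
        # Serialize and reload as an operator would (keep the JSON off the host).
        baseline = json.loads(json.dumps(build_baseline(patterns)))
        # Same size, different content: only the hash reveals the swap.
        with open(pam, "wb") as f:
            f.write(b"trojaned pam_unix module bytes")
        with open(os.path.join(root, "sshd.bak"), "wb") as f:
            f.write(b"leftover copy")
        return [(s, os.path.relpath(p, root)) for s, p in verify(baseline, patterns)]


if __name__ == "__main__":
    for status, path in demo():
        print(f"{status:10} {path}")
```

Two points matter in practice. First, the baseline JSON must be generated from a trusted state (freshly provisioned host or vendor packages) and stored off the host, because an attacker with root can edit a local baseline as easily as the binaries. Second, the package manager's own verification (`dpkg --verify` or `rpm -V`) is a useful cross-check but relies on the on-host package database, so it is not a substitute for an external baseline.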

Lessons for the Future of Linux Security

The Velvet Ant campaign serves as a stark reminder that even the most trusted parts of IT infrastructure are not immune to attack. Effective Linux security now means extending integrity checks to components like login software, not just perimeter defenses or endpoints. Organizations should implement regular monitoring, maintain known-good baselines for critical files, and treat any unauthorized change as a potential indicator of compromise.

For systems using F5 or Cisco products, it is crucial to apply available fixes, such as the update addressing CVE-2024-20399 on Cisco Nexus gear, and to monitor for unexpected outbound connections. Defense teams should proactively hunt for evidence of tampering rather than wait for alerts that may never trigger.

Conclusion

The long-term infiltration of Linux authentication software by China-linked hackers demonstrates the evolving nature of cyber threats. Linux security requires constant vigilance, advanced monitoring, and a willingness to question even the most trusted system components. By learning from Velvet Ant’s techniques, organizations can better protect their infrastructure and maintain the integrity of their authentication systems.

This article is inspired by content from Original Source. It has been rephrased for originality. Images are credited to the original source.