PROBABLYPWNED
Threat Intelligence · June 13, 2026 · 4 min read

Velvet Ant Hid in Linux Auth Stack for Nearly a Decade

Chinese APT Velvet Ant compromised PAM and OpenSSH on a critical infrastructure network, remaining undetected from 2016 to 2026. Here's how they did it.

Alex Kowalski

Incident responders at Sygnia have uncovered one of the longest-running cyberespionage campaigns on record. A China-linked threat group called Velvet Ant spent nearly a decade inside a critical infrastructure organization's network, embedding itself so deeply into the authentication process that standard containment measures were useless.

The campaign, dubbed Operation Highland, began in 2016. When Sygnia's team started reconstructing the intrusion, the earliest forensic artifacts were already eight years old.

How Velvet Ant Hijacked Authentication

Rather than deploying conventional malware that security tools might flag, Velvet Ant went after the foundation of Linux access control: PAM (Pluggable Authentication Modules) and OpenSSH.

On compromised machines, the attackers replaced legitimate PAM login modules with backdoored versions. Sygnia discovered nine distinct variants, each with slightly different capabilities. Some allowed access via a hardcoded secret password. Others silently logged every username and password as users authenticated.

OpenSSH components got the same treatment. The trojanized versions recorded all typed commands and credentials, with a hidden switch that let operators disable logging when needed.

The result was total visibility. As Sygnia put it: "Administrative activity became fully observable—every login, every command executed" across affected systems.

Reaching the Air-Gapped Segment

The target network included an "air-gapped" segment with no direct internet path. Velvet Ant solved this by using an internet-facing web server as a bridge, passing commands through modified Nginx configurations and FastCGI wrappers to open remote sessions deep inside the isolated environment.

They deployed a disguised GS-Netcat reverse shell and custom SOCKS5 proxies to maintain connectivity. A binary innocuously named 'uptime' served as additional persistence.

This pattern mirrors techniques we covered in the OP-512 campaign, where Chinese operators used IIS web shell frameworks to maintain access across segmented enterprise environments.

Why Standard Containment Failed

When defenders find an intruder, the typical response is to reset passwords, kill sessions, and rotate credentials. None of that works when the authentication system itself is compromised.

Password resets and forced logouts mean nothing when the module checking those credentials is logging the new password as it's entered. Velvet Ant had embedded access at the authentication layer, not just on specific machines or accounts.

This approach reflects a broader trend in nation-state tradecraft—moving away from detectable implants toward living inside trusted components that defenders assume are clean.

A Decade of Evolution

Velvet Ant has a history of adapting when defenders catch one foothold. In a 2024 incident, Sygnia found the same group turning internet-exposed F5 BIG-IP appliances into internal command servers. Later that year, they reported Velvet Ant exploiting CVE-2024-20399, a Cisco NX-OS flaw, to plant backdoors on network switches.

The pattern is consistent: each time defenders locate and remove one persistence mechanism, Velvet Ant pivots to infrastructure that receives less scrutiny.

This evolution parallels what we saw with Phantom Taurus, another Chinese APT that demonstrated similar adaptability across campaigns targeting African and Asian organizations.

What Organizations Should Do

Sygnia's recommendations focus on treating authentication components as critical security assets:

  • Monitor PAM and OpenSSH integrity — Verify files against known-good baselines, not just against previous scans that might already be compromised
  • Deploy file integrity monitoring on authentication-related binaries and configurations
  • Assume password resets are compromised until you've verified the authentication stack is clean
  • Patch CVE-2024-20399 on any Cisco Nexus equipment in your environment
  • Inspect F5 BIG-IP devices for unexpected outbound connections or configuration changes
  • Implement out-of-band authentication verification for critical administrative access
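The first two recommendations above (verify PAM and OpenSSH against a known-good baseline, and keep integrity monitoring on authentication binaries and configuration) can be reduced to a small baseline-and-verify loop. The script below is an added example written for this article; it is not Sygnia's tooling and not code from the original post. The paths in AUTH_STACK_PATHS are assumptions about a typical Debian or RHEL layout, and the `demo()` function works on a constructed fake auth stack in a temporary directory so it runs anywhere. The important design point matches the article's caveat: the baseline must be captured while the host is trusted (fresh install, or hashes from the package manager or a trusted copy) and stored off-host, because a baseline taken from an already-compromised machine simply enshrines the backdoored module as "good".

```python
#!/usr/bin/env python3
"""Baseline-and-verify integrity check for the Linux authentication stack.

Added example for this article (not Sygnia's tooling, not code from the post).
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# Assumed locations of PAM modules, PAM policy and OpenSSH components on a
# typical Debian/RHEL host; adjust for your distribution.
AUTH_STACK_PATHS = [
    "/lib/x86_64-linux-gnu/security",  # PAM modules (Debian/Ubuntu)
    "/lib64/security",                 # PAM modules (RHEL/Fedora)
    "/etc/pam.d",                      # PAM policy files
    "/etc/ssh/sshd_config",
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots) -> dict:
    """Hash every regular file under the given roots (files or directories).

    Symlinks are followed, so a link repointed at a rogue module shows up as a
    changed hash. Take this snapshot only on a host you still trust and keep the
    result off-host; a baseline from a compromised machine proves nothing.
    """
    baseline = {}
    for root in map(Path, roots):
        if root.is_file():
            baseline[str(root)] = sha256_file(root)
        elif root.is_dir():
            for p in sorted(root.rglob("*")):
                if p.is_file():
                    baseline[str(p)] = sha256_file(p)
    return baseline


def verify(roots, baseline: dict) -> dict:
    """Compare the current state of the auth stack against a stored baseline.

    Returns three sorted lists: 'modified' (hash differs, e.g. a replaced
    pam_*.so or sshd), 'added' (present now but not in the baseline, e.g. an
    extra PAM module) and 'missing' (in the baseline but gone now).
    """
    current = build_baseline(roots)
    modified = sorted(p for p, h in current.items()
                      if p in baseline and baseline[p] != h)
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def save_baseline(baseline: dict, path: str) -> None:
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: str) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Walk-through on a constructed fake auth stack (sample data, not real files)."""
    with tempfile.TemporaryDirectory() as tmp:
        sec = Path(tmp, "security")
        sec.mkdir()
        (sec / "pam_unix.so").write_bytes(b"\x7fELF constructed good pam_unix")
        (sec / "pam_deny.so").write_bytes(b"\x7fELF constructed good pam_deny")
        sshd = Path(tmp, "sshd")
        sshd.write_bytes(b"\x7fELF constructed good sshd")
        roots = [str(sec), str(sshd)]
        baseline = build_baseline(roots)  # snapshot taken while still trusted
        # Simulate tampering: one module replaced, one dropped in, one removed.
        (sec / "pam_unix.so").write_bytes(b"\x7fELF constructed replaced module")
        (sec / "pam_extra.so").write_bytes(b"\x7fELF constructed unexpected module")
        (sec / "pam_deny.so").unlink()
        return verify(roots, baseline)


if __name__ == "__main__":
    # Usage: auth_fim.py baseline <file>   (on a trusted host, store off-host)
    #        auth_fim.py verify   <file>   (later, against that stored file)
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        save_baseline(build_baseline(AUTH_STACK_PATHS), sys.argv[2])
    elif len(sys.argv) == 3 and sys.argv[1] == "verify":
        print(json.dumps(verify(AUTH_STACK_PATHS, load_baseline(sys.argv[2])), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run `baseline` once on a freshly built host and copy the JSON somewhere the host cannot write to; run `verify` from a cron job or your monitoring agent and alert on any non-empty list. An "added" entry under the PAM module directory, or a "modified" sshd, is exactly the kind of change the article describes and should be treated as a compromise of the authentication layer, not as drift to be re-baselined.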

The uncomfortable reality is that most organizations trust their login systems by default. Velvet Ant exploited that trust for nearly ten years.

Why This Matters

Operation Highland represents the nightmare scenario for defenders: an adversary patient enough to compromise fundamental infrastructure rather than deploy flashy malware, and disciplined enough to maintain access through multiple detection efforts over a decade.

For organizations running critical infrastructure, the message is clear. Authentication components deserve the same scrutiny as endpoint security tools. If those foundations are compromised, nothing built on top of them is trustworthy.

Understanding threats like this requires studying how nation-state actors operate over extended timelines. For deeper context on Russian and Chinese cyber operations, our cybersecurity books collection includes essential reading on Sandworm and other APT campaigns.
