A sophisticated hacking group linked to China, tracked as Velvet Ant, tampered with core components of the Linux login path over nearly a decade, according to findings from Sygnia. The attackers modified PAM (Pluggable Authentication Modules) and OpenSSH, the components that authenticate users and control access, which allowed them to bypass conventional security controls. Their operations began as early as 2016, using internet-facing systems as a foothold to reach a network that had no direct internet access.
By altering trusted login programs rather than deploying new malware, the group kept a low profile, since its activity resembled routine administrative work. In practice this meant replacing the primary PAM login module with trojanized versions that either granted access via a secret password or recorded the legitimate usernames and passwords entered. Nine distinct variants of these modified modules were identified, alongside comparable modifications to OpenSSH that also included covert credential logging.
Routine security measures such as password resets proved ineffective, because the compromised login system itself was what granted the attackers access: a freshly reset password is simply captured by the same backdoor. In a related incident in 2024, Velvet Ant was observed exploiting vulnerabilities in F5 BIG-IP appliances and Cisco NX-OS switches to establish command-and-control servers inside otherwise secure environments. The persistence of these intrusions underscores the need to verify the integrity of trusted programs, since patching alone does not address the underlying problem of already-compromised software.
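One concrete form of the verification the article calls for is checking the installed PAM and OpenSSH files against the digests the package manager recorded at install time; the Python below, an added example rather than anything from Sygnia's report, parses `rpm -V` / `dpkg --verify` output and flags login-path files whose content digest no longer matches. The sample output and file paths in it are constructed for illustration.

```python
"""Flag tampered PAM / OpenSSH files in package-manager verification output."""
import re
from typing import List, NamedTuple

# rpm -V and dpkg --verify print a 9-column status string (S M 5 D L U G T P),
# an optional attribute marker (c = config file) and the path. A letter means
# that attribute differs from the package database, '.' means it matches and
# '?' means it was not checked.
VERIFY_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")

FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
              "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}

# Paths a PAM/OpenSSH backdoor of the kind described above would have to touch.
LOGIN_PATH_PATTERNS = ("/security/pam_", "/sbin/sshd", "/bin/ssh", "/etc/pam.d/", "/etc/ssh/")

# Constructed sample of rpm -V style output (paths are illustrative, not from the report).
SAMPLE_OUTPUT = """\
S.5....T.    /usr/lib64/security/pam_unix.so
.......T.    /usr/lib64/security/pam_env.so
S.5....T.  c /etc/pam.d/sshd
S.5....T.    /usr/sbin/sshd
missing      /usr/share/doc/openssh/README
"""

class Finding(NamedTuple):
    path: str
    changed: tuple   # attribute names that differ from the package database
    is_config: bool  # config files change legitimately; review rather than auto-alert

def parse_verify_output(text: str) -> List[Finding]:
    """Turn each verification line into a Finding; skips headers and 'missing' lines."""
    findings = []
    for line in text.splitlines():
        m = VERIFY_LINE.match(line.strip())
        if not m:
            continue
        changed = tuple(FLAG_NAMES[c] for c in m["flags"] if c in FLAG_NAMES)
        findings.append(Finding(m["path"], changed, m["attr"] == "c"))
    return findings

def suspicious_login_changes(findings: List[Finding]) -> List[Finding]:
    """Login-path files whose content digest changed; an mtime-only change is not enough."""
    return [f for f in findings
            if any(p in f.path for p in LOGIN_PATH_PATTERNS) and "digest" in f.changed]

if __name__ == "__main__":
    for f in suspicious_login_changes(parse_verify_output(SAMPLE_OUTPUT)):
        print(("CONFIG " if f.is_config else "BINARY ") + f.path, ", ".join(f.changed))
```

The check only means something if the package database and the rpm/dpkg binary on the host are themselves intact, so on a host suspected of compromise compare against freshly downloaded packages or run the comparison from a separate trusted system.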