Full Report
Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself. Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components that decide who is allowed to sign in, planting its access where ordinary cleanup could not reach it. The network it targeted had no
Analysis Summary
# Threat Actor: Velvet Ant
## Attribution & Identity
- **Name:** Velvet Ant
- **Attribution:** China-nexus threat group (Chinese state-sponsored).
- **Known Associations:** Sygnia tracks this actor specifically for their deep-persistence operations on network infrastructure and Linux environments.
## Activity Summary
- **Operation Highland (2016–2026):** A decade-long campaign where the actor remained undetected within a targeted organization's Linux login system.
- **CVE-2024-20399 Exploitation (2024):** Exploitation of a Cisco NX-OS vulnerability to plant backdoors on network switches.
- **F5 BIG-IP Compromise (2024):** Infiltration of internet-exposed load balancers to serve as internal command-and-control (C2) nodes.
## Tactics, Techniques & Procedures
- **Persistence via Binary Modification:** Instead of traditional malware, the actor replaced trusted system binaries with backdoored versions (PAM and OpenSSH modules) to bypass detection.
- **Credential Access:** Modified login modules recorded legitimate usernames and passwords as users signed in.
- **Backdoors:** Implementation of secret passwords ("master keys") in PAM modules to grant unauthorized access to any account.
- **Administrative Obfuscation:** Usage of a hidden "off switch" in OpenSSH to stop command logging when the attacker wanted to avoid leaving a trail.
- **Pivot/Bridge Systems:** Used internet-facing web servers as staging points to tunnel commands into isolated, non-internet-connected network segments.
- **Exploitation for Persistence (Post-Compromise):** Exploiting vulnerabilities like **CVE-2024-20399** (which requires prior admin access) specifically to maintain long-term access to hardware infrastructure.
## Targeting
- **Sectors:** Critical Infrastructure, Government, and Organizations utilizing enterprise-grade networking and Linux environments.
- **Geography:** Primarily focused on "East Asian" regions/interests based on related 2024 reporting, though likely global.
- **Victims:** A specific, unnamed organization where they remained hidden for nearly 10 years.
## Tools & Infrastructure
- **Backdoored Components:** Pluggable Authentication Modules (PAM) and OpenSSH.
- **Appliances:** Cisco NX-OS switches, F5 BIG-IP appliances.
- **Malware:** Custom backdoored copies of legitimate utilities (9 separate versions of PAM modules identified).
- **C2:** Internal F5 boxes repurposed as command servers; internet-facing web servers used as bridges.
## Implications
- **High Stealth/Low Signal:** By modifying OS-level login components rather than dropping files, the actor avoids EDR and traditional scanners.
- **Resistance to Containment:** Standard remediation steps such as password resets are ineffective on their own, because the actor controls the mechanism that validates the new passwords and can simply record them.
- **Infrastructure Focus:** The group specializes in "edge" devices (switches, load balancers) that often lack robust integrity monitoring compared to endpoints.
## Mitigations
- **Integrity Monitoring:** Implement File Integrity Monitoring (FIM) for critical Linux login components (PAM modules, SSH binaries).
- **Binary Verification:** Regularly compare production OS binaries against known-good "Golden Image" hash values rather than relying on timestamp analysis.
- **Hardware Patching:** Apply urgent updates for Cisco NX-OS (**CVE-2024-20399**) and F5 BIG-IP systems.
- **Zero-Trust Logic:** Monitor for unexpected outbound connections from infrastructure appliances (e.g., F5 boxes talking to internal servers that have no reason to appear in their network topology).
- **Recovery Sequence:** Ensure backdoors are removed from system binaries *before* forcing a network-wide password reset to prevent re-capture of new credentials.
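As an added example (not from the Sygnia report or any vendor tool), the golden-image comparison behind the Integrity Monitoring and Binary Verification points above, written in Python and run against a constructed directory tree; the file paths and the "tampered" content are illustrative assumptions, and the simulated backdoor keeps the original mtime to show why timestamps alone do not catch it.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Login-path components worth baselining on a Linux host (assumed, illustrative paths).
LOGIN_COMPONENTS = [
    "lib/x86_64-linux-gnu/security/pam_unix.so",
    "usr/sbin/sshd",
    "usr/bin/ssh",
    "etc/pam.d/sshd",
]

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, relpaths) -> dict:
    """Golden-image hashes: take these from a clean install or package repo, never the live host."""
    return {rel: sha256_of(root / rel) for rel in relpaths}

def verify(root: Path, baseline: dict) -> dict:
    """Compare live files to the baseline by content hash only; mtimes are attacker-controlled."""
    findings = {"modified": [], "missing": [], "ok": []}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.exists():
            findings["missing"].append(rel)
        elif sha256_of(p) != expected:
            findings["modified"].append(rel)
        else:
            findings["ok"].append(rel)
    return findings

def demo() -> dict:
    """Constructed scenario: a golden image, then a live host where pam_unix.so was swapped."""
    with tempfile.TemporaryDirectory() as tmp:
        golden, live = Path(tmp) / "golden", Path(tmp) / "live"
        for root in (golden, live):
            for rel in LOGIN_COMPONENTS:
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(b"legitimate build of " + rel.encode())
        baseline = build_baseline(golden, LOGIN_COMPONENTS)
        target = live / LOGIN_COMPONENTS[0]
        st = os.stat(target)
        target.write_bytes(b"tampered build")          # replaced module
        os.utime(target, (st.st_atime, st.st_mtime))   # mtime restored, as an attacker would
        (live / "usr/bin/ssh").unlink()                # a missing binary is also a finding
        return verify(live, baseline)
```

In practice the baseline comes from the distribution's package metadata or a clean build, and a reset of credentials happens only after every modified or missing item has been replaced.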