A China-linked threat actor tracked as Velvet Ant spent nearly a decade maintaining persistent access to a targeted network by backdooring PAM (Pluggable Authentication Modules) and OpenSSH — the core Linux components that control who can log in. By compromising the authentication layer itself rather than higher-visibility applications, the group was able to survive routine security clean-up efforts. This matters because the same Linux authentication stack underpins the vast majority of cloud workloads, container hosts, and on-premises infrastructure.

Security Architect’s Take: Audit the integrity of PAM configuration files and OpenSSH binaries across all Linux hosts using file integrity monitoring or a trusted read-only baseline — pay particular attention to shared services and jump hosts where a single compromise yields the broadest access. Consider deploying centralised SSH certificate authorities (e.g. HashiCorp Vault SSH, AWS EC2 Instance Connect) to reduce reliance on static authorised_keys files and make backdoored local auth paths easier to detect.

Original advisory: China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade