The Hacker News · 2 min read

China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

A China-linked hacking group, tracked by Sygnia as Velvet Ant, was found to have backdoored Linux login software for nearly a decade. The group targeted the Pluggable Authentication Modules (PAM) and OpenSSH components, which are critical for user authentication and system access. By embedding their malicious code within these core system elements, the attackers ensured their persistence and evaded detection by standard security measures. This sophisticated approach allowed them to maintain a hidden presence within targeted networks for an extended period, potentially for up to ten years. The group's objective appears to be deep-seated infiltration, leveraging the fundamental login processes to conceal their activities from security defenders, who typically focus on more visible endpoints and network traffic. Sygnia's analysis highlights the advanced tactics employed by state-sponsored actors to achieve long-term stealth and access within critical infrastructure.
