Executive Summary
In June 2026, cybersecurity firm Sygnia uncovered that the China-linked threat group known as Velvet Ant had infiltrated Linux systems by backdooring the Pluggable Authentication Modules (PAM) and OpenSSH components, enabling unauthorized access and credential harvesting. This sophisticated attack, which began as early as 2016, involved replacing trusted login programs with malicious versions, allowing the attackers to maintain persistent access and evade detection.
The incident underscores the evolving tactics of nation-state actors targeting critical infrastructure components that are often overlooked, highlighting the need for organizations to implement rigorous integrity checks and continuous monitoring of authentication systems to detect and mitigate such stealthy intrusions.
Why This Matters Now
This incident highlights the critical need for organizations to implement rigorous integrity checks and continuous monitoring of authentication systems to detect and mitigate such stealthy intrusions.
Attack Path Analysis
The attack progressed through the following stages:
- Initial access: the attackers backdoored the Linux Pluggable Authentication Modules (PAM) and OpenSSH components, allowing them to intercept credentials and establish persistent access.
- Privilege escalation: they modified PAM to accept arbitrary credentials, granting them root access.
- Lateral movement: using their elevated privileges, they accessed other systems on the network with the compromised credentials.
- Command and control: they communicated with their infrastructure using DNS requests over UDP port 53.
- Exfiltration: they intercepted unencrypted private keys and passphrases.
- Impact: unauthorized access to systems, potential data theft, and long-term persistence within the network.
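The stages above all hinge on trusted login components (PAM modules, sshd, their configuration) being silently replaced, which is exactly what a hash baseline catches. The following is an added example, not code from the report or from Sygnia or Aviatrix: it records SHA-256 digests of the watched files on a known-good host and later classifies every change as modified, missing or unexpected. The watch paths are assumed defaults and differ between distributions; the `demo()` function runs the same logic against constructed files in a temporary directory so it can be exercised without touching a real system.

```python
"""Hash-baseline integrity check for PAM modules and OpenSSH components (added example)."""
import glob
import hashlib
import json
import os
import tempfile

# Assumed default locations (not from the report); distributions differ, e.g. /lib64
# versus /lib/x86_64-linux-gnu. Extend the list for your hosts.
DEFAULT_WATCH_GLOBS = [
    "/lib/security/*.so",
    "/lib64/security/*.so",
    "/lib/x86_64-linux-gnu/security/*.so",
    "/usr/lib/security/*.so",
    "/etc/pam.d/*",
    "/etc/ssh/sshd_config",
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/usr/bin/ssh-keygen",
]


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(globs=DEFAULT_WATCH_GLOBS):
    """Return {path: sha256} for every regular file matched by the glob patterns."""
    result = {}
    for pattern in globs:
        for path in sorted(glob.glob(pattern)):
            if os.path.isfile(path):
                result[path] = sha256_of(path)
    return result


def diff_baseline(baseline, current):
    """Classify differences between a trusted baseline and a fresh snapshot.

    modified   - content changed: the signature of a replaced binary or module
    missing    - present in the baseline but gone now
    unexpected - new file in a watched location, e.g. an extra PAM module
    """
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def save_baseline(snap, path):
    """Persist the baseline. Keep the trusted copy off-host or signed: an intruder with
    root who can replace sshd can equally rewrite a baseline stored on the same disk."""
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Run the check on constructed files in a temp directory: record a baseline, then
    replace one module and drop an extra one, mirroring the tampering the report describes."""
    with tempfile.TemporaryDirectory() as tmp:
        security = os.path.join(tmp, "security")
        os.mkdir(security)
        pam_unix = os.path.join(security, "pam_unix.so")
        sshd = os.path.join(tmp, "sshd")
        with open(pam_unix, "wb") as fh:
            fh.write(b"\x7fELF constructed original pam_unix")  # constructed placeholder content
        with open(sshd, "wb") as fh:
            fh.write(b"\x7fELF constructed original sshd")
        globs = [os.path.join(security, "*.so"), sshd]
        baseline = snapshot(globs)

        # Simulated tampering: trusted module replaced, unknown module added.
        with open(pam_unix, "wb") as fh:
            fh.write(b"\x7fELF constructed trojanised pam_unix")
        with open(os.path.join(security, "pam_extra.so"), "wb") as fh:
            fh.write(b"\x7fELF constructed unknown module")
        return diff_baseline(baseline, snapshot(globs))


if __name__ == "__main__":
    import sys
    # `baseline` on a known-good host, `check` later; no argument runs the constructed demo.
    if sys.argv[1:] == ["baseline"]:
        save_baseline(snapshot(), "pam_ssh_baseline.json")
    elif sys.argv[1:] == ["check"]:
        print(json.dumps(diff_baseline(load_baseline("pam_ssh_baseline.json"), snapshot()), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run it alongside the package manager's own verification (`rpm -V pam openssh-server` on RPM systems, `dpkg -V libpam-modules openssh-server` on Debian-based ones), since those compare against vendor-shipped digests; the baseline adds coverage for configuration files and for modules that no package owns, and, when it is kept off-host, it cannot be silently updated by the same root access that planted the backdoor.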
Kill Chain Progression
Initial Compromise
Description
The attackers gained initial access by backdooring the Linux Pluggable Authentication Modules (PAM) and OpenSSH components, allowing them to intercept credentials and establish persistent access.
Related CVEs
CVE-2024-20399 (CVSS 6.7)
A command injection vulnerability in Cisco NX-OS software allows authenticated attackers to execute arbitrary commands as root.
Affected Products: Cisco NX-OS – < 9.3.9
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Modify Authentication Process: Pluggable Authentication Modules
Modify Authentication Process
Hijack Execution Flow: Dynamic Linker Hijacking
Rootkit
Subvert Trust Controls: Code Signing
Unsecured Credentials: Private Keys
Application Layer Protocol: DNS
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
China-linked APT's decade-long Linux PAM/OpenSSH backdoors critically threaten banking systems, enabling lateral movement and data exfiltration bypassing traditional security controls.
Government Administration
Velvet Ant's persistent Linux authentication backdoors pose severe national security risks, compromising government infrastructure through undetectable privilege escalation and command control channels.
Telecommunications
Linux-based network infrastructure vulnerable to APT's authentication backdoors, enabling encrypted traffic interception and east-west lateral movement across critical communication systems nationwide.
Health Care / Life Sciences
Healthcare Linux systems exposed to China APT's authentication persistence, threatening HIPAA compliance through potential data exfiltration and compromised patient information security controls.
Sources
- China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade, https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html
- Velvet Ant, Group G1047 | MITRE ATT&CK®, https://attack.mitre.org/groups/G1047/
- Chinese APT group Velvet Ant deployed custom backdoor on Cisco Nexus switches, https://www.csoonline.com/article/3493381/chinese-apt-group-velvet-ant-deployed-custom-backdoor-on-cisco-nexus-switches.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to establish persistent access may have been constrained by enforcing strict workload isolation and continuous verification of workload behavior.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by enforcing least-privilege access controls and segmenting workloads based on identity.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely have been constrained by enforcing strict east-west traffic controls and segmenting workloads.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control communications may have been detected and disrupted by monitoring and controlling DNS traffic across multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts would likely have been constrained by enforcing strict egress policies and monitoring outbound traffic.
The overall impact of the attack could have been reduced by limiting the attacker's ability to move laterally and exfiltrate data through strict segmentation and controlled egress.
Impact at a Glance
Affected Business Functions
- Authentication Services
- Network Security
- System Administration
Estimated downtime: 14 days
Estimated loss: $500,000
Administrator credentials, user authentication logs, and potentially sensitive internal communications.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit access to critical systems.
- Deploy Threat Detection & Anomaly Response mechanisms to identify and respond to unauthorized modifications in authentication processes.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into network activities and detect anomalies.
- Apply Inline IPS (Suricata) to inspect and block malicious traffic patterns associated with known backdoor activities.
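The command-and-control channel in this incident ran over DNS on UDP port 53, and the monitoring recommended above has to find it in ordinary resolver logs. The following detector is an added example, not from the report or from any of the cited vendors: it groups queries by client and registered domain and flags pairs that show many distinct, long, high-entropy subdomains, which is the footprint a backdoor leaves when it encodes data into query names. The log format (`<timestamp> <client-ip> <qtype> <qname>`), the sample lines and the `c2-placeholder.example.net` domain are all constructed for the example, and the registered-domain logic is a two-label simplification rather than public-suffix-list aware.

```python
"""Score DNS query logs for tunnel-style command and control (added example)."""
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character of the string; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Constructed format: '<timestamp> <client-ip> <qtype> <qname>'; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname.rstrip(".").lower()}


def registered_domain(qname):
    # Simplification: the last two labels. A production detector should consult the
    # public suffix list so that host.example.co.uk maps to example.co.uk, not co.uk.
    labels = qname.split(".")
    return ".".join(labels[-2:])


def detect_dns_tunnelling(lines, min_unique_subdomains=20, entropy_threshold=3.0, min_avg_len=20):
    """Return one finding per (client, domain) pair whose query names look like encoded data.

    Thresholds are starting points: legitimate CDN and telemetry domains also produce
    many subdomains, so tune against a week of your own resolver logs before alerting.
    """
    stats = defaultdict(lambda: {"subs": set(), "entropy": [], "length": [], "qtypes": Counter()})
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        domain = registered_domain(q["qname"])
        sub = q["qname"][: -len(domain) - 1] if len(q["qname"]) > len(domain) else ""
        st = stats[(q["client"], domain)]
        st["subs"].add(sub)
        st["entropy"].append(shannon_entropy(sub))
        st["length"].append(len(sub))
        st["qtypes"][q["qtype"]] += 1

    findings = []
    for (client, domain), st in stats.items():
        unique = len(st["subs"])
        if unique < min_unique_subdomains:
            continue
        avg_entropy = sum(st["entropy"]) / len(st["entropy"])
        avg_len = sum(st["length"]) / len(st["length"])
        if avg_entropy >= entropy_threshold and avg_len >= min_avg_len:
            findings.append({
                "client": client,
                "domain": domain,
                "unique_subdomains": unique,
                "avg_entropy": round(avg_entropy, 2),
                "avg_label_len": round(avg_len, 1),
                "qtypes": dict(st["qtypes"]),
            })
    return findings


def build_sample_log():
    """Constructed log: ordinary lookups plus a burst of encoded TXT queries to one domain."""
    lines = [f"2026-06-12T10:00:{i:02d}Z 10.0.0.5 A www.example.com" for i in range(40)]
    for i in range(30):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]  # stands in for encoded data
        lines.append(f"2026-06-12T10:01:{i:02d}Z 10.0.0.5 TXT {chunk}.c2-placeholder.example.net")
    return lines


if __name__ == "__main__":
    for finding in detect_dns_tunnelling(build_sample_log()):
        print(finding)
```

The three signals are deliberately combined: high entropy alone fires on CDN hostnames, volume alone fires on large SaaS zones, but a single client producing dozens of unique, long, random-looking labels under one domain, often with TXT or NULL record types, is rare outside covert channels. Feeding the same function the resolver's own query log, one line per lookup, and routing findings to the SIEM gives the DNS-level visibility the controls above call for.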