Velvet Ant: Surgical Subversion of Critical Infrastructure Authentication Stacks (PAM and OpenSSH)
In a sophisticated display of cyber-persistence, the China-nexus threat actor known as Velvet Ant has been unmasked for executing a near-decade-long campaign of silent infiltration. Rather than focusing on rapid data exfiltration, this highly disciplined group prioritized “low and slow” access, eventually culminating in the surgical replacement of core authentication components—specifically OpenSSH binaries and Pluggable Authentication Modules (PAM)—across highly segregated critical infrastructure networks.
The intrusion lifecycle began by compromising internet-facing edge devices. Once initial access was secured, the operator deployed custom tooling designed to establish covert command-and-control (C2) and sophisticated tunneling capabilities. A primary component of this toolkit was a modified GS-Netcat binary, which was cleverly disguised as a legitimate kernel thread named auditdb. This allowed the actor to maintain encrypted reverse shells back to their relay infrastructure while utilizing a bespoke SOCKS5 proxy to route lateral movement traffic deep into the internal environment.
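The "kernel thread" disguise relies on nobody checking what /proc says about the process. The following is an added example, not Sygnia's tooling or anything from the report: a genuine kernel thread is parented by kthreadd (PID 2), has an empty /proc/<pid>/cmdline, and has no /proc/<pid>/exe link at all, whereas a renamed user-space binary keeps a real executable image and an ordinary parent. The snapshot, the watchlist name and the paths in it are constructed; only the `auditdb` name comes from the text.

```python
"""Heuristic check for user-space processes masquerading as kernel threads.

Added example (not Sygnia's tooling). A real kernel thread is a child of
kthreadd (PID 2), has an empty cmdline and no /proc/<pid>/exe link
(readlink fails with ENOENT). A renamed user-space binary keeps a real
executable image and an ordinary parent, which is what this check keys on.
"""
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

KTHREADD_PID = 2
UNREADABLE = "<unreadable>"      # exe link exists but we lack permission to read it


@dataclass
class ProcRecord:
    pid: int
    ppid: int
    comm: str                    # /proc/<pid>/comm; an arbitrary name of up to 15 chars
    cmdline: str                 # /proc/<pid>/cmdline with NULs replaced by spaces
    exe: Optional[str]           # readlink(/proc/<pid>/exe); None when there is no image


def collect_live() -> List[ProcRecord]:
    """Snapshot the local /proc (Linux only; run as root to see every exe link)."""
    records = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/status") as fh:
                status = dict(line.split(":", 1) for line in fh if ":" in line)
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            comm, ppid = status["Name"].strip(), int(status["PPid"])
        except (OSError, KeyError, ValueError):
            continue             # process exited while we were reading it
        try:
            exe: Optional[str] = os.readlink(f"/proc/{pid}/exe")
        except FileNotFoundError:
            exe = None           # no executable image: kernel thread (or a zombie)
        except PermissionError:
            exe = UNREADABLE
        records.append(ProcRecord(pid, ppid, comm, cmdline, exe))
    return records


def find_fake_kernel_threads(records, watchlist=("auditdb",)) -> List[Tuple[ProcRecord, List[str]]]:
    """Return (record, reasons) for processes that look like kernel threads but are not."""
    hits = []
    for r in records:
        if r.pid in (1, KTHREADD_PID):
            continue
        if r.ppid == KTHREADD_PID and r.cmdline == "" and r.exe is None:
            continue             # consistent with a real kernel thread
        has_image = r.exe not in (None, UNREADABLE)
        reasons = []
        if r.comm.strip("[]") in watchlist:
            reasons.append("process name on watchlist")
        if has_image and r.cmdline == "":
            reasons.append("empty cmdline but a real executable image")
        if has_image and r.ppid == KTHREADD_PID:
            reasons.append("claims kthreadd as parent but has an executable image")
        if has_image and r.comm.startswith("["):
            reasons.append("bracketed kernel-style name with an executable image")
        if reasons:
            hits.append((r, reasons))
    return hits


# Constructed snapshot for offline use; PIDs and paths are illustrative only.
SAMPLE_SNAPSHOT = [
    ProcRecord(2, 0, "kthreadd", "", None),
    ProcRecord(15, 2, "kworker/0:1", "", None),                        # genuine kernel thread
    ProcRecord(812, 1, "sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd"),
    ProcRecord(4021, 1, "auditdb", "", "/var/tmp/.cache/auditdb"),     # renamed user-space binary
    ProcRecord(4088, 4021, "[kauditd]", "", "/var/tmp/.cache/nc"),
]

if __name__ == "__main__":
    snapshot = collect_live() if os.path.isdir("/proc") else SAMPLE_SNAPSHOT
    for rec, why in find_fake_kernel_threads(snapshot):
        print(f"pid {rec.pid} ({rec.comm}) exe={rec.exe}: " + "; ".join(why))
```

Run it as root, otherwise the exe links of other users' processes come back unreadable and only the watchlist name can fire. Daemons that rewrite their own argv (sshd's "sshd: user [priv]" titles, for instance) still have a non-empty cmdline and are not flagged; zombies have no image and an ordinary parent, so they are not flagged either.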
Furthermore, the actor demonstrated advanced web infrastructure manipulation by reconfiguring Nginx instances. By chaining FastCGI wrappers, they established an HTTP-triggered execution bridge, allowing them to execute binaries on back-end hosts that were otherwise shielded from direct external interaction.
Detailed forensic reconstruction by Sygnia’s incident response team suggests that Operation Highland traces its earliest footprints back to 2016. This timeline exposes a multi-stage attack that successfully bypassed traditional network segmentation by embedding itself within the very mechanisms meant to secure the network.

By staging these modified binaries on edge servers, Velvet Ant created a persistent foothold that enabled them to reach internal critical assets without requiring direct external connectivity to those sensitive segments.
The Subversion of the Authentication Stack
Once the perimeter was breached, the adversary moved toward the ultimate prize: the authentication stack. Sygnia identified nine distinct, backdoored variants of pam_unix.so. Notably, these modules were compiled in separate, isolated build environments, suggesting a highly structured, industrial-grade development pipeline.
These malicious PAM modules functioned with surgical precision, performing one of two roles: either accepting hardcoded “backdoor” passwords or silently harvesting legitimate user credentials and storing them in hidden local repositories. Because PAM serves as the foundational layer for almost all Linux login flows, this modification granted Velvet Ant transparent, universal control. This level of access ensured that even if an organization performed a company-wide password rotation, the actor’s access remained intact.
To complement the PAM tampering, the actor deployed a suite of modified OpenSSH binaries, including ssh, sshd, and scp. These were not merely modified for access; they were weaponized for operational security (OpSec) and intelligence gathering. The binaries were capable of:
- Credential Dumping: Silently capturing and storing user credentials.
- Keylogging: Implementing encrypted command logging.
- Evasion: Disabling SELinux when executed with root privileges and utilizing “timestomping” to manipulate file timestamps and frustrate forensic timelines.
- Session Masking: The addition of a bespoke -d flag to newer ssh binaries allowed the actor to suspend session and credential logging for their own activities, effectively making their presence invisible to standard audit logs.

The harvested data was structured with specific flags to aid the actor’s lateral movement:
- Connection Direction: O (Outgoing) / I (Incoming)
- Authentication Type: B (Kerberos), C (PAM), X (SSH2), etc.
- Success Status: Y (Successful) / N (Unsuccessful)
In older variants, the actor utilized a rotating set of encrypted MD5 hashes as backdoor tokens, changing the required “password” daily to thwart signature-based detection. Additionally, the malicious scp binary was engineered to disable SELinux upon execution as root, ensuring that the exfiltration process was not hindered by mandatory access control policies.
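A module that compares the supplied password against a set of MD5 digests has to carry those digests somewhere in the binary, and a stock pam_unix.so contains no 32-character hex literals. The following is an added example, not code from Sygnia or from any PAM project: it pulls printable strings from a binary image, keeps runs that are entirely hex and a multiple of 32 characters long (so packed tables of digests with no separator are split into individual tokens), and reports the file's SHA-256 for comparison against the vendor package. The sample bytes and the digest values in them are constructed.

```python
"""Scan a PAM module (or any ELF image) for embedded MD5-style hex tokens.

Added example (not Sygnia's code). Printable strings are extracted, runs that
are all-hex with a length that is a multiple of 32 are split into individual
32-character tokens, and the image's SHA-256 is reported so it can be checked
against the distribution package. Sample bytes below are constructed.
"""
import hashlib
import re
from typing import Dict, List, Tuple

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
HEX_RUN = re.compile(rb"[0-9a-fA-F]+")
MD5_HEX_LEN = 32


def extract_strings(data: bytes) -> List[Tuple[int, bytes]]:
    """Printable ASCII runs of 8+ bytes with their offsets (like `strings -t d`)."""
    return [(m.start(), m.group()) for m in PRINTABLE_RUN.finditer(data)]


def find_md5_tokens(data: bytes) -> List[Tuple[int, str]]:
    """Offsets and values of 32-hex-char strings, including entries of packed tables."""
    tokens = []
    for offset, run in extract_strings(data):
        if not HEX_RUN.fullmatch(run) or len(run) % MD5_HEX_LEN:
            continue
        for i in range(0, len(run), MD5_HEX_LEN):
            tokens.append((offset + i, run[i:i + MD5_HEX_LEN].decode("ascii").lower()))
    return tokens


def audit_bytes(data: bytes) -> Dict[str, object]:
    """Fingerprint the image and list any embedded MD5-style tokens."""
    tokens = find_md5_tokens(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),   # compare with the vendor package's checksum
        "is_elf": data[:4] == b"\x7fELF",
        "md5_tokens": tokens,
        "verdict": "suspicious" if tokens else "no embedded digests",
    }


def audit_file(path: str) -> Dict[str, object]:
    with open(path, "rb") as fh:
        return audit_bytes(fh.read())


def _fake_token(i: int) -> bytes:
    """Constructed stand-in for a daily backdoor digest; the value itself is irrelevant."""
    return hashlib.sha256(f"constructed-token-{i}".encode()).hexdigest()[:MD5_HEX_LEN].encode()


# Constructed samples: an ELF header, ordinary PAM symbol names, then (in the
# backdoored one) a NUL-terminated token and a packed table of two more.
CLEAN_SAMPLE = b"\x7fELF" + b"\x00" * 12 + b"pam_sm_authenticate\x00libc.so.6\x00Password: \x00"
BACKDOORED_SAMPLE = CLEAN_SAMPLE + _fake_token(0) + b"\x00" + _fake_token(1) + _fake_token(2) + b"\x00"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("backdoored", BACKDOORED_SAMPLE)):
        result = audit_bytes(blob)
        print(label, result["verdict"], [t for _, t in result["md5_tokens"]])
```

Treat a hit as a lead, not a verdict: any binary that embeds a hex test vector trips the same pattern, and a backdoor that stores its digests as raw 16-byte values rather than ASCII is invisible to it. The stronger check is the hash comparison, for which `rpm -V pam` or `dpkg --verify libpam-modules` compares the installed pam_unix.so against the package manifest; bear in mind that both manifests live on the same host as the module and can be edited by an actor with root.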

The Remediation Paradox
The architecture of this compromise creates a “remediation paradox.” In a critical infrastructure environment, replacing core authentication modules like PAM or SSH binaries is inherently high-risk. A mistake during the cleanup process can lead to immediate administrator lockout or catastrophic production outages—especially in air-gapped networks where downloading fresh, verified packages is not a trivial task.
Sygnia’s recommended approach to recovery emphasizes a controlled, laboratory-first methodology. This includes per-host profiling to ensure replacement binaries are compatible, serialized deployment to prevent mass failures, and the maintenance of explicit rollback plans to mitigate the risk of accidental self-denial of service.
Defensive Recommendations
Organizations should treat authentication subsystems as the highest-priority attack surface. To defend against similar long-term campaigns, the following controls are recommended:
- Integrity Monitoring: Implement strict File Integrity Monitoring (FIM) focused specifically on /lib/security/ (PAM) and /usr/bin/ (SSH) artifacts.
- Enhanced Visibility: Deploy EDR and telemetry relays capable of bridging the gap into isolated or air-gapped segments.
- Hardened Access: Enforce MFA via hardened jump hosts, disable direct root SSH access, and utilize credential vaulting.
- Strategic Recovery: Ensure that credential rotation only occurs after the underlying persistence (the backdoored binaries) has been fully purged. Maintain immutable, offline backups and “golden” recovery hosts.
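The integrity-monitoring recommendation above is straightforward to prototype. The following is an added example rather than Sygnia's tooling: each regular file under the watched directories is fingerprinted by SHA-256, size, mode and owner, and a later pass reports anything changed, added or removed. Modification time is deliberately not part of the fingerprint because the modified OpenSSH binaries described above timestomp it. The default directories are the two named in the recommendation; the demo function replays a tamper scenario on constructed files in a temporary directory so it runs offline and unprivileged.

```python
"""Minimal file-integrity baseline for the PAM and SSH artifact directories.

Added example (not Sygnia's tooling). Fingerprint = SHA-256, size, mode and
owner; mtime is left out because it is trivially timestomped. Defaults are the
directories named in the recommendation; the demo works in a temp directory.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

WATCH_DIRS = ("/lib/security", "/usr/bin")
TRACKED = ("sha256", "size", "mode", "uid")


def fingerprint(path: str) -> Dict[str, object]:
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode), "uid": st.st_uid}


def _regular_files(dirs: Iterable[str]) -> Iterable[str]:
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                if not os.path.islink(p) and os.path.isfile(p):
                    yield p


def build_baseline(dirs: Iterable[str] = WATCH_DIRS) -> Dict[str, Dict[str, object]]:
    return {p: fingerprint(p) for p in _regular_files(dirs)}


def verify(baseline: Dict[str, Dict[str, object]], dirs: Iterable[str] = WATCH_DIRS) -> List[Tuple[str, str]]:
    """Compare the current state against a stored baseline; empty list means no drift."""
    current = build_baseline(dirs)
    findings = []
    for path, fp in current.items():
        base = baseline.get(path)
        if base is None:
            findings.append((path, "new file not in baseline"))
            continue
        changed = [k for k in TRACKED if fp[k] != base[k]]
        if changed:
            findings.append((path, "changed: " + ",".join(changed)))
    for path in baseline:
        if path not in current:
            findings.append((path, "missing"))
    return findings


def save_baseline(baseline: Dict[str, Dict[str, object]], out_path: str) -> None:
    with open(out_path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Dict[str, object]]:
    with open(path) as fh:
        return json.load(fh)


def demo_in_tempdir() -> Tuple[List[Tuple[str, str]], Dict[str, str]]:
    """Replay a tamper scenario on constructed files.

    Returns the (expectedly empty) findings before tampering and, after a
    same-size content swap, a new module and a deleted one, the reason per file name.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sec = os.path.join(tmp, "security")
        os.mkdir(sec)
        unix_so, deny_so = os.path.join(sec, "pam_unix.so"), os.path.join(sec, "pam_deny.so")
        with open(unix_so, "wb") as fh:
            fh.write(b"A" * 4096)
        with open(deny_so, "wb") as fh:
            fh.write(b"B" * 512)
        baseline = build_baseline([sec])
        clean = verify(baseline, [sec])
        with open(unix_so, "wb") as fh:
            fh.write(b"A" * 4095 + b"Z")          # same size, different content
        with open(os.path.join(sec, "pam_extra.so"), "wb") as fh:
            fh.write(b"C")
        os.remove(deny_so)
        tampered = {os.path.basename(p): why for p, why in verify(baseline, [sec])}
        return clean, tampered


if __name__ == "__main__":
    print(demo_in_tempdir())
```

Capture the baseline from a known-good build (the "golden" recovery host mentioned above, or a freshly verified package set) and keep it off the monitored host on read-only media; a baseline that lives on the box can be regenerated by whoever holds root there. Same-size swaps are the case to care about, since a drop-in replacement built to mimic the original will not change size or mode, only the hash.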
Operation Highland serves as a sobering reminder of the capabilities of well-resourced actors. For further technical indicators and deep-dive analysis, security teams are encouraged to review Sygnia’s broader research, including their findings on VELVETSHELL backdoors in Cisco Nexus switches and the exploitation of F5 BIG-IP appliances.