China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
Summary
A China-linked hacking group, identified as Velvet Ant by Sygnia, has been operating undetected for nearly a decade by implanting backdoors within the Linux PAM and OpenSSH components. This allowed the attackers to maintain persistent access, evading standard detection and cleanup methods on targeted networks.
IFF Assessment
The discovery of a long-term, stealthy backdoor by a sophisticated threat actor poses a significant risk to defenders and their systems.
Defender Context
Defenders should be aware of sophisticated persistent threats that rely on deep system access, such as backdoors implanted in core authentication components like PAM and OpenSSH. This case highlights the need for robust endpoint detection and response (EDR) that monitors system integrity at a granular level, and for deep forensic analysis capable of uncovering compromises that have stayed hidden for years.
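As an added defensive example (not code from the article or from Sygnia's report), this is the kind of granular integrity check the Defender Context describes, applied to the two components named above: it hashes PAM module and sshd files against a known-good baseline and flags PAM configuration lines that load a module outside an allowlist. The file contents, paths and baseline hashes are constructed for the demo; on a real host the baseline would come from package-manager manifests or a golden image, and the paths would be the distribution's actual PAM module directory and /etc/pam.d.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_tree(root, baseline):
    """Hash every file under root and compare with baseline (relative path -> sha256).
    Returns sorted lists of modified, missing and unexpected files."""
    root, seen, modified, unexpected = Path(root), set(), [], []
    for full in (p for p in root.rglob("*") if p.is_file()):
        rel = full.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in baseline:
            unexpected.append(rel)             # file the baseline never recorded
        elif sha256_file(full) != baseline[rel]:
            modified.append(rel)               # recorded file whose contents changed
    return {"modified": sorted(modified),
            "missing": sorted(p for p in baseline if p not in seen),
            "unexpected": sorted(unexpected)}

# Matches "auth required pam_unix.so", "-session optional pam_x.so" and
# "auth [success=1 default=ignore] pam_y.so"; "@include" lines do not match.
PAM_LINE = re.compile(r"^\s*-?(?:auth|account|password|session)\s+(?:\[[^\]]*\]|\S+)\s+(\S+\.so)")

def unapproved_pam_modules(pam_d, approved):
    """Return (config file, module) for each PAM module loaded outside the allowlist."""
    hits = []
    for cfg in sorted(Path(pam_d).iterdir()):
        for line in cfg.read_text().splitlines():
            m = PAM_LINE.match(line)
            if m and Path(m.group(1)).name not in approved:
                hits.append((cfg.name, m.group(1)))
    return hits

def demo():
    """Constructed scenario: one tampered module, one dropped module and a PAM line loading it."""
    root, pam_d = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    good = {"lib/security/pam_unix.so": b"good pam_unix", "usr/sbin/sshd": b"good sshd"}
    baseline = {p: hashlib.sha256(c).hexdigest() for p, c in good.items()}
    for p, c in good.items():
        (root / p).parent.mkdir(parents=True, exist_ok=True)
        (root / p).write_bytes(c)
    (root / "lib/security/pam_unix.so").write_bytes(b"tampered")   # simulated implant
    (root / "lib/security/pam_extra.so").write_bytes(b"extra")     # simulated dropped module
    (pam_d / "sshd").write_text("@include common-auth\nauth required pam_unix.so\nauth optional pam_extra.so\n")
    return verify_tree(root, baseline), unapproved_pam_modules(pam_d, {"pam_unix.so"})
```

A modified module, an unexpected file in the module directory, or a config line loading an unlisted module are each worth a forensic look; the check is only as good as the baseline, so capture it from a trusted source rather than from the host under suspicion.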