Hackers Hid Inside Linux Login Tools for a Decade

TL;DR: A China-linked hacking group hid for nearly a decade by backdooring core Linux login tools. This gave them persistent access that was extremely difficult to detect and remove, bypassing typical security measures.
Key facts
- Category: Cybersecurity
- Impact: Critical
- Published:
- Source: The Hacker News
Full summary
A China-linked group hid for nearly a decade inside the Linux login system itself, backdooring core components to maintain persistent, stealthy access.
A sophisticated, China-linked hacking group hid on target networks for nearly a decade by modifying fundamental login software on Linux systems. The group, tracked by security firm Sygnia as Velvet Ant, created backdoors directly inside Pluggable Authentication Modules (PAM) and the widely used OpenSSH software. These components are the gatekeepers for Linux, managing who can sign in and how they connect securely. By altering this core code, the attackers built a hidden entry point into the system that was deeply embedded in the trusted authentication process, allowing them to operate undetected.
This method of compromise is exceptionally dangerous because it is both stealthy and persistent. Modifying core system files means the backdoor becomes part of the operating system's normal functions and can survive reboots, file cleanups, and even some system updates. For security teams and system administrators, this type of attack is a nightmare scenario. It evades tools that scan for suspicious files, since the backdoor's activity can be disguised as legitimate login traffic. The attack highlights a critical vulnerability for any organization that relies on Linux infrastructure, forcing a re-evaluation of how to trust core system components.
The discovery of Velvet Ant's tactics serves as a stark reminder of the advanced capabilities employed by nation-state actors. These groups invest significant resources to create intrusions that are nearly impossible to find. For developers, CTOs, and IT teams, the incident underscores the importance of file integrity monitoring and behavioral analysis. It is no longer enough to simply scan for known malware. Organizations must now consider how to verify that the fundamental building blocks of their operating systems have not been tampered with. This attack proves that even the most trusted software can be turned into a hidden weapon.
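One way to put the file-integrity monitoring the summary calls for into practice, as an added example that is not from the article or from Sygnia: hash the PAM modules and the OpenSSH daemon, keep the digests as a baseline, and diff a fresh scan against it. The paths in DEFAULT_WATCH assume a Debian/Ubuntu layout, and the demo run uses constructed files in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed Debian/Ubuntu layout; adjust these globs for your distribution.
DEFAULT_WATCH = [
    "/lib/x86_64-linux-gnu/security/*.so",  # PAM modules such as pam_unix.so
    "/usr/sbin/sshd",
    "/etc/pam.d/*",
]

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(patterns=DEFAULT_WATCH) -> dict:
    """Map each matched file to its SHA-256. Keep the result off-host or on
    read-only media; a root-level intruder can rewrite a local baseline."""
    digests = {}
    for pattern in patterns:
        p = Path(pattern)
        for f in p.parent.glob(p.name):
            if f.is_file():
                digests[str(f)] = sha256_file(f)
    return digests

def compare_baseline(baseline: dict, current: dict) -> dict:
    """Return {path: 'modified' | 'missing' | 'new'} for every deviation."""
    findings = {}
    for path, digest in baseline.items():
        if path not in current:
            findings[path] = "missing"
        elif current[path] != digest:
            findings[path] = "modified"
    findings.update({p: "new" for p in current if p not in baseline})
    return findings

def demo() -> dict:
    """Constructed offline run: tamper pam_unix.so, add a module, leave sshd."""
    sec = Path(tempfile.mkdtemp(), "security")
    sec.mkdir()
    (sec / "pam_unix.so").write_bytes(b"original module")
    (sec / "sshd").write_bytes(b"original daemon")
    patterns = [str(sec / "*.so"), str(sec / "sshd")]
    baseline = build_baseline(patterns)
    (sec / "pam_unix.so").write_bytes(b"modified module")
    (sec / "pam_extra.so").write_bytes(b"unknown module")
    return compare_baseline(baseline, build_baseline(patterns))
```

Package-manager verification (`dpkg --verify`, `rpm -Va`) is a useful complement, but it trusts the on-host package database, which an intruder with root can also rewrite; a baseline kept off the machine avoids that dependency.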
Primary source: The Hacker News