China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
Source: The Hacker News (source reliability C)
Admiralty grading (A–F · 1–6)
Source reliability
- A Completely reliable
- B Usually reliable
- C Fairly reliable
- D Not usually reliable
- E Unreliable
- F Cannot be judged
Information credibility
- 1 Confirmed
- 2 Probably true
- 3 Possibly true
- 4 Doubtful
- 5 Improbable
- 6 Cannot be judged
NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.
Key insight
Chinese APT group Velvet Ant has compromised the Linux authentication components themselves (PAM and OpenSSH) over nearly a decade to achieve deep persistence, a strategy that evades conventional malware detection and makes integrity verification of core OS components a necessity.
Description
Chinese APT group Velvet Ant planted backdoors in PAM and OpenSSH components to maintain undetected access to systems over years. Attackers replaced trusted login modules with compromised versions that enabled access via secret passwords or logged real credentials. Earliest traces date back to 2016. The method used normal administrative activity as cover and required no exploits, allowing the activity to remain hidden. The group pursues a multi-layered persistence strategy: when one access point is discovered, it shifts to less-monitored infrastructure (Cisco NX-OS, F5 BIG-IP) to maintain presence.
Risk score
- strategic relevance: 0.85
- consensus penalty: −5.00
Path: strategic
Consensus check
The pipeline self-checks before delivery. These rules lowered the score:
- VENDOR_MISMATCH: Vendor not found in alert title (−5)
- Consensus penalty: −5.0
- Total penalty: −5.0