Ethical Hacking News

The Insidious Operation Highland: A China-Linked Hacker's Decade-Long Deception of Linux Login Systems




A China-linked hacker group has been hiding in plain sight, backdooring Linux login software to remain hidden for nearly a decade. The operation, dubbed Operation Highland, showcases the cunning and persistence of these hackers, who managed to evade detection by embedding themselves within the trusted login layer of Linux systems.

Discover how this sophisticated attack was possible and what it means for the future of cybersecurity as we delve into the details of Operation Highland.

  • The China-linked hacker group Velvet Ant has been found to have backdoored Linux login software for nearly a decade.
  • The attackers embedded themselves within the trusted login layer of Linux systems, evading detection.
  • The attack began in 2016 and used modified PAM and OpenSSH components to plant their own access points.
  • The attackers did not introduce new malware but instead modified existing login programs themselves.
  • The operation highlights the importance of maintaining the integrity of critical infrastructure systems.
  • The attack showcases the cunning and persistence of the hackers, who used internet-facing systems as a bridge to bypass security measures and reach isolated networks.
  • The operation emphasizes the need for verification over patching when dealing with vulnerabilities.



The recent revelation by cybersecurity firm Sygnia, which tracks the group as Velvet Ant, has exposed a shocking instance of a China-linked hacker group backdooring Linux login software to remain hidden for nearly a decade. The operation, dubbed Operation Highland, showcases the cunning and persistence of these hackers, who managed to evade detection by embedding themselves within the trusted login layer of Linux systems.

The attack began in 2016, when the Velvet Ant group started altering the PAM (Pluggable Authentication Module) and OpenSSH components that govern user access. By replacing these modules with backdoored versions, the attackers were able to plant their own access points, making it challenging for defenders to detect and remove them. The most remarkable aspect of this operation is that the attackers did not introduce new malware but instead modified the existing login programs themselves.

According to Sygnia, there were nine distinct versions of the backdoored PAM and OpenSSH components, each with its own set of modifications. Some modules allowed access with a secret password, while others quietly recorded real usernames and passwords as users logged in. The attackers also employed a hidden switch within the OpenSSH programs to turn off logging when needed, making it even more difficult for defenders to detect their presence.

The use of internet-facing systems as a bridge to reach isolated networks without direct internet access was another clever tactic employed by the Velvet Ant group. By utilizing disguised tools and an internet-facing web server, they were able to bypass security measures and gain access to the targeted network.

The implications of Operation Highland are significant, and they highlight the importance of maintaining the integrity of critical infrastructure systems, including login layers. Traditional containment strategies such as password resets and terminating sessions are ineffective when the very system that checks credentials has been compromised by the attackers.

This operation also underscores the persistence and adaptability of the Velvet Ant group. Each time defenders find a foothold, the group moves to equipment that is monitored less closely and sets up in new locations. This trend is exemplified by a 2024 case in which Sygnia found the same actor turning internet-exposed F5 BIG-IP appliances into internal command servers.

The operation also serves as a warning about the importance of verification over patching when dealing with vulnerabilities. Unlike traditional approaches that rely solely on applying patches, this scenario emphasizes the need for careful cleanup and verification to ensure that any replacements or modifications are secure.
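Two defender-side checks that the "verification over patching" point implies, shown here as an added example that is not from the article or from Sygnia: hashing login components against a trusted baseline (so a swapped-in PAM module or sshd binary shows up as a mismatch), and parsing a PAM stack file to flag any module path that sits outside the directories where distribution modules normally live. The baseline, the temporary files and the sample pam.d contents are all constructed for the demo, and EXPECTED_MODULE_DIRS is an assumption about the host layout.

```python
"""Integrity checks for Linux login components (added example, not the article's code).

1. verify_against_baseline(): hash each authentication-related file and compare
   it with a trusted baseline. The baseline here is constructed in a temp dir;
   on a real host it comes from package-manager metadata or a golden image
   recorded before the system was exposed.
2. unexpected_pam_modules(): parse a pam.d file and report module paths that
   resolve outside the expected module directories.
"""
import hashlib
import os
import re
import tempfile

# Assumption: where distribution-provided PAM modules normally live. Adjust to
# the host's layout (e.g. Debian multiarch vs. RHEL lib64).
EXPECTED_MODULE_DIRS = (
    "/lib/security", "/lib64/security", "/usr/lib/security",
    "/usr/lib64/security", "/lib/x86_64-linux-gnu/security",
)

# PAM line: [-]type control module [args]; control may be a bracketed list.
PAM_LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Constructed sample of an /etc/pam.d/sshd stack with one out-of-place entry.
SAMPLE_SSHD_PAM = """\
# constructed sample, not a real host's file
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       optional     /usr/lib/security/pam_cap.so
account    required     pam_nologin.so
session    required     /tmp/.cache/pam_helper.so
@include common-auth
"""


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_baseline(baseline):
    """baseline: {path: expected_sha256}. Returns {path: 'ok'|'modified'|'missing'}."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif sha256_of(path) != expected:
            findings[path] = "modified"
        else:
            findings[path] = "ok"
    return findings


def unexpected_pam_modules(config_text, expected_dirs=EXPECTED_MODULE_DIRS):
    """Return module paths in a pam.d file that lie outside expected_dirs.

    A bare name such as pam_unix.so is resolved by PAM from its default module
    directory, so only entries that carry an explicit path are examined.
    """
    found = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = PAM_LINE.match(line)
        if not m:
            continue                           # @include lines, garbage, etc.
        module = m.group(3)
        if "/" in module and os.path.dirname(module) not in expected_dirs:
            found.append(module)
    return found


def demo():
    """Build a constructed baseline of three files, then alter one and delete one."""
    d = tempfile.mkdtemp()
    clean = os.path.join(d, "pam_unix.so")
    tampered = os.path.join(d, "sshd")
    gone = os.path.join(d, "pam_env.so")
    for p in (clean, tampered, gone):
        with open(p, "wb") as f:
            f.write(b"original bytes for " + os.path.basename(p).encode())
    baseline = {p: sha256_of(p) for p in (clean, tampered, gone)}
    with open(tampered, "ab") as f:
        f.write(b"\x00 unexpected change")      # simulate a replaced binary
    os.remove(gone)                            # simulate a removed module
    return verify_against_baseline(baseline)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9s} {path}")
    print("unexpected PAM modules:", unexpected_pam_modules(SAMPLE_SSHD_PAM))
```

On a packaged system the baseline step is usually done with the package manager's own verification (rpm -V on RPM-based hosts, debsums on Debian-based ones) rather than a hand-built manifest, but note that both trust metadata stored on the same host; a baseline kept off-box is what makes the comparison meaningful when the login layer itself is suspect.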

In conclusion, Operation Highland highlights the cunning and persistence of China-linked hackers, who managed to evade detection by embedding themselves within Linux login systems. It serves as a reminder of the importance of maintaining the integrity of critical infrastructure systems and the need for defenders to adopt more sophisticated strategies to detect and remove such backdoors.



Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Insidious-Operation-Highland-A-China-Linked-Hackers-Decade-Long-Deception-of-Linux-Login-Systems-ehn.shtml

  • https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html


Published: Fri Jun 12 16:02:27 2026 by llama3.2 3B Q4_K_M