Velvet Ant: A Decade-Long Cyber Espionage Campaign Targeting Critical Infrastructure
A sophisticated cyber espionage campaign linked to the China-nexus threat actor Velvet Ant has been uncovered, revealing nearly a decade of undetected infiltration into highly segregated critical infrastructure networks. The operation, detailed in Sygnia’s Operation Highland investigation, demonstrates a multi-stage attack chain designed to compromise authentication systems, ensuring persistence despite routine security measures.
Attack Overview
Velvet Ant’s primary objective was to control authentication mechanisms across targeted environments, allowing the group to maintain access even after password rotations, session terminations, or containment efforts. The campaign, active as early as 2016, employed deeply engineered backdoors in core system components, including modified OpenSSH binaries and tampered PAM modules, to exfiltrate credentials, log commands, and conceal malicious activity.
Intrusion Phases
The attack unfolded in three distinct stages:
-
Initial Foothold (Internet-Facing Servers)
- Attackers compromised internet-exposed systems using custom implants, including a reverse-shell tool (auditdb, based on GS-Netcat) and SOCKS5 proxies.
- Persistence was achieved via systemd units or modified SysVinit scripts, disguised as legitimate services (e.g., a fake Chrome service).
- Malware was engineered to evade detection in process lists.
-
Lateral Movement (Bridging Isolated Networks)
- Compromised Nginx servers and a FastCGI wrapper were used to execute binaries remotely, enabling access to air-gapped IT-to-OT environments without direct internet connectivity.
- Simple HTTP requests served as an execution pathway into segregated networks.
-
Full Authentication Control (Backdoored System Components)
- OpenSSH binaries (sshd, ssh, scp, ssh-keygen) were replaced with malicious variants, allowing attackers to:
- Accept hardcoded backdoor passwords.
- Log interactive commands and authentication attempts in encrypted files (stored under
/usr/share/man9/ph/with MD5-hashed filenames). - Disable logging via a custom
-dflag and masquerade processes as kernel threads.
- PAM modules (pam_unix.so) were backdoored with nine distinct variants, each compiled in separate environments, some erasing traces of the backdoor in memory.
- Older variants used rotating MD5-based backdoor hashes tied to days of the week, indicating iterative refinement.
- OpenSSH binaries (sshd, ssh, scp, ssh-keygen) were replaced with malicious variants, allowing attackers to:
Impact & Risks
The modifications transformed authentication from a security control into a covert persistence mechanism. Traditional remediation such as rotating credentials or removing services became ineffective, as the compromised code itself validated access. Sygnia warns that incorrectly replacing PAM modules or OpenSSH binaries could lock administrators out of critical systems, risking outages in environments where zero-downtime and offline recovery are essential.
The campaign highlights the sustained investment and operational sophistication of Velvet Ant, with tailored implants across multiple Linux distributions and versions, demonstrating a structured build pipeline and long-term strategic targeting.
Source: https://gbhackers.com/modified-openssh-binaries/
Sygnia cybersecurity rating report: https://www.rankiteo.com/company/sygnia
"id": "SYG1781778300",
"linkid": "sygnia",
"type": "Cyber Attack",
"date": "1/2016",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Critical Infrastructure'}],
'attack_vector': 'Internet-facing servers, custom implants, backdoored system '
'components',
'data_breach': {'data_encryption': 'Yes (MD5-hashed filenames for logs)',
'data_exfiltration': 'Yes (encrypted logs stored in '
'/usr/share/man9/ph/)',
'personally_identifiable_information': 'Potential '
'(credentials, '
'commands)',
'sensitivity_of_data': 'High (authentication data, PII risk)',
'type_of_data_compromised': 'Credentials, authentication '
'logs, interactive commands'},
'date_detected': '2024',
'description': 'A sophisticated cyber espionage campaign linked to the '
'China-nexus threat actor Velvet Ant has been uncovered, '
'revealing nearly a decade of undetected infiltration into '
'highly segregated critical infrastructure networks. The '
'operation demonstrates a multi-stage attack chain designed to '
'compromise authentication systems, ensuring persistence '
'despite routine security measures.',
'impact': {'data_compromised': 'Credentials, interactive commands, '
'authentication attempts',
'identity_theft_risk': 'High (credential exfiltration)',
'operational_impact': 'Risk of system lockouts during remediation, '
'potential outages in zero-downtime '
'environments',
'systems_affected': 'Internet-facing servers, Nginx servers, '
'air-gapped IT-to-OT environments, Linux-based '
'critical infrastructure systems'},
'initial_access_broker': {'backdoors_established': 'Custom implants (auditdb, '
'SOCKS5 proxies), '
'systemd/SysVinit '
'persistence, backdoored '
'OpenSSH/PAM modules',
'entry_point': 'Internet-facing servers',
'high_value_targets': 'Authentication systems, '
'air-gapped IT-to-OT '
'environments'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Traditional remediation (e.g., credential rotation) is '
'ineffective against backdoored system components. '
'Zero-downtime environments require careful handling of '
'authentication systems to avoid lockouts. Long-term '
'persistence mechanisms demonstrate advanced threat actor '
'capabilities.',
'motivation': 'Cyber espionage, long-term persistence, control of '
'authentication mechanisms',
'post_incident_analysis': {'corrective_actions': 'Replace backdoored '
'binaries, enhance '
'monitoring, segment '
'networks, conduct forensic '
'analysis',
'root_causes': 'Compromised internet-facing '
'servers, backdoored system '
'components (OpenSSH, PAM), lack of '
'detection for long-term '
'persistence mechanisms'},
'recommendations': 'Audit OpenSSH and PAM modules for tampering. Replace '
'backdoored components with caution to avoid system '
'lockouts. Implement enhanced monitoring for '
'authentication anomalies. Segment networks to limit '
'lateral movement. Conduct thorough forensic analysis to '
'identify all compromised systems.',
'references': [{'source': 'Sygnia’s Operation Highland investigation'}],
'response': {'remediation_measures': 'Replacement of backdoored OpenSSH '
'binaries and PAM modules (with caution '
'to avoid system lockouts)',
'third_party_assistance': 'Sygnia (Operation Highland '
'investigation)'},
'threat_actor': 'Velvet Ant (China-nexus)',
'title': 'Velvet Ant: A Decade-Long Cyber Espionage Campaign Targeting '
'Critical Infrastructure',
'type': 'Cyber Espionage',
'vulnerability_exploited': 'Modified OpenSSH binaries, tampered PAM modules, '
'custom implants (e.g., auditdb, SOCKS5 proxies)'}