
China-Linked Hackers Infiltrate Linux Login Software with Decade-Long Backdoor


The earliest traces go back to 2016: a China-nexus actor quietly altered the very programs that decide who may sign in to Linux systems, hiding inside the login layer where routine cleanup and password resets would not reach.

Sygnia, Velvet Ant, and Operation Highland

Security firm Sygnia, which tracks the actor as Velvet Ant, describes the campaign as Operation Highland. According to Sygnia, the group repeatedly shifts from visible footholds to parts of the infrastructure that defenders watch less closely: it previously turned internet-exposed F5 BIG-IP appliances into internal command-and-control servers and, in 2024, exploited a command-injection flaw in Cisco NX-OS (CVE-2024-20399) to plant a persistence backdoor on switches. Cisco published its fix for CVE-2024-20399 in July 2024, and CISA added the bug to its Known Exploited Vulnerabilities catalog the next day.

Backdooring PAM and OpenSSH: what the actor changed

Rather than deploying new, easily detected malware, the attacker modified the trusted login components themselves. Sygnia found altered PAM modules (PAM, Pluggable Authentication Modules, is the framework that programs such as sshd and login call to check a password) and altered OpenSSH binaries. On many machines the PAM module that performs the standard password check was replaced with a backdoored copy; researchers identified nine separate versions of that modified module.

The variants behaved differently: some accepted a secret password that granted access regardless of the real one, while others quietly recorded legitimate usernames and passwords as users logged in. The altered OpenSSH binaries were rigged to log credentials and every command typed during a session, with a hidden switch that let the attacker turn the logging off when needed.

How the group reached isolated networks: staging and web-server bridges

Sygnia notes that the targeted network had no direct internet access, so the actor staged through internet-facing systems to reach it. The intrusion used disguised tools and an internet-facing web server as a bridge, passing commands through that server to open remote sessions deep inside the isolated segment. That chain let the attacker reach gear and systems defenders may assume are protected by network isolation.

Containment and cleanup are different when the login layer is hostile

Because the attacker controlled the code that authenticates users, ordinary containment steps are ineffective on their own. Password resets and killed sessions do not help when “the thing that checks those credentials is working for the attacker,” Sygnia warns. Operation Highland is therefore not a simple patch-and-forget problem: the attacker altered trusted programs rather than exploiting a bug in them, so the remedy is verifying what is actually installed, not only patching, and any credential already captured by the backdoor must be assumed stolen. Cleanup must also be handled carefully, because an incorrect replacement of a login binary or PAM module can lock administrators out of a live system.

  • Watch the login files: monitor PAM and OpenSSH binaries and their key files for any change, and alert on modification.
  • Hunt proactively: compare those programs against known-good copies rather than waiting for an alert; check what changed.
  • Remove backdoors before resetting passwords, or the new credentials can be stolen the same way; test any replacement in a lab first to avoid locking out admins.
  • For the earlier appliance and switch cases: patch CVE-2024-20399 on Cisco Nexus gear, and watch F5 boxes for unexpected outbound connections.

What this means for Linux administrators, network operators, and incident responders

  • Linux administrators should add integrity checks for PAM and OpenSSH to regular monitoring and keep known-good copies for binary comparisons.
  • Network operators maintaining F5 and Cisco Nexus equipment should follow the Cisco patch guidance for CVE-2024-20399 and monitor load balancers for unexpected outbound connections.
  • Incident responders must treat the login layer as a potential persistence mechanism: locate and remove backdoors before performing password resets, and validate replacements in an isolated lab to avoid service-loss during recovery.
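The integrity checks recommended in both lists above can be done with an offline hash baseline. The following script is an added example, not Sygnia's tooling or anything from the original article: it records SHA-256 hashes of authentication files on a host known to be clean, re-checks them on a suspect host, and reports anything modified or missing without ever replacing a file, so it cannot cause the lockout the article warns about. The list of files in AUTH_FILES is an assumption about what a typical Linux host would baseline (paths vary by distribution); the package-manager check is a second opinion only, because an attacker with root can edit the rpm or dpkg database as easily as the binaries. The demo function builds throwaway files in a temporary directory so the script runs without touching the real system.

```shell
#!/bin/sh
# Added example: offline integrity baseline for PAM and OpenSSH files.
# Baseline format is what sha256sum writes: "<sha256>  <path>" per line.
# Paths below are an assumption about a typical host, not from the article;
# adjust them for the distribution (e.g. /lib64/security on RPM systems).
AUTH_FILES="/usr/sbin/sshd /usr/bin/ssh /etc/ssh/sshd_config \
/lib/x86_64-linux-gnu/security/pam_unix.so /etc/pam.d/sshd /etc/pam.d/common-auth"

# make_baseline <outfile> <file...>
# Record current hashes. Run this only on a host known to be clean (a fresh
# build or a mounted vendor package), never on the suspect machine, and store
# the result off-host so a root-level intruder cannot rewrite it.
make_baseline() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        [ -e "$f" ] && sha256sum "$f" >> "$out"
    done
}

# check_baseline <baseline>
# Re-hash every listed file. Prints one OK/MODIFIED/MISSING line per file and
# returns 0 only when everything matches. Read-only by design.
# (Paths containing spaces are not supported by this simple reader.)
check_baseline() {
    base=$1
    rc=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"; rc=1
        fi
    done < "$base"
    return $rc
}

# pkg_verify <file>
# Ask the package manager whether the file still matches its package. Useful
# as a cross-check, but weaker than the offline baseline: the package database
# lives on the same disk the attacker controlled.
pkg_verify() {
    f=$1
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$f"
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -V "$(dpkg -S "$f" | cut -d: -f1)"
    else
        echo "no supported package manager found" >&2
        return 2
    fi
}

# demo: constructed scenario in a temporary directory. A "pam_unix.so" stand-in
# is baselined, then overwritten to simulate a backdoored module; the check
# must flag it and return 1.
demo() {
    d=$(mktemp -d)
    printf 'good sshd\n' > "$d/sshd"
    printf 'good pam_unix\n' > "$d/pam_unix.so"
    make_baseline "$d/baseline" "$d/sshd" "$d/pam_unix.so"
    printf 'patched pam_unix\n' > "$d/pam_unix.so"   # simulated tampering
    check_baseline "$d/baseline"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Usage: sh integrity.sh demo      (run the constructed scenario)
#        make_baseline base.txt $AUTH_FILES   on the clean reference host
#        check_baseline base.txt              on the suspect host
case "${1:-}" in
    demo) demo ;;
esac
```

On a real host the baseline should come from a trusted source (the vendor's package contents or a freshly built image) and be compared by a tool running from read-only media, since a compromised sshd or PAM can also lie to an interactive session. Tools such as AIDE automate the same hash-and-compare loop; the point of the script is to make the check explicit and to keep it strictly read-only, so that it can run on a live system before any binary is swapped in a lab-tested replacement.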

The wider lesson Sygnia draws is plain: infrastructure that sits outside normal monitoring still needs integrity checks, and that now includes the login layer. Operation Highland shows a patient approach — compromise a visible target, then move into components defenders assume are trusted — and it leaves a clear, concrete task for defenders: verify what authentication binaries actually are before assuming reset or patch will restore trust.

Original story — The Hacker News