SecurityBrief New Zealand
Sygnia uncovers Velvet Ant breach dating back to 2016

Fri, 19th Jun 2026
Sean Mitchell, Publisher

Sygnia has published new research on the Velvet Ant hacking group, showing evidence of attacker activity inside a compromised internal network as early as 2016.

The analysis describes a long-running intrusion into a major organisation whose affected network segment had no direct internet connectivity. Investigators found that the attackers reached that environment through a staged access chain that began with internet-facing systems and then moved across the wider IT estate.

Sygnia describes Velvet Ant as a China-nexus threat actor it has tracked in several investigations. In this case, the group appears to have embedded itself in the authentication layer of Linux systems, replacing key PAM modules and OpenSSH binaries with altered versions that enabled continued access, credential theft and command logging.

That approach made conventional detection difficult: the modified components were standard administrative tools and core operating-system files, not obviously suspicious programs. The group also managed its own forensic footprint, for example by building a custom flag into the modified SSH binaries so that its own activity was not logged.

Attack path

The intrusion unfolded in three stages. First, the attackers established access on internet-facing systems using a modified version of GS-Netcat, a public networking tool, and a separate Perl-based SOCKS5 proxy that enabled tunnelling and lateral movement.

Those tools were disguised to resemble legitimate system processes and were configured to survive reboots: on some hosts the malware was registered as a systemd service, and on older machines it was added to SysVinit startup scripts.
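A persistence review of the kind this stage calls for, as an added example rather than anything from Sygnia's report: the script walks the systemd unit directories and SysVinit script directories under a host root (a mounted disk image, or "/" on a live host) and flags startup entries whose executable lives in a scratch, home or hidden directory, or which borrows the name of a system daemon while sitting outside the package-managed binary directories. The directory lists, the mimicked-name list and the sample units it builds are assumptions chosen for illustration.

```python
"""Persistence audit for systemd units and SysVinit scripts.

Added example, not Sygnia's tooling. Walks an offline copy of a host root
(or "/" on a live host) and flags startup entries whose executable lives
somewhere a packaged daemon would not. Paths, names and the sample units
built by build_demo_root() are constructed for illustration.
"""
import os
import re
import tempfile

# Where package-managed executables normally live (assumed list).
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                "/bin/", "/sbin/", "/lib/", "/usr/local/bin/", "/usr/local/sbin/")
# Scratch, home and hidden locations an implant is far more likely to use.
SUSPECT_MARKERS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/.")
# Daemon names a disguised implant tends to borrow (assumed list; extend per estate).
MIMIC_NAMES = {"sshd", "cron", "crond", "rsyslogd", "dbus-daemon", "kworker", "uptime"}

UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")
INIT_DIRS = ("etc/init.d", "etc/rc.d/init.d")
EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost)\s*=\s*[-@+!:]*(/\S+)", re.M)
PATH_RE = re.compile(r"(?<![\w.])(/[\w.\-/]+)")


def classify(path):
    """Reason the executable path deserves a look, or None if it looks normal."""
    reasons = []
    if any(m in path for m in SUSPECT_MARKERS):
        reasons.append("executable in a scratch, home or hidden directory")
    elif not path.startswith(TRUSTED_DIRS):
        reasons.append("executable outside package-managed directories")
    if os.path.basename(path) in MIMIC_NAMES and not path.startswith(TRUSTED_DIRS):
        reasons.append("name imitates a system process")
    return "; ".join(reasons) or None


def _read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def audit_persistence(root):
    """Return (startup_file, executable, reason) for every suspicious entry."""
    findings = []
    # systemd: every Exec* target is checked against the location rules.
    for rel in UNIT_DIRS:
        d = os.path.join(root, rel)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            unit = os.path.join(d, name)
            if not (name.endswith(".service") and os.path.isfile(unit)):
                continue
            for path in dict.fromkeys(EXEC_RE.findall(_read(unit))):
                reason = classify(path)
                if reason:
                    findings.append((rel + "/" + name, path, reason))
    # SysVinit: scripts mention many legitimate paths (pid files, helper
    # libraries), so only absolute paths hitting a suspect marker are flagged.
    scripts = [os.path.join(root, "etc/rc.local")]
    for rel in INIT_DIRS:
        d = os.path.join(root, rel)
        if os.path.isdir(d):
            scripts += [os.path.join(d, n) for n in sorted(os.listdir(d))]
    for script in scripts:
        if not os.path.isfile(script):
            continue
        for path in dict.fromkeys(PATH_RE.findall(_read(script))):
            if any(m in path for m in SUSPECT_MARKERS):
                findings.append((os.path.relpath(script, root), path, classify(path)))
    return findings


def build_demo_root():
    """Constructed mini root filesystem: one clean unit, one disguised unit,
    one init script launching a tool from /dev/shm. Not real evidence."""
    root = tempfile.mkdtemp()

    def put(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)

    put("etc/systemd/system/sshd.service",
        "[Service]\nExecStart=/usr/sbin/sshd -D\n")
    put("etc/systemd/system/net-helper.service",
        "[Service]\nExecStart=/var/tmp/.cache/sshd -q\nRestart=always\n")
    put("etc/init.d/gsocket",
        "#!/bin/sh\n. /etc/init.d/functions\n/dev/shm/.x/gs-netcat -l -i -s k &\n")
    return root


if __name__ == "__main__":
    for source, exe, why in audit_persistence(build_demo_root()):
        print(f"{source}: {exe} ({why})")
```

The location heuristic is deliberately blunt: a clean `/usr/sbin/sshd` passes, while a binary called `sshd` under `/var/tmp/.cache` is reported twice over. Run it against an image rather than the live host where possible, since on a compromised machine `ls` and `systemctl` themselves may be among the replaced tools.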

From there, the group appears to have abused Nginx and FastCGI on compromised web servers to create a remote execution path deeper into the environment. A custom binary named uptime, sharing its name with the standard Linux utility, was used to open SSH connections into the critical infrastructure network and run scripts on target devices, letting the attackers pull sensitive data out of a segment that had no direct internet link.

Authentication layer

The central finding concerns changes to PAM and OpenSSH. Investigators found nine distinct malicious variants of pam_unix.so, the module that checks passwords against the local account database, across compromised hosts, each linked to a different build environment, suggesting a deliberate and well-resourced operation.

Some versions accepted a hardcoded backdoor password, while others both bypassed normal authentication and harvested valid usernames and passwords from legitimate users. In some cases, those credentials were written to hidden files on infected systems.

Investigators also found modified OpenSSH components, including ssh, sshd, scp and, in some cases, ssh-keygen. These versions captured login credentials, logged shell commands and, in one case, could disable SELinux when run as root.

Older and newer variants of the altered OpenSSH suite were present. One older variant used rotating MD5 hashes tied to the day of the week as part of its backdoor authentication; credential and command logs written by that version are what allowed investigators to date the activity back to 2016.

The attackers also added their own public keys to authorized_keys files on compromised servers, giving them a way back into the systems even if another persistence method was removed.
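The check that finding implies, as an added example that is not Sygnia's code: enumerate every local account from the passwd file, parse each account's authorized_keys (including option-prefixed lines such as `command="..."`), compute the SHA256 fingerprint the way `ssh-keygen -lf` prints it, and report any key whose fingerprint is not on an approved list, noting keys on uid-0 accounts and keys carrying options. The accounts, paths and key blobs in the demo are constructed; the blobs use real ssh-ed25519 wire framing around dummy key bytes and are not usable keys.

```python
"""authorized_keys audit across every local account.

Added example, not Sygnia's tooling. Reads accounts from a passwd file,
parses each ~/.ssh/authorized_keys (options included) and reports keys whose
SHA256 fingerprint is not approved. Demo accounts, paths and key blobs are
constructed, not real keys.
"""
import base64
import hashlib
import os
import tempfile

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_fingerprint(b64_blob):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(line):
    """Split leading key options from the rest: options end at the first
    space outside double quotes (command="..." may itself contain spaces)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_authorized_keys(text):
    """Return (options, keytype, base64_blob, comment) per key line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if not line.startswith(KEY_TYPE_PREFIXES):
            options, line = split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        entries.append((options, parts[0], parts[1], parts[2] if len(parts) > 2 else ""))
    return entries


def audit_authorized_keys(root, passwd_text, approved_fingerprints):
    """Return (user, file, fingerprint_or_error, note) for each unapproved key.
    `root` is the host root ("/" live, or a mounted image)."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, _, uid, _, _, home, _ = line.split(":")
        for name in ("authorized_keys", "authorized_keys2"):
            path = os.path.join(root, home.lstrip("/"), ".ssh", name)
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                entries = parse_authorized_keys(fh.read())
            for options, keytype, blob, comment in entries:
                try:
                    fp = ssh_fingerprint(blob)
                except ValueError:
                    findings.append((user, path, "unparseable", f"{keytype} {comment}"))
                    continue
                if fp in approved_fingerprints:
                    continue
                note = "unknown key"
                if uid == "0":
                    note += " on a uid-0 account"
                if options:
                    note += " with options " + options
                findings.append((user, path, fp, note))
    return findings


def _fake_key_blob(fill):
    """Constructed ssh-ed25519 blob: real wire framing (length-prefixed type
    string, length-prefixed 32-byte key) around dummy key bytes."""
    def ssh_string(b):
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)).decode()


def build_demo():
    """Constructed host: root carries an approved admin key plus a rogue
    forced-command key; alice carries only the admin key."""
    root = tempfile.mkdtemp()
    admin, rogue = _fake_key_blob(1), _fake_key_blob(2)
    files = {
        "root/.ssh/authorized_keys":
            f"ssh-ed25519 {admin} admin@bastion\n"
            f'command="/bin/sh -c id",no-pty ssh-ed25519 {rogue} backup\n',
        "home/alice/.ssh/authorized_keys": f"ssh-ed25519 {admin} admin@bastion\n",
    }
    for rel, text in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    passwd = ("root:x:0:0:root:/root:/bin/bash\n"
              "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n")
    return root, passwd, {ssh_fingerprint(admin)}, rogue


if __name__ == "__main__":
    root, passwd, approved, _ = build_demo()
    for user, path, fp, note in audit_authorized_keys(root, passwd, approved):
        print(f"{user}: {fp} in {path}: {note}")
```

Two caveats when running this for real: read `AuthorizedKeysFile` from the effective sshd_config rather than assuming `.ssh/authorized_keys`, because a modified sshd or a drop-in file can point it elsewhere, and treat the approved-fingerprint list as an out-of-band artifact, since a list kept on the host is as editable as the keys themselves.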

Cleanup risks

Remediation was unusually risky because the attackers had compromised the same login components administrators relied on to manage production systems. Replacing malicious services is often straightforward, but replacing PAM modules and OpenSSH binaries on critical Linux hosts carries the risk of locking defenders out or causing operational outages.

The environment made that challenge harder. Most systems in the affected segment had no internet access, which meant defenders could not pull clean packages directly from trusted repositories or resolve dependencies live.

The server estate also spanned multiple Linux distributions and versions, so replacement components had to be matched to each host. Sygnia built a lab to test the recovery process in advance, profiled each machine before remediation and validated SSH and authentication health immediately after replacement.

Chen Tiktin, Incident Response Team Leader at Sygnia, wrote: "When Sygnia's IR team began reconstructing the intrusion that would become known as Operation Highland, the earliest forensic artifacts dated back to 2016. What they uncovered was not a recent breach but a near-decade of undetected presence inside an internal network - a network the attacker had no direct path into, and reached anyway."

The case highlights the limits of signature-based detection and alert-driven security operations when attackers alter trusted system components rather than deploying obviously malicious files. Sygnia recommended closer monitoring of PAM modules, OpenSSH binaries, SSH configuration, the authorized_keys files of privileged accounts and other authentication-related components on critical systems.
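One way to put that recommendation into practice, as an added example and not Sygnia's tooling: hash the PAM modules, OpenSSH binaries, SSH and PAM configuration and privileged authorized_keys files under a host root, store the result as a baseline taken from a known-good build of the same distribution and version, and diff later snapshots against it. The watched paths are the common Debian and RHEL locations (an assumption; adjust per estate), and the demo filesystem and its placeholder "binaries" are constructed.

```python
"""Integrity baseline for Linux authentication components.

Added example, not Sygnia's tooling. Hashes PAM modules, OpenSSH binaries,
SSH/PAM configuration and privileged authorized_keys under a host root and
diffs the result against a baseline from a known-good build. Paths are the
common Debian and RHEL locations (assumed); the demo filesystem and its
"binaries" are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile

WATCHED_FILES = (
    "usr/sbin/sshd", "usr/bin/ssh", "usr/bin/scp", "usr/bin/ssh-keygen",
    "etc/ssh/sshd_config", "etc/ssh/ssh_config", "root/.ssh/authorized_keys",
    "lib/x86_64-linux-gnu/security/pam_unix.so", "usr/lib64/security/pam_unix.so",
)
WATCHED_DIRS = (
    "etc/pam.d", "etc/ssh/sshd_config.d", "etc/ssh/ssh_config.d",
    "lib/security", "lib64/security", "usr/lib64/security",
    "lib/x86_64-linux-gnu/security",
)


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each watched file (as an absolute host path) to hash, size, mode
    and symlink flag. mtime is deliberately not recorded: it is trivial to forge."""
    candidates = list(WATCHED_FILES)
    for d in WATCHED_DIRS:
        full = os.path.join(root, d)
        if os.path.isdir(full):
            candidates += [os.path.join(d, n) for n in sorted(os.listdir(full))]
    snap = {}
    for rel in dict.fromkeys(candidates):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            continue
        st = os.stat(full)
        snap["/" + rel] = {"sha256": _sha256(full), "size": st.st_size,
                           "mode": oct(st.st_mode & 0o7777),
                           "symlink": os.path.islink(full)}
    return snap


def compare(baseline, current):
    """Added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def save_baseline(snap, path):
    """Write the baseline as JSON; keep the real copy off the monitored host."""
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed host: baseline taken while clean, then pam_unix.so is
    swapped and a hidden sshd drop-in appears. File contents are placeholders."""
    root = tempfile.mkdtemp()

    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    put("usr/sbin/sshd", b"\x7fELF placeholder: clean sshd")
    put("usr/lib64/security/pam_unix.so", b"\x7fELF placeholder: clean pam_unix")
    put("etc/pam.d/sshd", b"auth required pam_unix.so\n")
    baseline_file = os.path.join(root, "baseline.json")
    save_baseline(snapshot(root), baseline_file)  # recorded while still clean

    put("usr/lib64/security/pam_unix.so", b"\x7fELF placeholder: trojaned pam_unix")
    put("etc/ssh/sshd_config.d/.zz.conf", b"PermitRootLogin yes\n")
    return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Hashes are only as good as the baseline: take it from the lab build that matches each host's distribution and version, not from the host under suspicion, and keep it off-box. As a second opinion, `rpm -V openssh-server pam` on RHEL-family systems and `dpkg -V openssh-server libpam-modules` or `debsums -c` on Debian-family systems compare installed files with package metadata, with the caveat that on a host compromised this long the local package database is itself untrusted.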

Tiktin wrote: "The keylog artifact dating back over five years illustrates the scale of what's possible when a threat actor of this sophistication operates undetected - and why continuous, hypothesis-driven inspection of authentication infrastructure is non-negotiable in high-sensitivity environments."