Introduction

Liminal Panda is a China-linked advanced persistent threat (APT) group identified by CrowdStrike. Since at least 2020 [1] [4] [6] [7] [9] [10], it has primarily targeted telecommunications providers in Southeast Asia and Africa [2] [6]. This group is suspected to be connected to Chinese cyber operations and the strategic objectives of China’s Belt and Road Initiative (BRI) [7], focusing on intelligence collection rather than financial gain [1] [6] [9].

Description

Liminal Panda exhibits significant expertise in telecommunications [8], aiming to collect sensitive network telemetry, participant data [7], call metadata [1] [3] [7] [8] [9] [10], and SMS messages [1] [2] [7] [9] [10]. Their operations are driven by objectives related to signals intelligence (SIGINT) collection, demonstrating a profound understanding of telecommunications networks and protocols [10].

The group actively engages in network-based attacks to gather sensitive data, employing customized tools that abuse the interoperability built into the telecommunications industry [3] to move from one provider's network into another [3]. Tools such as SIGTRANslator and PingPong [8] [10], alongside extensive knowledge of mobile networks and GSM protocols [7], are utilized in their operations. Their tactics include using compromised telecom servers as a foothold to infiltrate additional providers in other geographic regions, exploiting inter-provider trust relationships and gaps in security policy. Liminal Panda has been observed emulating GSM protocols to facilitate command and control (C2) communications and data exfiltration.

In addition to their bespoke malware tools, Liminal Panda has exploited external DNS (eDNS) servers through password spraying techniques [10], leveraging weak passwords and third-party credentials [10]. They also utilize TinyShell, an open-source Unix backdoor [10], and publicly available tools such as an SGSN emulator for C2 communications.

CrowdStrike has attributed multiple intrusions in the telecommunications sector to Liminal Panda [1] [9], which is responsible for telecom intrusions previously linked to the LightBasin activity cluster. Evidence gathered includes the use of Pinyin strings for encryption keys and passwords associated with Liminal Panda’s remote proxy services [6], suggesting a connection to Chinese-speaking actors [1]. The group’s operational motivations align with signals intelligence (SIGINT) collection [1] [9], focusing primarily on telecommunications providers and monitoring officials and individuals traveling in targeted regions.

To defend against Liminal Panda’s intrusion activities, organizations are advised to deploy advanced endpoint protection solutions [9], implement complex password strategies for SSH authentication [9], minimize publicly accessible services [1] [9], enforce internal network access control policies [1] [9], log and monitor SSH connections for anomalous activity [1], and verify iptables rules [9].

Definitive attribution to a specific state-backed entity nonetheless remains inconclusive, because there is insufficient direct evidence connecting Liminal Panda to known government-affiliated organizations [6]. Recent disclosures indicate that US telecom providers [10], including AT&T [10], Verizon [10], T-Mobile [10], and Lumen Technologies [10], are also targets of another China-linked hacking group known as Salt Typhoon [10], highlighting the vulnerability of critical infrastructure providers to state-sponsored attacks and the complexity of attribution within the Chinese offensive cyber ecosystem.
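Two of the recommendations above, monitoring SSH connections for anomalous activity and hardening SSH authentication against the password spraying the group is reported to use against eDNS servers, can be turned into concrete detection logic. The following is an added example written for this summary; it is not code from CrowdStrike or from any of the cited reports. It parses standard sshd syslog lines (the sample lines, the host name "edns01" and the IP addresses are constructed placeholders) and flags two patterns: one source failing against several distinct accounts in a short window, and a password login from a source that had just produced a burst of failures.

```python
"""Detect SSH password spraying and suspicious logins in sshd log lines.

Added defensive example, not from the original article or any vendor tool.
The sample log lines, host name and IP addresses below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (placeholder host "edns01").
SAMPLE_LOG = """\
Nov 19 02:14:01 edns01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Nov 19 02:14:03 edns01 sshd[4103]: Failed password for invalid user oracle from 203.0.113.7 port 51830 ssh2
Nov 19 02:14:05 edns01 sshd[4105]: Failed password for root from 203.0.113.7 port 51841 ssh2
Nov 19 02:14:08 edns01 sshd[4107]: Failed password for invalid user dnsadmin from 203.0.113.7 port 51852 ssh2
Nov 19 02:14:11 edns01 sshd[4109]: Failed password for backup from 203.0.113.7 port 51860 ssh2
Nov 19 02:14:15 edns01 sshd[4111]: Accepted password for backup from 203.0.113.7 port 51871 ssh2
Nov 19 08:30:22 edns01 sshd[5200]: Accepted publickey for ops from 192.0.2.10 port 40012 ssh2
Nov 19 08:31:02 edns01 sshd[5202]: Failed password for ops from 192.0.2.10 port 40020 ssh2
Nov 19 08:31:09 edns01 sshd[5204]: Accepted password for ops from 192.0.2.10 port 40025 ssh2
"""

# Matches the "Accepted ..." / "Failed ..." authentication lines sshd writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(text):
    """Parse sshd auth lines into dicts sorted by time; non-auth lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only relative ordering matters here
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "ok": m.group("result") == "Accepted",
            "method": m.group("method"),
            "user": m.group("user"),
            "src": m.group("src"),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_spray(events, min_users=3, window_s=300):
    """Flag sources that fail against >= min_users distinct accounts within window_s."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["src"]].append(e)
    hits = []
    for src, evs in failures.items():
        best, start = None, 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside window_s
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users and (best is None or len(users) > len(best["users"])):
                best = {"src": src, "users": sorted(users), "attempts": end - start + 1}
        if best:
            hits.append(best)
    return hits


def detect_success_after_failures(events, min_failures=3, window_s=600):
    """Flag password logins preceded by >= min_failures failures from the same source."""
    hits = []
    for i, e in enumerate(events):
        if not e["ok"] or e["method"] != "password":
            continue
        prior = [p for p in events[:i]
                 if p["src"] == e["src"] and not p["ok"]
                 and (e["ts"] - p["ts"]).total_seconds() <= window_s]
        if len(prior) >= min_failures:
            hits.append({"src": e["src"], "user": e["user"], "prior_failures": len(prior)})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for h in detect_spray(evs):
        print(f"SPRAY  {h['src']} tried {h['attempts']} logins across {h['users']}")
    for h in detect_success_after_failures(evs):
        print(f"ALERT  {h['src']} logged in as {h['user']} after {h['prior_failures']} failures")
```

On the constructed sample the first detector reports 203.0.113.7 cycling through five accounts in ten seconds, and the second reports the password login as "backup" that follows that burst; the key-based operator login from 192.0.2.10 with a single typo-style failure is left alone. Feeding the same functions your real auth log and tuning `min_users` and the windows to the host's normal traffic gives a low-noise check that complements the password policy and iptables review the report recommends.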

Conclusion

Liminal Panda’s activities underscore the persistent threat posed by state-linked cyber espionage groups to global telecommunications infrastructure. The group’s focus on signals intelligence collection highlights the strategic importance of telecommunications data in geopolitical contexts. Organizations must adopt robust cybersecurity measures to mitigate these threats, including advanced endpoint protection [1] [9], stringent access controls [1] [5] [9], and continuous monitoring. The challenges of attribution in the cyber domain emphasize the need for international cooperation and intelligence sharing to effectively counter state-sponsored cyber threats.

References

[1] https://cxotoday.com/press-release/unveiling-liminal-panda-a-closer-look-at-chinas-cyber-threats-to-the-telecom-sector/
[2] https://www.darkreading.com/threat-intelligence/china-liminal-panda-telcos-phone-data
[3] https://www.metacurity.com/digital-advertising-data-firms-track-movements-of-military-and-intel-workers-overseas/
[4] https://thecyberwire.com/newsletters/daily-briefing/13/220
[5] https://thecyberwire.com/podcasts/daily-podcast/2194/transcript
[6] https://www.infosecurity-magazine.com/news/chinese-apt-targets-telecoms-bri/
[7] https://www.csoonline.com/article/3609560/chinas-cyber-pandas-greifen-telekom-unternehmen-an.html
[8] https://jamesazar.substack.com/p/apple-fixes-two-macos-intel-zerodays
[9] https://kbi.media/press-release/unveiling-liminal-panda-a-closer-look-at-chinas-cyber-threats-to-the-telecom-sector/
[10] https://buaq.net/go-273875.html