A new China-linked cyber espionage group has been attributed as behind a series of targeted cyber attacks targeting telecommunications entities in South Asia and Africa since at least 2020 with the goal of enabling intelligence collection.
Cybersecurity company CrowdStrike is tracking the adversary under the name Liminal Panda, describing it as possessing deep knowledge about telecommunications networks, the protocols that undergird telecommunications, and the various interconnections between providers.
The threat actor’s malware portfolio includes bespoke tools that facilitate clandestine access, command-and-control (C2), and data exfiltration.
“Liminal Panda has used compromised telecom servers to initiate intrusions into further providers in other geographic regions,” the company’s Counter Adversary Operations team said in a Tuesday analysis.
“The adversary conducts elements of their intrusion activity using protocols that support mobile telecommunications, such as emulating global system for mobile communications (GSM) protocols to enable C2, and developing tooling to retrieve mobile subscriber information, call metadata, and text messages (SMS).”
It’s worth noting that some aspects of the intrusion activity were documented by the cybersecurity company back in October 2021, attributing it then to a different threat cluster dubbed LightBasin (aka UNC1945), which also has a track record of targeting telecom entities since at least 2016.
CrowdStrike noted that its extensive review of the campaign revealed the presence of an entirely new threat actor, and that the misattribution three years ago was the result of multiple hacking crews conducting their malicious activities on what it said was a “highly contested compromised network.”
Some of the custom tools in its arsenal are SIGTRANslator, CordScan, and PingPong, which come with the following capabilities –
- SIGTRANslator, a Linux ELF binary designed to send and receive data using SIGTRAN protocols
- CordScan, a network-scanning and packet-capture utility containing built-in logic to fingerprint and retrieve data relating to common telecommunication protocols from infrastructure such as the Serving GPRS Support Node (SGSN)
- PingPong, a backdoor that listens for incoming magic ICMP echo requests and sets up a TCP reverse shell connection to an IP address and port specified within the packet
Liminal Panda attacks have been observed infiltrating external DNS (eDNS) servers using password spraying extremely weak and third-party-focused passwords, with the hacking crew using TinyShell in conjunction with a publicly available SGSN emulator called sgsnemu for C2 communications.
“TinyShell is an open-source Unix backdoor used by multiple adversaries,” CrowdStrike said. “SGSNs are essentially GPRS network access points, and the emulation software allows the adversary to tunnel traffic via this telecommunications network.”
The end goal of these attacks is to collect network telemetry and subscriber information or to breach other telecommunications entities by taking advantage of the industry’s interoperation connection requirements.
“Liminal Panda’s known intrusion activity has typically abused trust relationships between telecommunications providers and gaps in security policies, allowing the adversary to access core infrastructure from external hosts,” the company said.
The disclosure comes as U.S. telecom providers like AT&T, Verizon, T-Mobile, and Lumen Technologies have become the target of another China-nexus hacking group dubbed Salt Typhoon. If anything, these incidents serve to highlight how telecommunications and other critical infrastructure providers are vulnerable to compromise by state-sponsored attackers.
French cybersecurity company Sekoia has characterized the Chinese offensive cyber ecosystem as a joint enterprise that includes government-backed units such as the Ministry of State Security (MSS) and the Ministry of Public Security (MPS), civilian actors, and private entities to whom the work of vulnerability research and toolset development is outsourced.
“China-nexus APTs are likely to be a mix of private and state actors cooperating to conduct operations, rather than strictly being associated with single units,” it said, pointing out the challenges in attribution.
“It ranges from the conduct of operations, the sale of stolen information or initial access to compromised devices to providing services and tools to launch attacks. The relationships between these military, institutional and civilian players are complementary and strengthened by the proximity of the individuals part of these different players and the CCP’s policy.”
