Full Report
A new China-linked cyber espionage group has been attributed as behind a series of targeted cyber attacks targeting telecommunications entities in South Asia and Africa since at least 2020 with the goal of enabling intelligence collection. Cybersecurity company CrowdStrike is tracking the adversary under the name Liminal Panda, describing it as possessing deep knowledge about telecommunications
Analysis Summary
# Threat Actor: Liminal Panda
## Attribution & Identity
- **Attribution:** China-linked cyber espionage group.
- **Tracking Name:** Liminal Panda (by CrowdStrike).
- **Associated Groups/Previous Misattribution:** Some intrusion activity was previously documented and attributed to LightBasin (aka UNC1945) in October 2021, but CrowdStrike's review identified Liminal Panda as a distinct, new actor possibly operating on the same contested network.
- **Contextual Grouping:** Part of the broader Chinese offensive cyber ecosystem involving state actors (MSS, MPS) and civilian/private entities ("Chinese-nexus APTs").
## Activity Summary
- Targeting telecommunications entities in South Asia and Africa since at least 2020.
- Goal is intelligence collection, specifically enabling espionage by gathering network telemetry and subscriber information.
- Uses compromised telecom servers to pivot and conduct intrusions into additional providers in other geographic regions, leveraging trust relationships between providers.
- Shifts in Chinese cyber operations indicate a maturation toward bulk data collection and targeting MSPs, ISPs, and supply chains (a "hack once, steal many" approach).
## Tactics, Techniques & Procedures
- **Network Knowledge:** Demonstrates deep knowledge of telecommunications networks and protocols (e.g., GSM protocols).
- **Initial Access:** Observed infiltrating external DNS (eDNS) servers using password spraying with extremely weak and third-party-focused passwords.
- **C2/Protocol Abuse:** Emulates Global System for Mobile Communications (GSM) protocols for Command-and-Control (C2).
- **Lateral Movement/Pivoting:** Uses compromised telecom servers to move laterally across regions and providers.
- **Data Retrieval:** Develops tooling specifically to retrieve mobile subscriber information, call metadata, and text messages (SMS).
- **Tool Usage:**
  - **SIGTRANslator:** A Linux ELF binary designed to send and receive data using SIGTRAN protocols.
  - **CordScan:** A network-scanning and packet-capture utility to fingerprint and retrieve data related to telecom protocols from infrastructure like the Serving GPRS Support Node (SGSN).
  - **PingPong:** A backdoor that sets up a TCP reverse shell upon receiving a specific magic ICMP echo request packet.
  - **TinyShell:** An open-source Unix backdoor, used in conjunction with network emulation.
  - **SGSN Emulation:** Uses publicly available software like `sgsnemu` with TinyShell to tunnel C2 traffic through the telecommunications network.
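The PingPong backdoor described above has a behavioural signature that does not depend on knowing the magic packet contents (which the report does not give): an inbound ICMP echo request to a host is followed shortly by that host opening a TCP connection back to the sender. The following detection logic, an added example and not CrowdStrike's or the actor's code, correlates those two events over constructed flow records; the event schema, the sample records, the `10.` internal prefix and the 60-second window are all assumptions.

```python
"""Behavioural detection for the PingPong pattern: an inbound ICMP echo
request to an internal host followed, within a short window, by that host
opening a TCP connection back to the pinger (the reverse shell).

Added example, not CrowdStrike's or the actor's code. The Event schema,
the sample records and the 10.0.0.0/8 'internal' prefix are constructed,
and the 60-second correlation window is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: float            # seconds since epoch
    proto: str           # "icmp" or "tcp"
    src: str
    dst: str
    dport: int = 0       # TCP destination port (TCP events only)
    icmp_type: int = -1  # 8 = echo request (ICMP events only)


WINDOW_SECONDS = 60.0  # assumption: how long after a ping a callback still counts


def is_internal(ip: str, prefix: str = "10.") -> bool:
    """Constructed notion of 'inside': anything in 10.0.0.0/8."""
    return ip.startswith(prefix)


def find_ping_triggered_connections(events: List[Event], window: float = WINDOW_SECONDS,
                                    require_same_peer: bool = True) -> List[dict]:
    """Return one alert per (echo request, callback) pair.

    With require_same_peer the callback must go to the host that sent the
    echo request. Set it to False for the looser rule 'pinged host opens any
    new outbound TCP connection', which also catches a shell that calls back
    to a second host at the cost of more false positives.
    """
    recent_pings: Dict[str, List[Event]] = {}  # keyed by the pinged internal host
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if (e.proto == "icmp" and e.icmp_type == 8
                and is_internal(e.dst) and not is_internal(e.src)):
            recent_pings.setdefault(e.dst, []).append(e)
        elif e.proto == "tcp" and is_internal(e.src) and not is_internal(e.dst):
            for ping in recent_pings.get(e.src, []):
                age = e.ts - ping.ts
                if 0 <= age <= window and (not require_same_peer or ping.src == e.dst):
                    alerts.append({"host": e.src, "pinger": ping.src,
                                   "callback_dst": e.dst, "callback_port": e.dport,
                                   "delay_s": age})
    return alerts


# Constructed sample: one ping-then-callback pair, one ping followed by
# unrelated outbound traffic, and one callback far outside the window.
SAMPLE_EVENTS = [
    Event(1000.0, "icmp", "203.0.113.7", "10.0.5.21", icmp_type=8),
    Event(1003.5, "tcp", "10.0.5.21", "203.0.113.7", dport=4444),   # reverse shell
    Event(2000.0, "icmp", "203.0.113.9", "10.0.5.22", icmp_type=8),
    Event(2005.0, "tcp", "10.0.5.22", "198.51.100.3", dport=443),   # ordinary HTTPS
    Event(3000.0, "icmp", "203.0.113.11", "10.0.5.23", icmp_type=8),
    Event(3700.0, "tcp", "10.0.5.23", "203.0.113.11", dport=22),    # 700 s later
]

if __name__ == "__main__":
    for alert in find_ping_triggered_connections(SAMPLE_EVENTS):
        print(alert)
```

Hosts that legitimately answer pings and also make outbound connections (monitoring probes, update checks) will trip the loose variant, so in practice the rule is scoped to hosts that should never initiate outbound TCP at all, such as core signalling nodes.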
## Targeting
- **Sectors:** Primarily telecommunications entities.
- **Geography:** Observed targeting telcos in South Asia and Africa, but infrastructure compromise allows for lateral movement across *other geographic regions*.
- **Victims:** Telecommunications providers (specific entities not named, implied to be global infrastructure providers).
## Tools & Infrastructure
- **Malware Families/Tools:** SIGTRANslator, CordScan, PingPong, TinyShell.
- **Infrastructure/Methodology:** Compromised telecom servers used for pivoting; C2 often tunnels via emulated GSM/SGSN protocols.
## Implications
- Liminal Panda represents a highly specialized, sophisticated Chinese-nexus actor focused on gaining deep access into the global telecommunications backbone for long-term intelligence collection.
- Their methodology exposes the inherent weakness of inter-provider trust relationships and shows how protocol-level knowledge can be turned against the networks themselves, making this a major risk to critical infrastructure worldwide.
- The operations align with the broader strategic goals of the Chinese government, leveraging privatized vulnerability research.
## Mitigations
- Strictly enforce robust credential management, especially against default, weak, or reused passwords used for external-facing services like eDNS servers (mitigating password spraying attacks).
- Review and secure trust relationships and interconnection protocols between telecommunications providers to prevent abuse for lateral movement.
- Monitor for anomalous C2 traffic that mimics or abuses core mobile telecommunications protocols (GSM/SIGTRAN).
- Implement strong network segmentation to isolate core infrastructure components (like SGSN) from external-facing systems to limit the impact of initial compromises.
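Password spraying against external-facing servers is both the initial-access technique attributed to Liminal Panda above and the first mitigation in this list. Beyond enforcing credential policy, the pattern is detectable in authentication logs: one source, many distinct usernames, very few guesses per name. The detector below is an added example, not CrowdStrike's or the actor's tooling; the log lines are constructed in an OpenSSH-like syslog shape with ISO timestamps, and the hostname `edns01`, the addresses and the thresholds are assumptions.

```python
"""Password-spray detection over an external-facing server's auth log.

Added example, not from the report. The log lines are constructed in an
OpenSSH-like syslog shape with ISO-8601 timestamps; hostname, IPs and
thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3}) port \d+"
)


def parse_auth_log(lines):
    """Yield (timestamp, result, user, source_ip) for each line the regex matches."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["result"], m["user"], m["src"]


def detect_password_spray(lines, window_minutes=10, min_users=5, max_attempts_per_user=2):
    """Flag a source that fails logins for at least min_users distinct names
    inside window_minutes with at most max_attempts_per_user tries per name.

    Many accounts with few guesses each is what separates spraying from a
    brute-force attack on a single account. Severity is raised to 'high'
    when the same source later authenticates successfully.
    """
    failed = defaultdict(list)
    accepted = defaultdict(list)
    for ts, result, user, src in parse_auth_log(lines):
        (failed if result == "Failed" else accepted)[src].append((ts, user))

    alerts = []
    for src, attempts in failed.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            in_window = [u for t, u in attempts[i:]
                         if (t - start).total_seconds() <= window_minutes * 60]
            users = set(in_window)
            if (len(users) >= min_users
                    and max(in_window.count(u) for u in users) <= max_attempts_per_user):
                later_success = any(t >= start for t, _ in accepted.get(src, []))
                alerts.append({"src": src, "distinct_users": len(users),
                               "first_seen": start.isoformat(),
                               "severity": "high" if later_success else "medium"})
                break  # one alert per source is enough
    return alerts


# Constructed sample log: a spray from 198.51.100.20 that eventually lands,
# a single-account brute force from 203.0.113.50, and a benign user.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z edns01 sshd[2101]: Failed password for admin from 198.51.100.20 port 51000 ssh2",
    "2024-03-01T10:00:31Z edns01 sshd[2102]: Failed password for invalid user dnsadmin from 198.51.100.20 port 51001 ssh2",
    "2024-03-01T10:01:02Z edns01 sshd[2103]: Failed password for root from 198.51.100.20 port 51002 ssh2",
    "2024-03-01T10:01:33Z edns01 sshd[2104]: Failed password for invalid user operator from 198.51.100.20 port 51003 ssh2",
    "2024-03-01T10:02:04Z edns01 sshd[2105]: Failed password for support from 198.51.100.20 port 51004 ssh2",
    "2024-03-01T10:02:35Z edns01 sshd[2106]: Failed password for invalid user backup from 198.51.100.20 port 51005 ssh2",
    "2024-03-01T10:05:10Z edns01 sshd[2107]: Accepted password for support from 198.51.100.20 port 51006 ssh2",
] + [
    f"2024-03-01T10:10:{i:02d}Z edns01 sshd[{2108 + i}]: Failed password for root from 203.0.113.50 port {40000 + i} ssh2"
    for i in range(8)
] + [
    "2024-03-01T10:20:00Z edns01 sshd[2120]: Failed password for alice from 10.0.1.5 port 33000 ssh2",
    "2024-03-01T10:20:05Z edns01 sshd[2121]: Accepted password for alice from 10.0.1.5 port 33001 ssh2",
]

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG):
        print(alert)
```

The brute-force source is deliberately not flagged here; it belongs to a separate per-account lockout rule. A spray that rotates source addresses defeats the per-source grouping, so a second pass keyed on the (rare) password-failure burst across the whole server in the same window is the usual complement.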