Full Report
Between late June 2023 and early August 2023, CrowdStrike detected suspicious activity at a South Asian telecommunications provider linked to the China-based threat group Horde Panda. The adversary used multiple compromised identities to try to embed themselves deeper into the...
Analysis Summary
# Threat Actor: Horde Panda
## Attribution & Identity
* **Actor Name:** Horde Panda
* **Origin:** China-based
* **Aliases/Associations:** Known as a China-nexus threat actor (similar activities often associated with groups like APT41 or Mustang Panda, though "Horde Panda" is the specific CrowdStrike designation).
* **Motivation:** Primarily cyber espionage and data theft.
## Activity Summary
Between late June 2023 and early August 2023, Horde Panda engaged in a sustained campaign targeting a telecommunications provider in South Asia. The operation was characterized by the use of compromised legitimate identities to facilitate lateral movement and persistence. The adversary focused on embedding itself within the target's internal infrastructure, most likely to monitor communications or exfiltrate sensitive subscriber data.
## Tactics, Techniques & Procedures
* **Valid Accounts:** Use of multiple compromised identities to bypass initial security perimeters and move laterally.
* **Persistence:** Embedding deep within the network to maintain long-term access.
* **Living off the Land (LotL):** Use of native system tools to avoid detection by traditional antivirus solutions.
* **Credential Access:** Likely harvesting further credentials once internal access was established.
*(Note: Specific MITRE ATT&CK IDs were not provided in the snippet, but the following are applicable based on the description)*
* **T1078 (Valid Accounts)**
* **T1021 (Remote Services)**
## Targeting
* **Sectors:** Telecommunications.
* **Geography:** South Asia.
* **Victims:** A specific unidentified South Asian telecommunications provider.
## Tools & Infrastructure
* **Malware:** The group is known for utilizing custom backdoors and public tools tailored for the telecommunications stack.
* **Infrastructure:**
  * **C2:** Historically utilizes hijacked domestic infrastructure or popular cloud services to blend in with legitimate traffic.
  * **Defanged Examples:** No specific IPs or URLs are provided in the text snippet; indicators published for Panda-nexus infrastructure are typically written in defanged form (e.g. `hxxps[:]//` or `127[.]0[.]0[.]1` style notation).
## Implications
The targeting of telecommunications providers by a China-nexus actor suggests a strategic objective of intelligence collection. By compromising a "telco," the actor gains the potential to intercept SMS, call metadata, and data sessions, providing a platform for downstream surveillance of government officials, dissidents, or commercial competitors.
## Mitigations
* **Identity Security:** Implement Multi-Factor Authentication (MFA) across all remote access points so that a compromised password alone is not sufficient for access.
* **Privileged Access Management (PAM):** Restrict and monitor the use of administrative accounts, particularly those used for lateral movement.
* **Network Segmentation:** Isolate critical telecommunications infrastructure (such as the core network and billing systems) from general corporate IT environments.
* **Behavioral Monitoring:** Deploy Endpoint Detection and Response (EDR) to identify anomalous "Living off the Land" activity performed by legitimate user accounts.
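As an added illustration of the Behavioral Monitoring mitigation against the valid-account lateral movement described above (example code, not from the CrowdStrike report): two simple detections over remote-logon records, one flagging a source host that authenticates with many distinct accounts within a short window, the other flagging an account that fans out to many destination hosts. The log format, host names and account names are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample remote-logon records (not from the report):
# timestamp, account, source host, destination host.
SAMPLE_LOG = """\
2023-07-02T01:12:04 svc_backup  WS-104  BILLING-DB01
2023-07-02T01:13:31 j.rahman    WS-104  HLR-MGMT02
2023-07-02T01:14:10 a.perera    WS-104  BSS-APP03
2023-07-02T01:15:55 netops_adm  WS-104  CORE-GW01
2023-07-02T09:00:12 j.rahman    WS-221  FILESRV01
2023-07-02T09:30:44 a.perera    WS-305  FILESRV01
2023-07-03T02:05:00 netops_adm  JUMP01  CORE-GW01
2023-07-03T02:06:17 netops_adm  JUMP01  CORE-GW02
2023-07-03T02:07:41 netops_adm  JUMP01  BILLING-DB01
2023-07-03T02:09:02 netops_adm  JUMP01  HLR-MGMT02
"""

def parse_log(text):
    """Parse the constructed format into time-sorted (time, account, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return sorted(events)

def _windowed_distinct(items, window, threshold):
    """items: time-sorted (time, value) pairs. Return the sorted distinct values the
    first time at least `threshold` of them fall inside one sliding window, else None."""
    for i, (start, _) in enumerate(items):
        seen = {v for t, v in items[i:] if t - start <= window}
        if len(seen) >= threshold:
            return sorted(seen)
    return None

def sources_using_many_identities(events, window=timedelta(minutes=10), threshold=3):
    """Source hosts from which >= threshold distinct accounts log on remotely within `window`
    (one workstation cycling through several compromised identities)."""
    by_src = defaultdict(list)
    for ts, user, src, _ in events:
        by_src[src].append((ts, user))
    return {s: hit for s, items in by_src.items() if (hit := _windowed_distinct(items, window, threshold))}

def accounts_with_wide_fanout(events, window=timedelta(minutes=10), threshold=3):
    """Accounts that reach >= threshold distinct destination hosts within `window`
    (a single valid account sweeping across infrastructure)."""
    by_user = defaultdict(list)
    for ts, user, _, dst in events:
        by_user[user].append((ts, dst))
    return {u: hit for u, items in by_user.items() if (hit := _windowed_distinct(items, window, threshold))}
```

Thresholds and window are starting points; tune them against a baseline of normal admin and service-account behaviour so that jump hosts and scheduled jobs do not dominate the alerts.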