A new China-linked cyberespionage group has been blamed for a series of targeted cyberattacks on telecommunications organizations in South Asia and Africa since at least 2020, with the goal of enabling intelligence gathering.
Cybersecurity company CrowdStrike tracks the adversary under the name Liminal Panda, describing it as having in-depth knowledge of telecommunications networks, the protocols that support telecommunications, and the various interconnections between providers.
The threat actor’s malware portfolio includes specialized tools that facilitate covert access, command and control (C2), and data exfiltration.
“Liminal Panda used compromised telecommunications servers to initiate intrusions into other ISPs in other geographic regions,” the company’s counter-adversary team said in an analysis published Tuesday.
“The adversary carries out elements of its intrusion activity using mobile-enabled protocols, such as emulating Global System for Mobile Communications (GSM) protocols to enable C2, and developing tools to extract mobile subscriber information, call metadata, and text messages (SMS).”
It should be noted that some aspects of this intrusion activity were documented by the cybersecurity company back in October 2021, when it attributed them to another threat cluster called LightBasin (aka UNC1945), which also has a track record of targeting telecom organizations since at least 2016.
CrowdStrike noted that its review of the activity revealed the presence of an entirely new threat actor, and that the misattribution three years ago was the result of multiple hacker groups conducting malicious activity on what it called a “highly contested compromised network.”
Some of the custom tools in its arsenal are SIGTRANslator, CordScan and PingPong, which have the following capabilities:
- SIGTRANslator, a Linux ELF binary, is designed to send and receive data using SIGTRAN protocols
- CordScan, a network scanning and packet capture utility that contains embedded logic for fingerprinting and extracting data related to common telecommunications protocols from infrastructure such as the Serving GPRS Support Node (SGSN)
- PingPong, a backdoor that listens for incoming ICMP magic echo requests and establishes a TCP reverse connection to the IP address and port specified in the packet
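The PingPong description above gives defenders a concrete network shape to look for: an inbound ICMP echo request to a host, followed within seconds by that host opening an outbound TCP connection to an external address. The following is an added detection example, not CrowdStrike's code and not the backdoor itself; it runs over constructed flow records in a simplified NetFlow-like tuple format, and the monitored internal range (10.20.0.0/16) and the 10-second correlation window are assumptions.

```python
"""Correlate an inbound ICMP echo request with a subsequent outbound TCP
connection from the pinged host: the network-level shape of a PingPong-style
backdoor. Added defender-side example; not CrowdStrike's code and not the
backdoor itself. The flow records are constructed sample data.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumption: 10.20.0.0/16 is the monitored internal range.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample flow records: (timestamp, src, dst, proto, dst_port, note).
SAMPLE_FLOWS = [
    ("2024-11-19T10:00:00", "203.0.113.7", "10.20.0.5", "icmp", 0, "echo-request"),
    ("2024-11-19T10:00:03", "10.20.0.5", "203.0.113.9", "tcp", 4444, "syn"),  # callback to a third host
    ("2024-11-19T10:05:00", "10.20.0.8", "10.20.0.5", "icmp", 0, "echo-request"),  # internal monitoring ping
    ("2024-11-19T10:06:00", "10.20.0.5", "10.20.0.30", "tcp", 443, "syn"),  # internal, and outside the window
    ("2024-11-19T11:00:00", "203.0.113.7", "10.20.0.6", "icmp", 0, "echo-request"),  # ping with no callback
    ("2024-11-19T11:00:02", "10.20.0.6", "10.20.0.30", "tcp", 443, "syn"),  # follow-up, but to an internal host
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside the monitored internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_ping_then_callback(flows, window_seconds: int = 10):
    """Return one alert per (ping, callback) pair: an external host pings an
    internal host, and that host then dials out over TCP to an external
    address within window_seconds. The callback target need not be the pinger,
    since the backdoor takes the address from the packet."""
    parsed = sorted(
        ((datetime.fromisoformat(ts), src, dst, proto, port, note)
         for ts, src, dst, proto, port, note in flows),
        key=lambda f: f[0],
    )
    window = timedelta(seconds=window_seconds)
    alerts = []
    for i, (t_ping, src, dst, proto, _port, note) in enumerate(parsed):
        # Trigger: external -> internal ICMP echo request.
        if proto != "icmp" or note != "echo-request" or is_internal(src) or not is_internal(dst):
            continue
        for t_cb, cb_src, cb_dst, cb_proto, cb_port, _ in parsed[i + 1:]:
            if t_cb - t_ping > window:
                break  # flows are time-sorted, nothing later can match
            # Response: the pinged host opens an outbound TCP connection to an external address.
            if cb_proto == "tcp" and cb_src == dst and not is_internal(cb_dst):
                alerts.append({
                    "host": dst,
                    "pinger": src,
                    "callback": cb_dst,
                    "callback_port": cb_port,
                    "delay_seconds": (t_cb - t_ping).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_ping_then_callback(SAMPLE_FLOWS):
        print(alert)
```

On a real sensor this rule is noisy wherever internal hosts legitimately get pinged from outside and also browse out, so it is best scoped to servers that should never initiate outbound TCP at all (core telecom nodes, eDNS servers), where any ping-then-dial-out pairing is worth a look.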
Liminal Panda attacks have been observed to infiltrate external DNS (eDNS) servers through password-spraying attacks using extremely weak and third-party-focused passwords, with the hacking group using TinyShell in conjunction with a publicly available SGSN emulator for C2 communications.
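Password spraying against an internet-facing eDNS server leaves a distinctive trace in authentication logs: one source failing against many different accounts, rather than many failures against one account. The following is an added detection example, not CrowdStrike's code; it parses constructed sshd-style log lines, and the year (syslog timestamps carry none), the 10-minute window and the five-account threshold are assumptions.

```python
"""Flag password spraying in sshd-style auth logs: one source trying a few
passwords against many different accounts, as opposed to a brute force that
hammers one account. Added defender-side example; not CrowdStrike's code.
The log lines are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2024  # assumption: syslog lines carry no year field

# Constructed sample log: one spraying source and one classic brute-force source.
SAMPLE_LOG = """\
Nov 19 10:00:01 edns01 sshd[1201]: Failed password for admin from 198.51.100.23 port 51000 ssh2
Nov 19 10:00:14 edns01 sshd[1203]: Failed password for root from 198.51.100.23 port 51002 ssh2
Nov 19 10:00:29 edns01 sshd[1205]: Failed password for invalid user ops from 198.51.100.23 port 51004 ssh2
Nov 19 10:00:43 edns01 sshd[1207]: Failed password for invalid user backup from 198.51.100.23 port 51006 ssh2
Nov 19 10:00:58 edns01 sshd[1209]: Failed password for dnsadmin from 198.51.100.23 port 51008 ssh2
Nov 19 10:01:12 edns01 sshd[1211]: Failed password for invalid user svc from 198.51.100.23 port 51010 ssh2
Nov 19 10:02:00 edns01 sshd[1213]: Failed password for root from 192.0.2.10 port 40000 ssh2
Nov 19 10:02:01 edns01 sshd[1213]: Failed password for root from 192.0.2.10 port 40000 ssh2
Nov 19 10:02:02 edns01 sshd[1213]: Failed password for root from 192.0.2.10 port 40000 ssh2
Nov 19 10:02:03 edns01 sshd[1213]: Failed password for root from 192.0.2.10 port 40000 ssh2
Nov 19 10:02:04 edns01 sshd[1213]: Failed password for root from 192.0.2.10 port 40000 ssh2
Nov 19 10:02:05 edns01 sshd[1213]: Failed password for root from 192.0.2.10 port 40000 ssh2
Nov 19 10:03:00 edns01 sshd[1220]: Accepted publickey for deploy from 10.20.0.9 port 53000 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text):
    """Return a list of (timestamp, source_ip, username) for each failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_password_spray(text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: distinct_accounts} for every source that failed
    against at least min_users distinct accounts inside some window-length
    span. A brute force against a single account never reaches the threshold."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        best = 0
        # Slide the window start over each failure and count distinct accounts inside it.
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_LOG))
```

Counting distinct accounts per source is what separates a spray from a brute force, and it also catches the low-and-slow variant (one attempt per account every few seconds) that per-account lockout thresholds never trip; pair the detection with lockout on the source rather than the account so the spray cannot be used to lock out legitimate users.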
“TinyShell is an open source Unix backdoor used by multiple adversaries,” CrowdStrike said. “SGSNs are essentially access points to the GPRS network, and emulation software allows an adversary to tunnel traffic through this telecommunications network.”
The ultimate goal of these attacks is to collect network telemetry and subscriber information, or to breach other telecommunications entities by taking advantage of the industry’s interconnection requirements between providers.
“Known LIMINAL PANDA intrusions typically exploit trust relationships between telecommunications providers and gaps in security policies, allowing an adversary to gain access to core infrastructure from external nodes,” the company said.
The disclosure comes as US telecommunications providers such as AT&T, Verizon, T-Mobile and Lumen Technologies have been targeted by another China-nexus hacking group called Salt Typhoon. If anything, these incidents show how vulnerable telecommunications and other critical infrastructure providers are to state-sponsored attackers.
French cybersecurity firm Sekoia has described China’s offensive cyber ecosystem as a collaborative enterprise involving government-backed units such as the Ministry of State Security (MSS) and the Ministry of Public Security (MPS), as well as civilian actors and private organizations to which vulnerability research and tool development are outsourced.
“China-linked APTs are likely to be a mix of private and public actors cooperating to conduct operations, rather than strictly linked to a single unit,” it said, pointing to problems in attribution.
“This ranges from conducting operations, selling stolen information or initial access to compromised devices to providing services and tools to carry out attacks. The relationship between these military, institutional, and civilian players complements each other and is strengthened by the closeness of individual parts of these different players and CCP policies.”