LIMINAL PANDA – A Chinese State-Sponsored Espionage Group Targeting Telecoms
CrowdStrike has revealed a new China-nexus state-sponsored adversary tracked as LIMINAL PANDA, which has been systematically targeting telecommunications providers since at least 2020. This revelation comes ahead of Adam Meyers, CrowdStrike Senior Vice President of Counter Adversary Operations, testifying before the U.S. Senate Judiciary Subcommittee on Privacy, Technology, and the Law about Chinese cyber threats to critical infrastructure.
LIMINAL PANDA stands out for its deep understanding of telecommunications networks and its use of custom tools designed for covert access, command and control (C2), and data exfiltration. “The adversary demonstrates extensive knowledge of telecom networks, including understanding interconnections between providers,” the report states. “LIMINAL PANDA has used compromised telecom servers to initiate intrusions into further providers in other geographic regions.”
This group employs tactics specifically tailored to exploit the unique characteristics of telecom infrastructure. They’ve been observed emulating GSM protocols to establish C2 channels and have developed tools to siphon off sensitive data, including mobile subscriber information, call metadata, and text messages.
CrowdStrike assesses with high confidence that LIMINAL PANDA is engaged in targeted intrusion activity to support intelligence collection. This assessment is based on “the adversary’s identified target profile, likely mission objectives and observed tactics, techniques and procedures (TTPs) — all of which suggest long-term clandestine access requirements.”
LIMINAL PANDA uses a mix of custom malware, publicly available tools, and proxy software to obfuscate its operations and maintain persistence within target networks. The custom malware attributed to LIMINAL PANDA includes:
- PingPong: A custom backdoor.
- SLAPSTICK: A custom proxy tool.
- CordScan: A custom tool used for network reconnaissance.
- SIGTRANslator: A custom tool used to manipulate signaling protocols within telecom networks.
While attribution is complex, CrowdStrike assesses with low confidence that LIMINAL PANDA’s activities align with China-nexus cyber operations. This assessment is based on several factors, including:
- Targeting organizations operating in countries associated with China’s Belt and Road Initiative (BRI).
- The use of Pinyin strings within malware and infrastructure.
- Overlap with tools and infrastructure used by other known Chinese adversaries.
The revelation of LIMINAL PANDA’s activities underscores the growing threat to telecommunications infrastructure from sophisticated state-sponsored actors. As our reliance on telecom networks increases, so too does the potential impact of these attacks.
CrowdStrike urges telecommunications providers and other organizations to remain vigilant and take proactive steps to defend against this evolving threat. This includes implementing robust security controls, monitoring network activity for suspicious behavior, and staying informed about the latest TTPs employed by adversaries like LIMINAL PANDA.