Figure: High-level chain of events in the attack investigated by Unit 42
In a revealing report by Palo Alto Networks’ Unit 42, a high-level cyberespionage campaign targeting critical telecommunications infrastructure in Southwest Asia has been exposed. Tracked as CL-STA-0969, the activity cluster demonstrates a level of stealth, sophistication, and adaptability—echoing the hallmarks of a nation-state adversary.
“With high confidence, we assess this activity is associated with a nation-state nexus… this cluster heavily overlaps with activity attributed to Liminal Panda,” Unit 42 confirmed.
The campaign, active between February and November 2024, has left cybersecurity experts rattled by the breadth of its infiltration. While no direct data exfiltration was observed, the attackers deployed covert tooling and maintained remote control capabilities, leaving backdoors for future operations.
Among the threat actor’s tactics:
- Brute-force attacks on telecom equipment-specific accounts
- DNS and SSH tunneling
- Log tampering and timestomping
- Masquerading malicious processes as kernel threads
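The kernel-thread disguise in the last bullet leaves traces that can be checked on a host. The script below is an added detection example written for this page, not tooling from the Unit 42 report: it walks /proc on Linux and tests the properties a real kernel thread has and a renamed userland binary cannot fake (empty cmdline, parent kthreadd, no exe link). The `ProcRecord` fields and function names are this example's own; the `[kpqd]` and `httpd -D` names in the comments come from the report's description, not from a live sample.

```python
"""Flag userland processes disguised as kernel threads (added example).

On Linux, `ps` prints a genuine kernel thread in brackets ("[kworker/0:1]")
because the task has an EMPTY /proc/<pid>/cmdline; it is also parented by
kthreadd (PID 2) and /proc/<pid>/exe does not resolve. A userland binary that
merely sets argv[0] to "[kpqd]" copies the look but not those properties.
"""
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

KTHREADD_PID = 2


@dataclass
class ProcRecord:                 # field names are this example's own
    pid: int
    ppid: int
    comm: str                     # /proc/<pid>/comm
    cmdline: str                  # /proc/<pid>/cmdline, NULs turned into spaces
    exe: Optional[str]            # readlink(/proc/<pid>/exe), None if it fails
    state: str = "S"              # first letter of "State:" in /proc/<pid>/status


def looks_bracketed(name: str) -> bool:
    name = name.strip()
    return len(name) > 2 and name[0] == "[" and name[-1] == "]"


def suspicion_reasons(rec: ProcRecord) -> List[str]:
    """Return why a record looks like a masquerade; an empty list means clean."""
    reasons: List[str] = []
    if rec.pid == KTHREADD_PID or rec.state == "Z":
        return reasons            # kthreadd itself, and zombies (empty cmdline, no exe)
    if looks_bracketed(rec.cmdline):
        reasons.append("bracketed name comes from argv, not from an empty cmdline")
    if rec.cmdline == "" or looks_bracketed(rec.cmdline):
        # Claims to be a kernel thread: check the properties it cannot fake.
        if rec.exe is not None:
            reasons.append(f"backed by an on-disk executable: {rec.exe}")
        if rec.ppid != KTHREADD_PID:
            reasons.append(f"parent is pid {rec.ppid}, not kthreadd")
    else:
        # Weak signal for names like "httpd -D": argv[0] does not match the binary.
        parts = rec.cmdline.split()
        if parts and rec.exe is not None:
            argv0 = os.path.basename(parts[0])
            exe_base = os.path.basename(rec.exe.replace(" (deleted)", ""))
            if argv0 != exe_base:
                reasons.append(f"argv[0] {argv0!r} differs from executable {exe_base!r} "
                               "(rule out a legitimate symlink before acting)")
    return reasons


def read_proc(pid: int) -> Optional[ProcRecord]:
    """Build a ProcRecord from /proc; None if the process vanished or is unreadable."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/status") as fh:
            fields = dict(line.rstrip("\n").split(":\t", 1) for line in fh if ":\t" in line)
        with open(f"{base}/cmdline", "rb") as fh:
            cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        try:
            exe: Optional[str] = os.readlink(f"{base}/exe")
        except OSError:           # kernel thread (ENOENT) or another user's process (EACCES)
            exe = None
        return ProcRecord(pid, int(fields["PPid"]), fields["Name"], cmdline, exe, fields["State"][0])
    except (OSError, KeyError, ValueError, IndexError):
        return None


def scan_live() -> List[Tuple[int, str, List[str]]]:
    """Walk /proc and return (pid, comm, reasons) for every suspicious process."""
    hits = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            rec = read_proc(int(name))
            if rec is not None:
                why = suspicion_reasons(rec)
                if why:
                    hits.append((rec.pid, rec.comm, why))
    return hits


if __name__ == "__main__":
    for pid, comm, why in scan_live():
        print(f"{pid:>7} {comm:<16} " + "; ".join(why))
```

Run it as root so that `/proc/<pid>/exe` resolves for every process; unprivileged, other users' processes yield `exe = None` and the exe-based checks are silently skipped. The argv[0]/exe mismatch is deliberately reported as a weak signal, since interpreters and symlinked binaries trip it legitimately.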
Their operational security (OPSEC) was near-flawless. Logs were sanitized using legitimate tools like utmpdump and sed, and executables were masked with convincing names such as [kpqd] or httpd -D to blend into the system.
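Because wtmp is an append-only binary log, rewriting it through utmpdump and sed usually leaves inconsistencies a defender can test for: timestamps that run backwards, logout records whose login was removed, and sshd "Accepted" lines with no matching wtmp entry. The following is an added example, not code from the report. It parses wtmp using the 384-byte glibc x86-64 `struct utmp` layout (an assumption; other ABIs differ), cross-checks it against sshd log lines, and runs on constructed sample data embedded in the block.

```python
"""Audit a wtmp file for signs of login-record tampering (added example).

wtmp is append-only, so its timestamps should never run backwards, every
DEAD_PROCESS (logout) record should follow a USER_PROCESS (login) record on
the same tty, and every login sshd accepted should have a matching wtmp
record. Editing the file via `utmpdump | sed | utmpdump -r` tends to break
one of these invariants.
"""
import re
import struct
from typing import List, NamedTuple

# glibc `struct utmp` on x86-64: 384 bytes (assumption; adjust for other ABIs)
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS, DEAD_PROCESS = 7, 8
AUTH_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port \d+")


class Entry(NamedTuple):
    type: int
    pid: int
    line: str     # tty, e.g. pts/0
    user: str
    host: str     # remote address for ssh logins (a hostname if sshd resolves names)
    sec: int      # ut_tv.tv_sec


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data: bytes) -> List[Entry]:
    if len(data) % UTMP_SIZE:
        raise ValueError("size is not a multiple of 384: truncated file or different ABI")
    entries = []
    for off in range(0, len(data), UTMP_SIZE):
        typ, pid, line, _id, user, host, _t, _s, _sess, sec, _usec, *_addr = \
            struct.unpack_from(UTMP_FMT, data, off)
        entries.append(Entry(typ, pid, _cstr(line), _cstr(user), _cstr(host), sec))
    return entries


def pack_entry(e: Entry) -> bytes:
    """Inverse of parse_wtmp; used here only to build the constructed sample."""
    return struct.pack(UTMP_FMT, e.type, e.pid, e.line.encode(), b"", e.user.encode(),
                       e.host.encode(), 0, 0, 0, e.sec, 0, 0, 0, 0, 0)


def audit(entries: List[Entry], auth_lines: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means the sources agree."""
    findings = []
    latest = -1
    open_ttys = set()
    for e in entries:
        if e.sec < latest:
            findings.append(f"pid {e.pid} on {e.line}: timestamp {e.sec} is earlier than "
                            f"{latest} (timestomping or re-written file)")
        latest = max(latest, e.sec)
        if e.type == USER_PROCESS:
            open_ttys.add(e.line)
        elif e.type == DEAD_PROCESS:
            if e.line not in open_ttys:
                findings.append(f"pid {e.pid} on {e.line}: logout without a preceding "
                                "login record (login deleted?)")
            open_ttys.discard(e.line)
    seen = {(e.user, e.host) for e in entries if e.type == USER_PROCESS}
    for ln in auth_lines:
        m = AUTH_RE.search(ln)
        if m and (m.group(1), m.group(2)) not in seen:
            findings.append(f"sshd accepted {m.group(1)} from {m.group(2)} but wtmp has no matching login")
    return findings


# Constructed sample: a clean session, then an orphaned logout, then a login
# whose timestamp runs backwards. Addresses are RFC 5737 documentation ranges.
SAMPLE_ENTRIES = [
    Entry(USER_PROCESS, 4100, "pts/0", "ops", "192.0.2.10", 1700000000),
    Entry(DEAD_PROCESS, 4100, "pts/0", "", "", 1700003600),
    Entry(DEAD_PROCESS, 4200, "pts/1", "", "", 1700007200),
    Entry(USER_PROCESS, 4300, "pts/2", "root", "192.0.2.11", 1700005000),
]
SAMPLE_WTMP = b"".join(pack_entry(e) for e in SAMPLE_ENTRIES)
SAMPLE_AUTH_LOG = [  # constructed sshd lines in auth.log style
    "Nov 14 22:13:20 sgsn01 sshd[4100]: Accepted password for ops from 192.0.2.10 port 50122 ssh2",
    "Nov 14 23:45:01 sgsn01 sshd[4250]: Accepted publickey for root from 198.51.100.23 port 4422 ssh2",
]


def audit_file(wtmp_path: str = "/var/log/wtmp", auth_path: str = "/var/log/auth.log") -> List[str]:
    with open(wtmp_path, "rb") as fh, open(auth_path, errors="replace") as ah:
        return audit(parse_wtmp(fh.read()), ah.readlines())


if __name__ == "__main__":
    for finding in audit(parse_wtmp(SAMPLE_WTMP), SAMPLE_AUTH_LOG):
        print(finding)
```

On the sample data the audit reports the orphaned logout on pts/1, the backwards timestamp of pid 4300, and the root login from 198.51.100.23 that sshd accepted but wtmp never recorded. In practice the sshd lines should come from a source the host cannot rewrite, such as a remote syslog collector, since the same actor that edits wtmp can edit the local auth log.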
The report lays out a toolkit unlike anything seen in typical cybercrime, specifically engineered for the telecom environment:
- AuthDoor: A PAM backdoor with hard-coded passwords, allowing persistent access even after password changes.
- GTPDoor: A stealthy implant communicating over the GPRS Tunneling Protocol control plane (GTP-C) on UDP port 2123—bypassing traditional security measures.
- ChronosRAT: A modular backdoor with AES-encrypted communication and features like shell access, keylogging, and proxying.
- NoDepDNS: A Golang-based DNS tunneling backdoor using XOR-encrypted IP addresses to transmit commands.
“Their use of custom tools… suggests a deep understanding of the targeted infrastructure and an intent to evade standard security controls,” the report emphasized.
Another weapon, Cordscan, was designed to extract International Mobile Subscriber Identity (IMSI) data from Serving GPRS Support Nodes (SGSNs)—suggesting the campaign’s primary objective could be tracking mobile users’ locations.
The campaign relied heavily on privilege escalation exploits targeting outdated Linux kernels commonly found in telecom infrastructure:
- CVE-2016-5195 (Dirty COW): Used to escalate privileges through a race condition.
- CVE-2021-4034 (PwnKit) and CVE-2021-3156 (Sudo Heap Overflow): Allowed attackers to gain root access on unpatched systems.
“These systems often run older operating systems… the threat actor exploited [them] to easily escalate to root privileges,” the researchers warned.
The threat actors also demonstrated advanced network manipulation capabilities, including:
- SGSN Emulator: Establishing tunnels over the GRX network using the GTP protocol.
- Microsocks & FRP: Pivoting and proxying traffic through internal telecom nodes.
- Responder & ProxyChains: Capturing credentials through WPAD spoofing and relaying traffic via obfuscated proxies.
Unit 42 concludes that CL-STA-0969 is one of the most technically advanced telecom intrusions observed to date. The group’s persistent, modular strategy—spanning custom malware, legitimate tools, and deep protocol knowledge—underscores a new era of targeted espionage.
“CL-STA-0969 demonstrates a deep understanding of telecommunications protocols and infrastructure… Organizations relying on legacy hosts… increase vulnerability to such attacks,” the report concluded.