A newly identified Chinese cyber espionage group, dubbed Liminal Panda by CrowdStrike, has been conducting targeted intrusions against telecommunications providers in South Asia and Africa since at least 2020.
Key Points:
– The group shows extensive knowledge of telecommunications networks, including the protocols used for interconnection between providers
– They rely on custom tooling built for telecom core environments, including:
* SIGTRANslator: A Linux tool for sending and receiving data over SIGTRAN (SS7-over-IP) protocols
* CordScan: A network scanner with fingerprinting for telecom-specific infrastructure (such as SGSNs) and retrieval of telecom data
* PingPong: A backdoor that stays dormant until it receives an ICMP echo request carrying a specific trigger payload, then opens a reverse TCP shell to the operator
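The PingPong description above implies a detection opportunity: an implant triggered by ICMP echo requests has to receive a ping whose payload is not the stock pattern a normal ping tool emits. The following is an added example, not CrowdStrike's code or the PingPong sample itself. It parses raw IPv4/ICMP packets, ignores everything except echo requests, and flags payloads that match neither the Linux iputils pattern (8-byte timestamp followed by incrementing bytes from 0x10) nor the Windows "abcdefghijklmnopqrstuvwabcdefghi" run. The packets, addresses and the "trigger" payload are constructed for the example; the heuristics are assumptions about common ping tools, not a signature for the real implant.

```python
"""Flag ICMP echo requests whose payload does not look like a stock ping.

Added example (not CrowdStrike's or Liminal Panda's code). All packets below
are constructed; the IP/ICMP checksums are left at zero and are not validated.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ICMP_ECHO_REQUEST = 8
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # default mswin ping body


@dataclass
class EchoRequest:
    src: str
    ident: int
    seq: int
    payload: bytes


def parse_ipv4_echo_request(frame: bytes) -> Optional[EchoRequest]:
    """Return the echo request carried by an IPv4 packet, or None for anything else."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[9] != 1 or len(frame) < ihl + 8:   # protocol 1 == ICMP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    icmp = frame[ihl:]
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_ECHO_REQUEST:
        return None
    return EchoRequest(src, ident, seq, icmp[8:])


def looks_like_stock_ping(payload: bytes) -> bool:
    """Heuristic (assumption) for payloads produced by ordinary ping tools."""
    if not payload:                                   # e.g. ping -s 0, nmap -PE
        return True
    if payload.startswith(WINDOWS_PING_PAYLOAD):
        return True
    if len(payload) >= 16:                            # iputils: timeval + 0x10,0x11,...
        body = payload[8:]
        if all(body[i] == (0x10 + i) & 0xFF for i in range(len(body))):
            return True
    return False


def flag_suspicious_echo_requests(frames: List[bytes]) -> List[EchoRequest]:
    """Echo requests whose payload departs from every known stock-ping pattern."""
    hits = []
    for frame in frames:
        req = parse_ipv4_echo_request(frame)
        if req is not None and not looks_like_stock_ping(req.payload):
            hits.append(req)
    return hits


def build_ipv4_icmp(src: str, icmp_type: int, payload: bytes, ident: int = 0x1234,
                    seq: int = 1, proto: int = 1) -> bytes:
    """Construct a minimal IPv4+ICMP packet for the sample set (checksums zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes([10, 0, 0, 1]))
    return ip + icmp


# Constructed sample traffic (documentation-range addresses).
SAMPLE_FRAMES = [
    build_ipv4_icmp("192.0.2.5", 8, b"\x00" * 8 + bytes(range(0x10, 0x38))),  # Linux ping
    build_ipv4_icmp("192.0.2.6", 8, WINDOWS_PING_PAYLOAD),                      # Windows ping
    build_ipv4_icmp("192.0.2.7", 0, WINDOWS_PING_PAYLOAD),                      # echo reply, ignored
    build_ipv4_icmp("192.0.2.8", 8, b"", proto=6),                              # TCP, ignored
    build_ipv4_icmp("198.51.100.23", 8, b"\x00" * 8 + b"wake:203.0.113.7:4444"),  # constructed trigger
]

if __name__ == "__main__":
    for hit in flag_suspicious_echo_requests(SAMPLE_FRAMES):
        print(f"suspicious echo request from {hit.src} id={hit.ident} seq={hit.seq}: {hit.payload!r}")
```

In a real deployment the frames would come from a packet capture on the host or a span port; the value of the check is that an ICMP-triggered implant cannot avoid the anomalous payload, so the heuristic only needs tuning for whatever monitoring tools legitimately ping the telecom hosts.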
Attack Methodology:
1. Initial access by password spraying externally exposed DNS servers, succeeding against weak passwords
2. Command and control through the TinyShell backdoor combined with publicly available SGSN emulation software, which tunnels C2 traffic through the provider's mobile core
3. Pivoting between carriers by abusing the trust relationships that inter-provider interconnections require, so that one compromised provider becomes a path into others
4. Collection of network telemetry and subscriber information from the compromised core systems
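The initial-access step above (password spraying against an exposed server) has a recognisable log signature: one source trying many different usernames a few times each, rather than one username many times. The following is an added example, not CrowdStrike's or any affected provider's detection logic. It assumes the exposed DNS host is a Linux box that keeps sshd authentication logs; the log lines, addresses and thresholds (at least 5 distinct users, no more than 3 attempts per user within 10 minutes) are constructed assumptions for the example, and a plain brute force against a single account is deliberately not reported as a spray.

```python
"""Detect password spraying in sshd failure logs (added example, constructed data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Matches the standard sshd "Failed password" line; year is absent from syslog timestamps.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample log: a spray from 198.51.100.23, a brute force from 203.0.113.9,
# and a user mistyping their password twice from 192.0.2.5.
SAMPLE_LOG = """\
Nov 12 03:14:01 ns1 sshd[4101]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Nov 12 03:14:09 ns1 sshd[4103]: Failed password for invalid user dns from 198.51.100.23 port 51240 ssh2
Nov 12 03:14:17 ns1 sshd[4107]: Failed password for invalid user bind from 198.51.100.23 port 51251 ssh2
Nov 12 03:14:26 ns1 sshd[4110]: Failed password for invalid user named from 198.51.100.23 port 51262 ssh2
Nov 12 03:14:34 ns1 sshd[4112]: Failed password for root from 198.51.100.23 port 51270 ssh2
Nov 12 03:14:42 ns1 sshd[4115]: Failed password for invalid user operator from 198.51.100.23 port 51281 ssh2
Nov 12 03:20:00 ns1 sshd[4201]: Failed password for root from 203.0.113.9 port 40001 ssh2
Nov 12 03:20:05 ns1 sshd[4202]: Failed password for root from 203.0.113.9 port 40002 ssh2
Nov 12 03:20:10 ns1 sshd[4203]: Failed password for root from 203.0.113.9 port 40003 ssh2
Nov 12 03:20:15 ns1 sshd[4204]: Failed password for root from 203.0.113.9 port 40004 ssh2
Nov 12 03:20:20 ns1 sshd[4205]: Failed password for root from 203.0.113.9 port 40005 ssh2
Nov 12 03:20:25 ns1 sshd[4206]: Failed password for root from 203.0.113.9 port 40006 ssh2
Nov 12 03:25:10 ns1 sshd[4301]: Failed password for alice from 192.0.2.5 port 50010 ssh2
Nov 12 03:25:20 ns1 sshd[4302]: Failed password for alice from 192.0.2.5 port 50011 ssh2
Nov 12 03:25:30 ns1 sshd[4303]: Accepted password for alice from 192.0.2.5 port 50012 ssh2
"""


def parse_failures(text: str, year: int = 2024) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, source_ip, username) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"]))
    return events


def detect_spray(events, window: timedelta = timedelta(minutes=10),
                 min_users: int = 5, max_per_user: int = 3) -> Dict[str, dict]:
    """Per source, slide a time window and report the widest user spread that fits
    the spray shape: many distinct usernames, few attempts each."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(events):
        by_src[src].append((ts, user))
    alerts: Dict[str, dict] = {}
    for src, attempts in by_src.items():
        best, start = None, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            counts = Counter(u for _, u in attempts[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                if best is None or len(counts) > best["users"]:
                    best = {"users": len(counts), "attempts": sum(counts.values()),
                            "first": attempts[start][0], "last": attempts[end][0]}
        if best:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse_failures(SAMPLE_LOG)).items():
        print(f"password spray from {src}: {info['users']} users, "
              f"{info['attempts']} attempts between {info['first']} and {info['last']}")
```

The same shape generalises to any exposed authentication surface (RDP, VPN, web admin panels); only the parser changes. The brute-force source is not lost, it simply belongs to a different rule, and a production version would also correlate a spray with any later successful login from the same source.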
Context:
– Some of this activity was previously attributed to LightBasin (also tracked as UNC1945) and has now been reassigned to Liminal Panda
– In the same period, another China-nexus group, Salt Typhoon, has been targeting U.S. telecom providers
– These intrusions show how exposed critical infrastructure is to state-sponsored actors, particularly where weak credentials on internet-facing services and inter-provider trust relationships give an intruder a way in and a way onward
The Chinese cyber offensive ecosystem involves collaboration between:
– Government agencies, including the Ministry of State Security (MSS) and the Ministry of Public Security (MPS)
– Civilian actors
– Private contractors and companies