Cyber intrusions affecting telecom providers previously attributed to the Chinese hacking group LightBasin (UNC1945) are now believed to come from another Chinese-sponsored group, according to CrowdStrike.
In a November 19 testimony in front of the US Senate Judiciary Subcommittee on Privacy, Technology, and the Law, Adam Meyers, CrowdStrike Senior Vice President of Counter Adversary Operations, revealed the existence of a previously unknown Chinese cyber espionage group, Liminal Panda.
Active since at least 2020, Liminal Panda was likely behind some 2021 intrusion campaigns previously attributed to LightBasin, CrowdStrike said in a blog post.
Liminal Panda’s Victimology
Liminal Panda typically targets telecom providers operating in countries associated with China’s Belt and Road Initiative (BRI).
The BRI is a global infrastructure and economic development strategy launched in 2013 to enhance trade and connectivity by building transportation, energy and communication networks across Asia, Africa, Europe, and beyond. It aims to pursue Beijing’s prioritized interests outlined in China’s 13th and 14th Five-Year Plans.
The group targets these organizations to collect network telemetry and subscriber information directly or to breach other telecommunications entities by exploiting the industry’s inter-operational connection requirements.
The CrowdStrike researchers believe that the group’s motivations closely align with signals intelligence (SIGINT) collection operations for intelligence gathering instead of establishing access for financial gain.
Liminal Panda was likely responsible for multiple cyber intrusion campaigns in 2020 and 2021, mainly targeting telecommunications providers in southern Asia and Africa.
Other Chinese hacking groups, including Salt Typhoon, have recently been accused of targeting telecom providers in different regions, including Europe and North America.
Liminal Panda’s Attribution
CrowdStrike assessed that Liminal Panda’s activity aligns with China-nexus cyber operations, based on similarities in tooling and processes with other Chinese cyber espionage groups. However, the firm noted that definitive attribution to a specific Chinese state-backed entity remains inconclusive, given the lack of direct evidence linking Liminal Panda to known government-affiliated organizations.
Some of the gathered evidence includes:
- Using a Pinyin string (wuxianpinggu507) for SIGTRANslator’s XOR key and the password for some of Liminal Panda’s remote proxy services
- Using the domain name wuxiapingg[.]ga as delivery infrastructure and C2 for Cobalt Strike, a commercially available remote access tool (RAT) that China-nexus actors frequently use
- Using Fast Reverse Proxy and the publicly available TinyShell backdoor, both of which have also been used by multiple Chinese adversaries, including Sunrise Panda and Horde Panda
- Using virtual private server (VPS) infrastructure supplied by Vultr, a provider commonly used by China-nexus adversaries and actors
Liminal Panda’s Techniques, Tactics and Procedures
Liminal Panda uses various tools that enable covert access, command and control (C2) and data exfiltration.
The group demonstrates extensive knowledge of telecom networks, including understanding interconnections between providers and the protocols that support mobile telecommunications.
It emulates global system for mobile communications (GSM) protocols to enable C2 and develop tooling to retrieve mobile subscriber information, call metadata and text messages.
Liminal Panda’s typical intrusion activity starts by abusing trust relationships between telecommunications providers and security policy gaps to gain access to core infrastructure from external hosts.
The group also employs a combination of custom malware, publicly available tools and proxy software to route C2 communications through different network segments.
CrowdStrike’s Mitigation Recommendations
In its blog post, CrowdStrike provided a list of recommendations to help protect against Liminal Panda’s activity based on some of the group’s uncovered TTPs. These include:
- Implementing complex password strategies for SSH authentication or employing more secure methods such as SSH key authentication, particularly on servers that accept connections from external organizations (e.g. eDNS servers)
- Minimizing the number of publicly accessible services operating on servers that accept connections from external organizations to those required for organizational interoperation
- Enforcing internal network access control policies for servers according to role and requirement
- Logging SSH connections between internal servers and monitoring them for anomalous activity
- Verifying iptables rules implemented on servers, checking for the presence of abnormal entries that enable inbound access from unknown external IP addresses
- Employing file integrity checking mechanisms on critical system service binaries such as iptables to identify if they are unexpectedly modified or replaced
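The last three recommendations (SSH connection monitoring, iptables rule review and integrity checking of the iptables binary) can each be turned into a small, repeatable audit. The script below is an added illustration written for this article; it is not CrowdStrike's code and not taken from its blog post. The iptables-save dump, the sshd log lines, the hostnames, IP ranges and the allow-lists are all constructed for the example, and the integrity check is shown on in-memory bytes where a real deployment would read the installed binary from disk and keep the baseline hash off-host.

```python
# Added example, not CrowdStrike's code. Three audits that follow the
# recommendations above: report INPUT ACCEPT rules from an `iptables-save`
# dump whose source is outside an allow-list, flag accepted SSH logins that
# are external or password-based, and compare a binary's SHA-256 against a
# recorded baseline. All inputs and allow-lists below are constructed.
import hashlib
import ipaddress
import re

# Constructed allow-lists (assumption: one internal management network plus a
# partner range that is permitted to reach the eDNS service).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
TRUSTED_SOURCES = INTERNAL_NETS + [ipaddress.ip_network("203.0.113.0/24")]

# Constructed `iptables-save` output. The last two ACCEPT rules are the kind of
# entries the recommendation warns about: one admits SSH from an unknown
# external host, the other opens a high port to any source.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p udp --dport 53 -j ACCEPT
-A INPUT -s 198.51.100.77/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 4444 -j ACCEPT
COMMIT
"""

# Constructed sshd log lines in the default syslog format.
SAMPLE_SSH_LOG = """\
Nov 19 02:14:07 core-hss1 sshd[2211]: Accepted publickey for ops from 10.20.4.15 port 50122 ssh2: RSA SHA256:PLACEHOLDER
Nov 19 02:15:41 core-hss1 sshd[2230]: Accepted password for root from 198.51.100.77 port 41822 ssh2
Nov 19 03:02:10 core-hss1 sshd[2301]: Failed password for admin from 10.20.4.99 port 40001 ssh2
Nov 19 03:40:52 core-hss1 sshd[2377]: Accepted password for svc_edns from 203.0.113.8 port 33311 ssh2
"""

SSH_ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def _option(tokens, flag):
    """Return the value that follows `flag` in a tokenised iptables rule, or None."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def find_unexpected_inbound_rules(iptables_save_text, trusted_sources):
    """Return INPUT ACCEPT rules whose source is not inside a trusted network.

    Loopback and established-connection rules are treated as expected. A rule
    with no -s at all accepts from anywhere and is always reported.
    """
    flagged = []
    for line in iptables_save_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "INPUT"] or _option(tokens, "-j") != "ACCEPT":
            continue
        if _option(tokens, "-i") == "lo" or "ESTABLISHED" in line:
            continue
        src = _option(tokens, "-s")
        if src is None:
            flagged.append(line)  # unrestricted inbound accept
            continue
        src_net = ipaddress.ip_network(src, strict=False)
        trusted = any(
            t.version == src_net.version and src_net.subnet_of(t)
            for t in trusted_sources
        )
        if not trusted:
            flagged.append(line)
    return flagged


def find_anomalous_ssh_logins(log_lines, internal_nets):
    """Return successful SSH logins from outside internal_nets or that used a
    password instead of key authentication, with the reasons for each hit."""
    hits = []
    for line in log_lines:
        m = SSH_ACCEPT_RE.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are not logins
        src = ipaddress.ip_address(m["src"])
        reasons = []
        if not any(src in net for net in internal_nets):
            reasons.append("external source")
        if m["method"] == "password":
            reasons.append("password authentication")
        if reasons:
            hits.append({"user": m["user"], "src": str(src), "reasons": reasons})
    return hits


def sha256_hex(data):
    """SHA-256 of the given bytes as a hex string."""
    return hashlib.sha256(data).hexdigest()


def binary_matches_baseline(data, baseline_hex):
    """True when a critical binary's current bytes (for example the contents of
    /usr/sbin/iptables read from disk) still hash to the recorded baseline."""
    return sha256_hex(data) == baseline_hex


if __name__ == "__main__":
    for rule in find_unexpected_inbound_rules(SAMPLE_IPTABLES_SAVE, TRUSTED_SOURCES):
        print("unexpected inbound rule:", rule)
    for hit in find_anomalous_ssh_logins(SAMPLE_SSH_LOG.splitlines(), INTERNAL_NETS):
        print("anomalous SSH login:", hit)
    # Constructed stand-in for the bytes of the installed iptables binary.
    baseline = sha256_hex(b"constructed-iptables-binary-v1")
    print("iptables binary intact:",
          binary_matches_baseline(b"constructed-iptables-binary-v1", baseline))
```

Run against the constructed inputs, the audit reports the two ACCEPT rules with untrusted or missing sources, and two logins: the root password login from the unknown external address and the partner-range login that used a password rather than a key. The rule check deliberately treats a missing `-s` as a finding in its own right, since a source-less ACCEPT on a server that accepts partner connections is exactly the kind of entry the recommendation asks operators to look for.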