A new China-linked cyber espionage group dubbed ‘Liminal Panda’ has been linked to a series of sophisticated cyberattacks targeting telecommunications entities in South Asia and Africa. Active since at least 2020, the adversary’s goal is believed to be intelligence collection, according to an in-depth analysis by cybersecurity firm CrowdStrike.
Liminal Panda has extensive knowledge of telecommunications networks, including interconnection protocols and infrastructure that enable communication between providers.
The threat actor’s activities involve emulating Global System for Mobile Communications (GSM) protocols, allowing for command-and-control (C2) operations and enabling access to sensitive subscriber data such as call metadata, mobile subscriber information, and SMS messages.
The group employs a suite of custom tools designed to maintain stealth, control infected systems, and exfiltrate data. The group’s malware arsenal includes SIGTRANslator, a Linux ELF binary that uses SIGTRAN protocols for data transmission; CordScan, a network scanner and packet capture utility; and the PingPong backdoor, which opens a TCP reverse shell.
Liminal Panda’s operations include targeted intrusion techniques, such as password spraying attacks against external DNS (eDNS) servers, often leveraging weak or third-party credentials. The ultimate objectives are to collect network telemetry and subscriber data or infiltrate additional telecommunications networks through interconnected systems.
CrowdStrike said that some of the group's activities were initially attributed to another threat cluster, LightBasin (UNC1945), which has targeted telecom entities since 2016. However, a reevaluation revealed the presence of a separate adversary now tracked as Liminal Panda operating within the compromised networks.