A new China-linked cyber espionage group, dubbed Liminal Panda, has been attributed to a series of targeted cyber attacks against telecommunications entities in South Asia and Africa since 2020. The group’s goal is to enable intelligence collection by exploiting vulnerabilities in industry interoperation connections.
Liminal Panda’s malware portfolio includes bespoke tools that facilitate clandestine access, command-and-control (C2), and data exfiltration. The group uses compromised telecom servers to initiate intrusions into other providers, often using protocols that support mobile telecommunications such as GSM.
In October 2021, the same attacks had been attributed to a similar threat cluster dubbed LightBasin, but CrowdStrike’s extensive review revealed an entirely new threat actor. The misattribution arose because multiple hacking crews were conducting malicious activity on a “highly contested compromised network.”
Liminal Panda’s custom tools include SIGTRANslator, CordScan, and PingPong, which enable data transmission using SIGTRAN protocols, network scanning, and packet capture. The group also uses password spraying and TinyShell to infiltrate external DNS servers.
The end goal of Liminal Panda’s attacks is to collect network telemetry and subscriber information or breach other telecommunications entities by exploiting trust relationships between providers. This highlights the vulnerability of critical infrastructure providers to state-sponsored attackers.
Other China-nexus hacking groups, such as Salt Typhoon, have also targeted US telecom providers. French cybersecurity company Sekoia notes that Chinese offensive cyber ecosystems involve government-backed units, civilian actors, and private entities cooperating to conduct operations. The relationships between these players are complementary and strengthened by the proximity of individuals involved.
Source: https://thehackernews.com/2024/11/china-backed-hackers-leverage-sigtran.html