The recent revelation of a new Chinese cyber espionage group, Liminal Panda, marks a significant concern for telecommunications firms associated with China’s Belt and Road Initiative (BRI). CrowdStrike, a renowned cybersecurity firm, identified this previously unknown entity and highlighted its threat to companies linked to China’s ambitious global infrastructure project. Launched in 2013, the BRI aims to bolster trade and connectivity by developing vast networks across Asia, Africa, Europe, and beyond. Liminal Panda’s activities come at a time when global digital security is paramount, and their focus on telecom sectors underscores critical vulnerabilities within these integral systems.
Liminal Panda’s Recent Emergence and Operations
According to CrowdStrike, Liminal Panda has been active since at least 2020, with cyber intrusions initially attributed to another Chinese hacking group, LightBasin (UNC1945). During an insightful testimony on November 19 before the US Senate Judiciary Subcommittee on Privacy, Technology, and the Law, Adam Meyers, Senior Vice President of Counter Adversary Operations at CrowdStrike, unveiled key details about this group’s operations. Evidence suggests that Liminal Panda orchestrated several cyber intrusion campaigns targeting telecommunication providers in 2020 and 2021, with a primary focus on regions in southern Asia and Africa that are central to the BRI’s objectives.
The telecommunication firms targeted by Liminal Panda include those operating in countries associated with China’s BRI. The BRI’s mission is to enhance global trade and connectivity through the extensive development of transportation, energy, and communication networks. As a pivotal part of China’s prioritized interests within its 13th and 14th Five-Year Plans, these regions’ telecom providers play a crucial role in the strategy’s success. Liminal Panda’s unauthorized access to these systems has raised significant concerns about the security and resilience of this critical infrastructure against sophisticated cyber threats.
Objectives and Methodology
Liminal Panda’s primary objectives revolve around gathering intelligence through the collection of network telemetry and subscriber information, rather than seeking financial gain. This activity aligns closely with signals intelligence (SIGINT) collection operations. Their approach involves exploiting the inter-operational connection requirements of telecommunications firms to breach core infrastructure. By manipulating trust relationships and identifying security policy gaps, the group demonstrates extensive technical knowledge of telecom networks and the protocols that support mobile telecommunications. Their proficiency at navigating and exploiting these systems signifies a sophisticated and well-resourced endeavor likely tied to larger geopolitical goals.
Utilizing a diverse toolkit, Liminal Panda relies on both custom malware and publicly available tools to conduct their cyber operations. Command and control (C2) mechanisms are crucial for enabling covert access and data exfiltration. Notable examples of the group’s tools include Fast Reverse Proxy and TinyShell backdoor, which were previously utilized by other Chinese adversaries like Sunrise Panda and Horde Panda. Cobalt Strike, a commercially available remote access tool popular among China-nexus actors, is another key component, along with virtual private server (VPS) infrastructures provided by Vultr. The consistent use of these tools and infrastructures reflects a pattern common among Chinese cyber threats.
Tools and Techniques
CrowdStrike’s analysis sheds light on Liminal Panda’s use of specific techniques that strongly suggest a China-nexus cyber operation. These include employing Pinyin strings in code, utilizing domain names for delivery infrastructure, and exploiting GSM protocols to emulate C2 processes for data extraction. Additionally, the group’s reliance on VPS infrastructure from Vultr, known to be frequently used by Chinese adversaries, and the employment of C2 and malware tools further bolster the attribution to a China-related entity. However, despite these strong inferences, definitive attribution to a specific Chinese state-backed organization remains elusive, with a significant lack of direct evidence linking Liminal Panda to known government-affiliated bodies.
The impact of Liminal Panda’s intrusion activities reveals inherent vulnerabilities within the telecommunications sector, particularly firms integral to the BRI. Beyond the immediate effects of unauthorized access to core systems, these cyber operations also have broader geopolitical implications. The stolen data could be leveraged to further China’s strategic interests on a global scale. Such a scenario emphasizes the intricate and far-reaching consequences of cyber espionage in the modern digital age, where state-sponsored actors relentlessly pursue critical data to gain an upper hand in global technological and economic arenas.
The Spotlight on Other Chinese Hacking Groups
Liminal Panda is one example within the extensive landscape of Chinese cyber espionage activities. Other prominent groups, such as Salt Typhoon, have also been implicated in targeting telecom providers across various regions, including Europe and North America. This recurring pattern of persistent cyber threats underscores the extensive reach and coordination of state-sponsored actors in China, consistently aiming at vulnerable sectors within critical infrastructure worldwide. The actions of these groups reflect a broader strategy to undermine the security and stability of global communications networks, raising alarms within the international cybersecurity community.
Mitigation and Recommendations
Given the significant threat posed by Liminal Panda, CrowdStrike has issued several mitigation recommendations for telecommunications providers. These include adopting complex password strategies and more secure authentication methods for SSH, reducing the number of publicly accessible services on servers, enforcing stringent internal network access control policies, and actively monitoring SSH connections for anomalies. Verifying iptables rules to check for abnormal entries and employing file integrity checking mechanisms to detect unexpected modifications of critical system binaries are also vital measures in strengthening defenses against such sophisticated cyber threats.
Conclusion
The recent discovery of a new Chinese cyber espionage group called Liminal Panda raises significant concerns for telecommunications firms connected to the Belt and Road Initiative (BRI). CrowdStrike, a leading cybersecurity company, identified this previously unknown group and emphasized their threat to companies involved in China’s extensive global infrastructure plan. Initiated in 2013, the BRI aims to enhance trade and connectivity by establishing widespread networks across Asia, Africa, Europe, and beyond. The activities of Liminal Panda surface at a time when global digital security is critical, and their emphasis on the telecom sector reveals significant vulnerabilities within these essential systems. As telecommunications form the backbone of modern connectivity, any compromise in this sector can have widespread repercussions, affecting not just targeted companies but also numerous connected entities worldwide. This discovery underlines the ever-growing importance of robust cybersecurity measures to safeguard integral infrastructure from emerging threats.