Hacking Telecom Networks

A new China-linked cyber espionage group has been attributed as behind a series of targeted cyber attacks targeting telecommunications entities in South Asia and Africa since at least 2020 with the goal of enabling intelligence collection.

Cybersecurity company CrowdStrike is tracking the adversary under the name Liminal Panda, describing it as possessing deep knowledge about telecommunications networks, the protocols that undergird telecommunications, and the various interconnections between providers.

The threat actor's malware portfolio includes bespoke tools that facilitate clandestine access, command-and-control (C2), and data exfiltration.

"Liminal Panda has used compromised telecom servers to initiate intrusions into further providers in other geographic regions," the company's Counter Adversary Operations team said in a Tuesday analysis.

"The adversary conducts elements of their intrusion activity using protocols that support mobile telecommunications, such as emulating global system for mobile communications (GSM) protocols to enable C2, and developing tooling to retrieve mobile subscriber information, call metadata, and text messages (SMS)."

Cybersecurity

Adam Meyers, head of Counter Adversary Operations at CrowdStrike, told The Hacker News that 15 of the 63 China-based adversaries it monitors have targeted telecommunications entities in recent months.

"The adversary demonstrates extensive knowledge of telecommunications networks, including interconnections between providers and the protocols that support mobile telecommunications," Meyers said. "This problem is extremely widespread and affects providers globally. While CrowdStrike has observed Liminal Panda targeting telcos in Southeast Asia and Africa, compromised infrastructure enables them to move laterally between providers across regions."

It's worth noting that some aspects of the intrusion activity were documented by the cybersecurity company back in October 2021, attributing it then to a different threat cluster dubbed LightBasin (aka UNC1945), which also has a track record of targeting telecom entities since at least 2016.

CrowdStrike noted that its extensive review of the campaign revealed the presence of an entirely new threat actor, and that the misattribution three years ago was the result of multiple hacking crews conducting their malicious activities on what it said was a "highly contested compromised network."

Some of the custom tools in its arsenal are SIGTRANslator, CordScan, and PingPong, which come with the following capabilities -

  • SIGTRANslator, a Linux ELF binary designed to send and receive data using SIGTRAN protocols
  • CordScan, a network-scanning and packet-capture utility containing built-in logic to fingerprint and retrieve data relating to common telecommunication protocols from infrastructure such as the Serving GPRS Support Node (SGSN)
  • PingPong, a backdoor that listens for incoming magic ICMP echo requests and sets up a TCP reverse shell connection to an IP address and port specified within the packet

Liminal Panda attacks have been observed infiltrating external DNS (eDNS) servers using password spraying extremely weak and third-party-focused passwords, with the hacking crew using TinyShell in conjunction with a publicly available SGSN emulator called sgsnemu for C2 communications.

"TinyShell is an open-source Unix backdoor used by multiple adversaries," CrowdStrike said. "SGSNs are essentially GPRS network access points, and the emulation software allows the adversary to tunnel traffic via this telecommunications network."

The end goal of these attacks is to collect network telemetry and subscriber information or to breach other telecommunications entities by taking advantage of the industry's interoperation connection requirements.

"Liminal Panda's known intrusion activity has typically abused trust relationships between telecommunications providers and gaps in security policies, allowing the adversary to access core infrastructure from external hosts," the company said.

The disclosure comes as U.S. telecom providers like AT&T, Verizon, T-Mobile, and Lumen Technologies have become the target of another China-nexus hacking group dubbed Salt Typhoon. If anything, these incidents serve to highlight how telecommunications and other critical infrastructure providers are vulnerable to compromise by state-sponsored attackers.

French cybersecurity company Sekoia has characterized the Chinese offensive cyber ecosystem as a joint enterprise that includes government-backed units such as the Ministry of State Security (MSS) and the Ministry of Public Security (MPS), civilian actors, and private entities to whom the work of vulnerability research and toolset development is outsourced.

"China-nexus APTs are likely to be a mix of private and state actors cooperating to conduct operations, rather than strictly being associated with single units," it said, pointing out the challenges in attribution.

Cybersecurity

"It ranges from the conduct of operations, the sale of stolen information or initial access to compromised devices to providing services and tools to launch attacks. The relationships between these military, institutional, and civilian players are complementary and strengthened by the proximity of the individuals part of these different players and the CCP's policy."

Meyers said the company has not observed any evidence of coordination or shared resources between Salt Typhoon and Liminal Panda, but pointed out that China's cyber program has undergone a "significant maturation" since 2018, with the malicious campaigns transitioning from "smash-and-grab" operations to more sophisticated efforts.

"Their focus has shifted from isolated attacks to bulk data collection and longer-term targeting of Managed Service Providers (MSPs), Internet Service Providers (ISPs), platform providers, and executing supply chain attacks – embodying a 'hack once, steal many' mantra. Today, China-nexus actors have demonstrated cross-domain capabilities, targeting identity systems, cloud environments, and endpoints simultaneously to achieve their objectives."

Complementing these shifts is the reorganization of the People's Liberation Army (PLA) to MSS, which, as Sekoia said, has had the effect of causing a spike in malicious cyber activities attributed to the intelligence and security agency since 2021.

"The development of China's intelligence apparatus has become increasingly aligned with strategic national initiatives, such as Made in China 2025 and the Belt and Road Initiative," Meyers said.

"Additionally, under China's national security law, vulnerability research has been effectively privatized and crowdsourced. Any discoveries are funneled directly to the Chinese government, which retains the first right of refusal for weaponization. This process is highly opaque – while we can identify broad categories of vulnerabilities, the specific exploits and tools remain hidden."

(The story was updated after publication to include additional responses from CrowdStrike.)


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.