A new CrowdStrike report details the activity of the LIMINAL PANDA adversary, highlighting China’s ongoing cyber threat to the telecom sector. Active since at least 2020, LIMINAL PANDA has targeted telecom companies with custom tools for stealthy access, command and control (C2), and data theft. The group shows deep expertise in telecom networks, including the interconnections between providers. It has used compromised telecom servers to pivot into additional providers in other regions, and is highly likely conducting targeted intrusions in support of intelligence collection.
“This assessment is made with high confidence based on the adversary’s identified target profile, likely mission objectives, and observed tactics, techniques and procedures (TTPs) — all of which suggest long-term clandestine access requirements,” CrowdStrike said in a Tuesday blog post. “The adversary conducts elements of their intrusion activity using protocols that support mobile telecommunications, such as emulating global system for mobile communications (GSM) protocols to enable C2, and developing tooling to retrieve mobile subscriber information, call metadata, and text messages (SMS).”
Also on Tuesday, Adam Meyers, senior vice president of Counter Adversary Operations at CrowdStrike, testified before the U.S. Senate Judiciary Subcommittee on Privacy, Technology, and the Law regarding Chinese cyber threats to critical infrastructure. During his testimony, Meyers publicly disclosed, for the first time, information about LIMINAL PANDA, a China-linked state-sponsored actor that CrowdStrike’s Counter Adversary Operations team actively tracks.
CrowdStrike’s announcement coincides with a Wall Street Journal report revealing that T-Mobile’s network was one of the systems compromised in a significant Chinese cyber espionage operation. This operation infiltrated multiple U.S. and international telecommunications companies, according to sources familiar with the situation.
Previous reports indicated that Verizon Communications, AT&T, and Lumen Technologies were also among the telecom companies breached in the Salt Typhoon hacks, carried out by state-sponsored hackers from the People’s Republic of China (PRC). These hackers targeted U.S. telecommunications companies, including internet service providers, raising questions about the federal response.
Meyers noted in his testimony that advanced adversaries such as LIMINAL PANDA demonstrate extensive knowledge of telecommunications networks, including understanding interconnections between providers and the protocols that support mobile telecommunications.
“Recently, this adversary compromised these networks by exploiting trust relationships between telecommunications organizations and poor security configurations, allowing them to create footholds to install multiple redundant routes of access across the affected organizations,” he added.
Meyers further pointed out that the adversary ultimately emulated the global system for mobile communications (GSM) protocols to enable Command and Control (C2) and developed tooling to retrieve mobile subscriber information, call metadata, and text messages, and facilitate data exfiltration. Also, actions on objectives indicated additional adversary aims of surveilling targeted individuals by gathering metadata about their cellular devices.
CrowdStrike Intelligence assesses that LIMINAL PANDA’s activity aligns with China-nexus cyber operations. The company makes this assessment with low confidence, because the supporting factors are non-exclusive and do not strongly indicate attribution on their own. These include the targeting of organizations operating in countries associated with China’s Belt and Road Initiative (BRI), a national-level strategy seeking to establish economic opportunities aligned with Beijing’s prioritized interests as outlined in China’s 13th and 14th Five-Year Plans.
Also, CrowdStrike zeroes in on the use of a Pinyin string (wuxianpinggu507) for SIGTRANslator’s XOR key and the password for some of LIMINAL PANDA’s remote proxy services. “This Pinyin text translates to ‘wireless evaluation 507’ or ‘unlimited evaluation 507.’ ‘Wireless evaluation’ is likely the correct translation, given that the malware is used to target telecommunications systems. This term is also similar to the domain wuxiapingg[dot]ga, which was previously hosted on a LIMINAL PANDA-associated IP address.”
The post added that several other domain names that overlap with LIMINAL PANDA’s infrastructure also used Pinyin representations of Mandarin terms, further suggesting actors associated with the group’s infrastructure likely speak Chinese. It also pointed to using the domain name wuxiapingg[dot]ga as delivery infrastructure and C2 for Cobalt Strike, a commercially available remote access tool (RAT) that China-nexus actors frequently use.
The post also cites the use of Fast Reverse Proxy and the publicly available TinyShell backdoor, both of which have been used by multiple Chinese adversaries, including SUNRISE PANDA and HORDE PANDA, and the use of VPS infrastructure supplied by Vultr, a provider commonly, albeit not exclusively, used by China-nexus adversaries and criminal actors.
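The XOR key cited above is, in most tooling of this kind, a plain repeating-key XOR over the protected data. The block below is an added example, not code from the CrowdStrike report or from the malware itself: it shows that scheme keyed with the reported Pinyin string, a triage check for decoding an unknown blob with the known key, and why a hard-coded key is recovered as soon as any plaintext from one sample is known. The byte-by-byte scheme (key cycled from its first byte), the config-like sample payload and all function names are assumptions made here for illustration; the post states only that the string is SIGTRANslator’s XOR key.

```python
"""Repeating-key XOR keyed with the Pinyin string reported by CrowdStrike.

Added illustration, not the malware's or the report's code. The scheme
(key bytes cycled over the payload from the key's first byte) and the
sample payload are assumptions made here.
"""
from itertools import cycle

KEY = b"wuxianpinggu507"  # Pinyin string reported in the post

# Constructed stand-in for an implant config blob (not real IOC data).
SAMPLE_CONFIG = b"proxy=127.0.0.1:1080;sleep=300;mode=gsm\n"


def xor_repeating(data: bytes, key: bytes = KEY) -> bytes:
    """XOR data against key repeated to data's length.

    XOR is its own inverse, so one call both encodes and decodes.
    """
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/LF/CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def try_known_key(blob: bytes, key: bytes = KEY, threshold: float = 0.95) -> bool:
    """Triage check: does decoding with this key yield text-like output?

    A high printable ratio is a hint, not proof; a binary config format
    would need a structural check instead of this heuristic.
    """
    return printable_ratio(xor_repeating(blob, key)) >= threshold


def recover_key(ciphertext: bytes, crib: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery: key[i] = ct[i] ^ pt[i].

    With a crib aligned at the start of the ciphertext and at least
    key_len bytes long, the whole key falls out in one pass. This is
    why a static repeating key offers no secrecy once one sample's
    plaintext is known.
    """
    if len(crib) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of crib and ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], crib[:key_len]))


def find_key_period(ciphertext: bytes, crib: bytes, max_len: int = 64) -> int:
    """Smallest period L for which ct[i] ^ pt[i] repeats every L bytes.

    Returns 0 if no period up to max_len fits the crib.
    """
    stream = bytes(c ^ p for c, p in zip(ciphertext, crib))
    for length in range(1, min(max_len, len(stream)) + 1):
        if all(stream[i] == stream[i % length] for i in range(len(stream))):
            return length
    return 0


def demo() -> dict:
    """Encode the constructed config, then decode, triage and recover the key."""
    ct = xor_repeating(SAMPLE_CONFIG)
    crib = b"proxy=127.0.0.1:1080"  # 20 bytes, longer than the 15-byte key
    return {
        "roundtrip_ok": xor_repeating(ct) == SAMPLE_CONFIG,
        "decodes_to_text": try_known_key(ct),
        "recovered_key": recover_key(ct, crib, len(KEY)),
        "period": find_key_period(ct, SAMPLE_CONFIG),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The period finder is the step a practitioner would run against a new sample whose key is unknown: once a crib (a known header, a URL prefix, a config field name) lines up with the ciphertext, the key length and then the key itself follow, which is the same property that let the Pinyin string become an attribution artifact in the first place.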
The LIMINAL PANDA adversary targets telecom providers with various tools enabling covert access, C2, and data exfiltration. In 2020 and 2021, LIMINAL PANDA likely targeted multiple telecommunications providers and used its access to those entities to compromise additional providers. CrowdStrike said that the adversary demonstrates extensive knowledge of telecom networks, including the interconnections between providers and the protocols that support mobile telecommunications. LIMINAL PANDA emulates global system for mobile communications (GSM) protocols to enable C2 and develops tooling to retrieve mobile subscriber information, call metadata, and text messages.
LIMINAL PANDA employs a combination of custom malware, publicly available tools, and proxy software to route C2 communications through different network segments. Also, these hackers conduct intrusion activity that poses a significant potential threat to telecommunications entities. The adversary targets these organizations to directly collect network telemetry and subscriber information or to breach other telecommunications entities by exploiting the industry’s inter-operational connection requirements.
“LIMINAL PANDA’s likely operational motivations — indicated by their development and deployment of tooling specific to telecommunications technology — closely align with signals intelligence (SIGINT) collection operations for intelligence gathering, as opposed to establishing access for financial gain,” the post added. “LIMINAL PANDA has previously focused on telecommunications providers in southern Asia and Africa, suggesting that their final targets likely reside in these regions; however, individuals roaming in these areas may also be targeted depending on the compromised network’s configuration and LIMINAL PANDA’s current access. Equally, depending on their current collection requirements, the adversary could employ similar TTPs to target telecoms in other regions.”
Tom Wheeler, former chairman of the Federal Communications Commission (FCC) and Visiting Fellow for Governance Studies at The Brookings Institution’s Center for Technology Innovation identified in an article that the FCC’s minimal cybersecurity reporting obligations are constrained to cyber incidents that lead to outages, with no reporting requirements for compromises to confidentiality or network integrity. “Amazingly, through its detailed reporting requirements on cyber issues, the Securities and Exchange Commission (SEC) has more information on cyber shortfalls than the regulator charged with protecting America’s networks,” he added.
Earlier this month, the U.S. House Committee on Homeland Security published a new ‘Cyber Threat Snapshot’ examining growing threats posed by malign nation-states and criminal networks to the homeland and American data. Identifying some of the recent notable attacks, the report zeroed in on the Salt Typhoon attack by Chinese hackers, who reportedly infiltrated backdoors in major U.S. internet service providers; and activities by the Volt Typhoon adversaries, who compromised U.S. critical infrastructure for at least five years, targeting the transportation, telecommunications, and energy sectors.