Severity
High
Analysis Summary
Since at least 2020, a new cyber espionage group with ties to China has been implicated in several targeted attacks against telecommunications companies in South Asia and Africa, carried out to facilitate intelligence gathering.
The threat group, tracked as Liminal Panda, is described by researchers as having extensive knowledge of telecommunications networks, the protocols that support them, and the interconnections between providers. Its malware arsenal includes custom tools that enable covert access, command-and-control (C2), and data exfiltration.
Liminal Panda has used compromised telecom servers to launch intrusions into further providers in other geographic regions. For C2, the adversary abuses the protocols that underpin mobile telecommunications, for example by emulating Global System for Mobile Communications (GSM) protocols and by building tools to retrieve text messages (SMS), call metadata, and mobile subscriber information.
It is important to note that some of this intrusion activity was reported by the researchers in October 2021 and attributed to a distinct threat cluster, LightBasin (also known as UNC1945), which has likewise targeted telecom companies since at least 2016. The researchers state that the misattribution three years ago resulted from several intrusion teams operating on the same heavily contested compromised network, and that a thorough re-analysis of the campaign revealed an entirely separate threat actor. Its custom tools include SIGTRANslator, CordScan, and PingPong, which have the following features:
- SIGTRANslator is a Linux ELF binary designed to send and receive data over SIGTRAN protocols.
- PingPong is a backdoor that listens for incoming "magic" ICMP echo requests and, on receipt, establishes a TCP reverse shell to the IP address and port specified in the packet.
- CordScan is a network-scanning and packet-capture tool with built-in logic to fingerprint and retrieve data relating to common telecommunication protocols from infrastructure such as the Serving GPRS Support Node (SGSN).
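As an added illustration (not code from this advisory or from the researchers' tooling), the following defender-side heuristic for the PingPong behaviour described above parses ICMP echo requests and flags those whose payload embeds an IPv4:port string or departs from the payload patterns standard ping tools emit. The trigger format and the sample packets are assumptions constructed here, not the malware's actual encoding.

```python
import re
import struct

ICMP_ECHO_REQUEST = 8
# Assumed heuristic: a callback target written as "a.b.c.d:port" inside the payload.
IPV4_PORT_RE = re.compile(rb"(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}")
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # fixed pattern used by Windows ping


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 for a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo request with a correct checksum (used only to build samples)."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def looks_like_standard_ping(payload: bytes) -> bool:
    """Linux ping sends an 8-byte timestamp followed by bytes 0x10, 0x11, ...;
    Windows ping sends a fixed alphabet string. Anything else counts as nonstandard."""
    if payload == WINDOWS_PAYLOAD:
        return True
    body = payload[8:]
    return len(body) >= 8 and all(b == (0x10 + i) & 0xFF for i, b in enumerate(body))


def inspect_echo_request(packet: bytes) -> list[str]:
    """Return the reasons an echo request looks suspicious; an empty list means benign."""
    if len(packet) < 8:
        return ["truncated ICMP header"]
    msg_type = packet[0]
    if msg_type != ICMP_ECHO_REQUEST:
        return []  # only echo requests are of interest for this trigger style
    reasons = []
    if icmp_checksum(packet) != 0:
        reasons.append("invalid ICMP checksum")
    payload = packet[8:]
    if IPV4_PORT_RE.search(payload):
        reasons.append("payload embeds an IPv4:port string (possible reverse-shell target)")
    if not looks_like_standard_ping(payload):
        reasons.append("payload does not match a standard ping pattern")
    return reasons


# Constructed samples: a normal Linux-style ping and a hypothetical trigger packet.
LINUX_PING = build_echo_request(0x1234, 1, bytes(8) + bytes(range(0x10, 0x40)))
MAGIC_PING = build_echo_request(0xBEEF, 7, b"PP 198.51.100.23:4444 " + bytes(26))
```

In production the same function would be fed from a packet capture or an IDS hook rather than from constructed samples.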
Liminal Panda attacks have been observed using TinyShell, an open-source Unix backdoor employed by several adversaries, together with a publicly available SGSN emulator called sgsnemu for C2 communications, and breaching external DNS (eDNS) servers by password spraying extremely weak and third-party-focused passwords. SGSNs are essentially GPRS network access points, and the emulation software lets the adversary tunnel traffic across the telecommunications network.
These attacks ultimately aim to obtain subscriber and network telemetry data, or to compromise other telecommunications organizations by exploiting the industry's interoperability connection requirements. Liminal Panda's known intrusion activity has generally exploited security policy weaknesses and trust relationships between telecom providers to gain access to critical infrastructure from external sites.
Impact
- Cyber Espionage
- Sensitive Data Theft
- Unauthorized Access
- Data Exfiltration
Remediation
- Conduct regular, comprehensive cybersecurity training programs for employees, focusing on spear-phishing recognition and avoidance. Simulate phishing attacks to test awareness and response.
- Enforce multi-factor authentication (MFA) for all critical systems, including email, source code repositories, and proprietary software, to reduce the risk of unauthorized access.
- Apply the principle of least privilege, ensuring that only authorized personnel have access to sensitive software and source code. Regularly review and audit access control policies.
- Use advanced email filtering systems that detect and block phishing attempts, especially those involving domain spoofing and impersonation tactics.
- Employ continuous network monitoring tools to detect unauthorized access or unusual activity. Regularly audit system logs for any indicators of compromise (IOCs) or anomalous behavior.
- Deploy EDR solutions to detect and respond to malicious activity on endpoints, particularly those involving attempts to exfiltrate sensitive data.
- Ensure timely patching of software vulnerabilities in operating systems, email servers, and security tools to reduce the risk of exploitation by cybercriminals.
- Establish protocols for quickly reporting cyber incidents to relevant authorities, like the FBI or other national agencies, to assist with tracking and mitigating cybercriminal activities.
- Perform periodic penetration testing and vulnerability assessments to identify and address weaknesses in the security infrastructure.
- Leverage real-time threat intelligence feeds to stay informed about new phishing campaigns and tactics targeting industries like aerospace and defense.