Chinese-Sponsored Hacking Group Liminal Panda Targets Telecom Providers
Summary:
CrowdStrike has identified a previously unknown China-nexus cyber espionage group, tracked as Liminal Panda, that has been active since at least 2020 and is assessed to be behind a series of intrusions into telecom providers. Some of this activity had previously been attributed to LightBasin (UNC1945), another China-nexus group that targets the telecom sector. Liminal Panda primarily targets telecom companies in countries associated with China's Belt and Road Initiative (BRI), and its activity is consistent with signals intelligence (SIGINT) collection. The group pairs custom tooling built for telecom environments (such as SIGTRANslator, CordScan and PingPong) with publicly available backdoors and proxy tools (such as TinyShell), and it relies heavily on weak or compromised passwords and on the trust relationships between interconnected providers to move between networks. CrowdStrike has published mitigation guidance, summarized below.
Security Officer Comments:
Liminal Panda's intrusions appear to be part of a broader Chinese effort to monitor telecom providers in regions where Beijing's geopolitical interests are concentrated. The operations are sophisticated: rather than stopping at a single company, the group moves between providers by abusing the interconnections and industry-specific trust relationships on which telecom networks depend, and its tooling shows a high level of expertise in core telecom protocols, which is itself an indicator of state backing. Although CrowdStrike has not conclusively tied the group to the Chinese government, the targeting, tooling and tradecraft point to a strong China nexus and to espionage rather than financial motives.
Suggested Corrections:
CrowdStrike recommends several key security measures to mitigate risks posed by Liminal Panda:
- SSH Authentication: Enforce strong password policies or, preferably, key-based SSH authentication, particularly on servers that accept connections from external organizations (e.g., eDNS servers).
- Limit Public Access: Minimize the number of publicly accessible services on each server so that only those required for interoperation with other providers are exposed.
- Access Control Policies: Implement strict internal network access control based on the role and needs of each server, so that a foothold on one host does not grant reach into the rest of the estate.
- SSH Logging and Monitoring: Log SSH connections between internal servers and review them for unusual source/destination pairs, accounts, or times of day.
- Verify Firewall Rules: Regularly verify iptables rules on servers and check for unexpected inbound access from external IP addresses.
- File Integrity Monitoring: Implement file integrity checking on critical system service binaries, such as iptables, and compare against a known-good baseline stored off the host to detect unexpected changes or replacements.
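As an added illustration of how the SSH, firewall and file-integrity items above can be checked on a Linux host, the Python script below is example code written for this bulletin; it is not CrowdStrike tooling and not part of the original report. Every input it processes (the sshd_config fragment, the iptables-save output and the stand-in binary contents) is constructed, the function names are assumptions, and the RFC 1918 ranges are assumed to be the operator's internal address space.

```python
"""Added example: host checks for the SSH, firewall and file-integrity mitigations.
Not CrowdStrike tooling; all inputs below are constructed samples."""
import hashlib
import ipaddress
import re

# Assumption: the operator's internal networks live in the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sshd_config fragment (not from a real host).
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
#PubkeyAuthentication yes
"""


def audit_sshd_config(text):
    """Flag sshd settings that still allow password or root logins.

    Mirrors sshd's parsing where it matters: comments are stripped, keywords
    are case-insensitive, and the FIRST occurrence of a keyword wins. Match
    blocks are not evaluated (parsing stops at a 'Match' line). Defaults are
    OpenSSH's: PasswordAuthentication yes, PermitRootLogin prohibit-password,
    PubkeyAuthentication yes.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip().lower())
    findings = []
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is enabled; set it to 'no' and use keys")
    if settings.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes allows root password logins")
    if settings.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings


# Constructed `iptables-save` output (not from a real host).
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
COMMIT
"""


def is_internal(cidr):
    """True if the address or CIDR falls entirely inside an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == n.version and net.subnet_of(n) for n in INTERNAL_NETS)


def unexpected_inbound_accepts(save_text, allowed_external=()):
    """Return (rule, reason) for INPUT ACCEPT rules reachable from outside.

    allowed_external lists partner CIDRs that legitimately connect (e.g. an
    interconnect peer). Loopback and RELATED/ESTABLISHED rules are skipped;
    a rule without -s matches any source and is always flagged.
    """
    flagged = []
    for line in save_text.splitlines():
        if not line.startswith("-A INPUT") or not re.search(r"-j\s+ACCEPT\b", line):
            continue
        if re.search(r"-i\s+lo\b", line) or "ESTABLISHED" in line:
            continue
        m = re.search(r"(?:^|\s)-s\s+(\S+)", line)
        if m is None:
            flagged.append((line, "any source"))
        elif m.group(1) in allowed_external or is_internal(m.group(1)):
            continue
        else:
            flagged.append((line, "external source " + m.group(1)))
    return flagged


def build_baseline(contents):
    """contents: {path: bytes}. Returns {path: sha256 hex}; store it off-host."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in contents.items()}


def changed_binaries(baseline, contents):
    """Paths whose current bytes no longer match the baseline (missing files count)."""
    return sorted(p for p, h in baseline.items()
                  if p not in contents or hashlib.sha256(contents[p]).hexdigest() != h)


# Constructed stand-ins for binary contents; on a real host read the files.
ORIGINAL = {"/usr/sbin/iptables": b"\x7fELF iptables v1.8 (constructed)",
            "/usr/sbin/sshd": b"\x7fELF sshd (constructed)"}
TAMPERED = dict(ORIGINAL, **{"/usr/sbin/iptables": b"\x7fELF iptables (replaced, constructed)"})

if __name__ == "__main__":
    for f in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("sshd:", f)
    for rule, why in unexpected_inbound_accepts(SAMPLE_IPTABLES_SAVE, ("198.51.100.0/24",)):
        print("iptables:", why, "->", rule)
    for p in changed_binaries(build_baseline(ORIGINAL), TAMPERED):
        print("integrity:", p, "does not match baseline")
```

On a real host the three inputs come from /etc/ssh/sshd_config, `iptables-save` and the binaries themselves; the baseline hashes must be taken from a trusted image and kept off the box, since an attacker who has replaced iptables can just as easily rewrite a manifest stored beside it.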
Link(s):
https://www.crowdstrike.com/en-us/blog/liminal-panda-telecom-sector-threats/
https://www.infosecurity-magazine.com/news/chinese-apt-targets-telecoms-bri/