
    China-Backed Hackers Exploit Telecom Protocols to Spy on Networks in South Asia and Africa

    A cyber espionage group with ties to China, tracked as Liminal Panda, has been linked to a series of intrusions into telecommunications networks in South Asia and Africa going back to at least 2020. The operations are intelligence-gathering campaigns built on deep knowledge of how telecom infrastructure is wired together.

    According to cybersecurity firm CrowdStrike, the group exhibits exceptional expertise in telecommunications systems, including the underlying GSM and SIGTRAN protocols, as well as the intricate connections between network providers.

    A Toolkit for Covert Operations

    The Liminal Panda arsenal features custom-built malware designed for stealthy network access, command-and-control (C2) communication, and data theft. Notable tools include:

    • SIGTRANslator: A Linux-based tool for sending and receiving data over SIGTRAN protocols.
    • CordScan: A utility for network scanning and packet capture, with capabilities to analyze data from telecommunication infrastructure like Serving GPRS Support Nodes (SGSNs).
    • PingPong: A backdoor triggered by specific ICMP echo requests, establishing reverse shell connections for deeper system compromise.
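    The PingPong entry above describes a backdoor that wakes up only when it sees a particular ICMP echo request. The article gives no trigger details, so the heuristic below is an added hunting example, not CrowdStrike's or the malware's code: it parses raw ICMP messages, validates the RFC 1071 checksum, and flags echo requests whose payload does not match the patterns that stock ping tools emit. The "known-benign" payload shapes (iputils: 8-byte timestamp then 0x10, 0x11, ...; Windows: a fixed 32-byte alphabet string), the sample packets, and the `PINGPONG` trigger string are all constructed assumptions for the demonstration.

```python
import struct

# Assumption for this heuristic: stock ping tools produce recognisable payloads.
# iputils ping sends an 8-byte timestamp followed by bytes 0x10, 0x11, 0x12, ...;
# Windows ping sends the fixed 32-byte string below. Anything else is "interesting".
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload.
    Over a packet whose checksum field is already filled in, a valid packet yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed ICMP echo request (type 8, code 0); only used to make sample input."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def looks_like_iputils(payload: bytes) -> bool:
    # 8-byte timestamp (any value) then an incrementing byte pattern starting at 0x10.
    if len(payload) < 16:
        return False
    return all(b == ((0x10 + i) & 0xFF) for i, b in enumerate(payload[8:]))


def looks_like_windows(payload: bytes) -> bool:
    return payload == WINDOWS_PING_PAYLOAD


def classify_icmp(packet: bytes) -> str:
    """Classify one ICMP message (header + payload, IP header already stripped)."""
    if len(packet) < 8:
        return "truncated"
    if packet[0] != ICMP_ECHO_REQUEST:
        return "not-echo-request"
    if icmp_checksum(packet) != 0:
        return "bad-checksum"
    payload = packet[8:]
    if looks_like_iputils(payload) or looks_like_windows(payload):
        return "benign-ping"
    # Echo request with a payload no common ping tool would send: candidate trigger.
    return "anomalous-echo-request"


def triage(packets) -> list:
    """Indices of packets that deserve a second look."""
    return [i for i, p in enumerate(packets) if classify_icmp(p) == "anomalous-echo-request"]


if __name__ == "__main__":
    # Constructed samples: a Linux ping, a Windows ping, and a hypothetical trigger packet.
    samples = [
        build_echo_request(b"\x00" * 8 + bytes(range(0x10, 0x40))),
        build_echo_request(WINDOWS_PING_PAYLOAD),
        build_echo_request(b"PINGPONG connect 203.0.113.9 4444"),  # hypothetical trigger
    ]
    for i, p in enumerate(samples):
        print(i, classify_icmp(p))
    print("triage:", triage(samples))
```

    In practice you would feed this from a capture on the management interfaces of SGSN-adjacent hosts, where inbound echo requests should be rare and uniform; the checksum check matters because a hand-rolled trigger packet is one of the few things that ever arrives with a bad ICMP checksum.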

    Exploiting Weak Security Practices

    The group gains initial access by password-spraying external DNS (eDNS) servers, abusing weak credentials and credentials shared with third parties. For command and control it relies on TinyShell, an open-source Unix backdoor, and sgsnemu, an SGSN emulator it uses to tunnel traffic through compromised telecom networks.
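    Password spraying has a simple signature: one source tries a small set of passwords against many different accounts, so the tell is the count of distinct usernames failing from one address in a short window, followed, if it worked, by a success from the same address. The detector below is an added example and not something from the article or from CrowdStrike; it runs over constructed sshd-style auth log lines (the hostname `edns1`, the addresses and the usernames are made up), assumes the log year, and reports each spraying source together with any account it subsequently logged in as.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-style sshd lines); not real telemetry.
# 203.0.113.7 sprays five accounts and lands on a third-party service account;
# 198.51.100.20 is a user fumbling their own password.
SAMPLE_LOG = """\
Nov 20 10:00:01 edns1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Nov 20 10:00:04 edns1 sshd[2002]: Failed password for operator from 203.0.113.7 port 51001 ssh2
Nov 20 10:00:08 edns1 sshd[2003]: Failed password for invalid user vendor from 203.0.113.7 port 51002 ssh2
Nov 20 10:00:12 edns1 sshd[2004]: Failed password for invalid user noc from 203.0.113.7 port 51003 ssh2
Nov 20 10:00:15 edns1 sshd[2005]: Failed password for invalid user support from 203.0.113.7 port 51004 ssh2
Nov 20 10:00:19 edns1 sshd[2006]: Accepted password for vendor_svc from 203.0.113.7 port 51005 ssh2
Nov 20 10:03:40 edns1 sshd[2010]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Nov 20 10:03:55 edns1 sshd[2011]: Failed password for alice from 198.51.100.20 port 40002 ssh2
Nov 20 10:04:10 edns1 sshd[2012]: Accepted password for alice from 198.51.100.20 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(lines, year=2024):
    """Yield (timestamp, result, user, src) for each auth line; the year is assumed
    because syslog timestamps omit it."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["src"]


def detect_spray(lines, window=timedelta(minutes=10), min_users=4):
    """Flag a source when failures for >= min_users distinct usernames fall inside
    one sliding window. Also report accounts the same source logged in as afterwards,
    which is the part that turns an alert into an incident."""
    failed = defaultdict(list)
    accepted = defaultdict(list)
    for ts, result, user, src in parse(lines):
        (failed if result == "Failed" else accepted)[src].append((ts, user))

    alerts = {}
    for src, events in failed.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                landed = sorted(u for t, u in accepted.get(src, []) if t >= t0)
                alerts[src] = {
                    "distinct_users": len(users),
                    "window_start": t0,
                    "succeeded_as": landed,
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

    The thresholds (`min_users`, `window`) are the tuning knobs; counting distinct usernames rather than raw failures is what separates a spray from a brute force against one account, and the `succeeded_as` field is what tells you which third-party credential to revoke first.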

    By exploiting security gaps and the interoperation dependencies between carriers, Liminal Panda collects subscriber information, call metadata, SMS messages, and network telemetry. The same roaming and interconnect relationships also give it a path to pivot from one compromised operator into its peers.

    A History of Misattribution

    Some of these activities were previously attributed to a different group, LightBasin (UNC1945), known for targeting telecom providers since 2016. However, further analysis revealed Liminal Panda as a distinct entity, underscoring the complexity of tracking threats within heavily compromised networks.

    Broader Implications and Emerging Threats

    The revelation coincides with reports of another China-affiliated group, Salt Typhoon, targeting U.S. telecom providers like AT&T, Verizon, T-Mobile, and Lumen Technologies. Together, these incidents highlight the vulnerability of critical infrastructure to state-sponsored cyberattacks.

    French cybersecurity firm Sekoia characterizes China’s offensive cyber ecosystem as a collaborative network blending government agencies, civilian researchers, and private entities. This decentralized approach complicates attribution, with players often outsourcing tasks like vulnerability research and tool development to private actors.

    “China-nexus APTs involve a blend of private and state actors, cooperating in operations ranging from espionage to selling stolen data and launching attacks,” Sekoia stated. “The intertwined relationships between these actors reflect a strategic alignment driven by the Chinese Communist Party’s policies.”

    The Need for Heightened Security

    These revelations underscore the need for telecom providers to tighten security around trust relationships and inter-provider connections in particular, since that is the surface both groups abuse. As adversaries like Liminal Panda and Salt Typhoon continue to refine their tradecraft, protecting this critical infrastructure only grows more pressing.
