CrowdStrike Discusses New China-Nexus Adversary LIMINAL PANDA


CrowdStrike’s senior vice president of counter-adversary operations has told a US Senate Judiciary Subcommittee about a China-nexus state-sponsored actor that CrowdStrike Counter-Adversary Operations tracks as LIMINAL PANDA.

Adam Meyers testified before the Senate Judiciary Subcommittee on Privacy, Technology, and the Law about Chinese cyber threats to critical infrastructure. This was the first public discussion of LIMINAL PANDA.

Since 2020, LIMINAL PANDA has targeted telecommunications entities using custom tools that enable covert access, command and control, and data exfiltration. The adversary demonstrates extensive knowledge of telecommunications networks, including understanding interconnections between providers. LIMINAL PANDA has used compromised telecom servers to initiate intrusions into further providers in other geographic regions.

The adversary conducts elements of their intrusion activity using protocols that support mobile telecommunications, such as emulating global system for mobile communications protocols to enable command and control, and developing tooling to retrieve mobile subscriber information, call metadata and text messages.

LIMINAL PANDA highly likely engages in targeted intrusion activity to support intelligence collection. This assessment is made with high confidence based on the adversary’s identified target profile, likely mission objectives and observed tactics, techniques and procedures, all of which suggest long-term clandestine access requirements.

Tracking and Identifying LIMINAL PANDA

In 2021, CrowdStrike attributed multiple telecommunications sector intrusions to the LightBasin activity cluster, which has consistently targeted telecom entities since at least 2016 using various custom tools. An extensive review of this intrusion activity has determined that some of the events documented in a previous blog post are attributable to a separate adversary now tracked as LIMINAL PANDA. The original association arose because multiple threat actors were conducting malicious activity on the same highly contested compromised network.

CrowdStrike has updated its advisories to reflect activity now tracked as LIMINAL PANDA and provided additional details on tactics, techniques, and procedures, including the adversary’s use of publicly available proxy tools during their intrusions.

This new attribution does not impact the technical analysis regarding LightBasin’s malware and TTPs described in the original analysis.

CrowdStrike continues to track all other LightBasin reporting and associated malware families under the established activity cluster name and has released intelligence reporting, updating the LightBasin operational profile that provides accurate details regarding the actor’s target scope, TTPs and current malware attribution assessments.

LIMINAL PANDA Tools, Tactics and Behaviors

The LIMINAL PANDA adversary targets telecom providers with various tools that enable covert access, command and control, and data exfiltration. In 2020 and 2021, LIMINAL PANDA likely targeted multiple telecommunications providers, using access to these entities to compromise organisations.

The adversary demonstrates extensive knowledge of telecom networks, including understanding interconnections between providers and the protocols that support mobile telecommunications. LIMINAL PANDA emulates global system for mobile communications (GSM) protocols to enable command and control, and has developed tooling to retrieve mobile subscriber information, call metadata, and text messages.

LIMINAL PANDA employs a combination of custom malware, publicly available tools and proxy software to route command and control communications through different network segments.

LIMINAL PANDA conducts intrusion activity that poses a significant potential threat to telecommunications entities. The adversary targets these organisations to directly collect network telemetry and subscriber information or to breach other telecommunications entities by exploiting the industry’s interoperational connection requirements. LIMINAL PANDA’s likely operational motivations, indicated by their development and deployment of tooling specific to telecommunications technology, closely align with signals intelligence collection operations for intelligence gathering, as opposed to establishing access for financial gain.

LIMINAL PANDA has previously focused on telecommunications providers in Southern Asia and Africa, suggesting that their final targets likely reside in these regions; however, individuals roaming in these areas may also be targeted depending on the compromised network’s configuration and LIMINAL PANDA’s current access. Equally, depending on their current collection requirements, the adversary could employ similar TTPs to target telecoms in other regions.

CrowdStrike Intelligence assesses LIMINAL PANDA’s activity aligns with China-nexus cyber operations. This assessment is made with low confidence based on the following factors, which do not strongly indicate attribution on their own due to their non-exclusive nature:

  • Targeting organisations operating in countries associated with China’s Belt and Road Initiative, a national-level strategy seeking to establish economic opportunities aligned with Beijing’s prioritised interests outlined in China’s 13th and 14th Five-Year Plans.
  • Using a Pinyin string (wuxianpinggu507) for SIGTRANSlator’s XOR key and as the password for some of LIMINAL PANDA’s remote proxy services. This term is also similar to the domain wuxiapingg[.]ga, which was previously hosted on a LIMINAL PANDA-associated IP address. Several other domain names that overlap with LIMINAL PANDA’s infrastructure also used Pinyin representations of Mandarin terms, further suggesting that actors associated with the group’s infrastructure likely speak Chinese.
  • Using the domain name wuxiapingg[.]ga as delivery infrastructure and C2 for Cobalt Strike, a commercially available remote access tool that China-nexus actors frequently use.
  • Using Fast Reverse Proxy and the publicly available TinyShell backdoor, both of which have also been used by multiple Chinese adversaries, including SUNRISE PANDA and HORDE PANDA.
  • Using VPS infrastructure supplied by Vultr, a provider commonly, albeit not exclusively, used by China-nexus adversaries and actors.

Recommendations

LIMINAL PANDA’s known intrusion activity has typically abused trust relationships between telecommunications providers and lax security policies, allowing the adversary to access core infrastructure from external hosts.

These recommendations can be implemented to help protect against the activity described in this blog:

  • Deploy an advanced, real-time endpoint detection and response (EDR) solution, such as CrowdStrike Falcon, across the network environment, including on servers considered inaccessible from the public internet;
  • Implement complex password strategies, avoiding default or generic options, for SSH authentication or employ more secure methods such as SSH key authentication, particularly on servers that accept connections from external organisations (e.g., eDNS servers);
  • Minimise the number of publicly accessible services operating on servers that accept connections from external organisations to those required for organisational interoperation;
  • Enforce internal network access control policies for servers according to role and requirement (e.g., minimise opportunities for access from eDNS servers to other management devices and network infrastructure unless necessary for administration purposes); in these cases, access should be constrained by secure authentication mechanisms;
  • Log SSH connections between internal servers and monitor them for anomalous activity;
  • Verify iptables rules implemented on servers, checking for the presence of abnormal entries that enable inbound access from unknown external IP addresses; and
  • Employ file integrity checking mechanisms on critical system service binaries such as iptables to identify if they are unexpectedly modified or replaced.
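The iptables review in the recommendations above can be scripted. The following is an added example, not code from CrowdStrike or the original post: it parses `iptables-save` output and flags INPUT ACCEPT rules that either have no source restriction or accept traffic from a source outside an allowlist of known partner and internal ranges. The allowlist ranges and the sample rule set are constructed for illustration.

```python
"""Audit iptables-save output for inbound ACCEPT rules from unexpected sources."""
import ipaddress
import re

# Constructed allowlist: a partner interconnect range and the internal RFC 1918 space.
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed sample of `iptables-save` output (not taken from any real host).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp --dport 53 -j ACCEPT
-A INPUT -s 10.20.0.5/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.77/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
COMMIT
"""

INPUT_ACCEPT_RE = re.compile(r"^-A INPUT\b(?P<args>.*)-j ACCEPT\s*$")
SOURCE_RE = re.compile(r"(?:-s|--source)\s+(\S+)")


def suspicious_inbound_rules(rules_text, allowed=ALLOWED_SOURCES):
    """Return (rule, reason) pairs for INPUT ACCEPT rules worth a human review."""
    findings = []
    for line in rules_text.splitlines():
        match = INPUT_ACCEPT_RE.match(line)
        if not match:
            continue
        args = match.group("args")
        if "--ctstate" in args:
            # Stateful return traffic, not a new inbound opening.
            continue
        src = SOURCE_RE.search(args)
        if src is None:
            findings.append((line, "no source restriction"))
            continue
        net = ipaddress.ip_network(src.group(1), strict=False)
        if not any(net.subnet_of(a) for a in allowed if a.version == net.version):
            findings.append((line, f"source {net} not in allowlist"))
    return findings


if __name__ == "__main__":
    for rule, reason in suspicious_inbound_rules(SAMPLE_RULES):
        print(f"{reason}: {rule}")
```

On a live host, feed it the output of `iptables-save` and replace the allowlist with the ranges the server is actually expected to accept from.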