LIMINAL PANDA Threat Actor Exploits Global Telecoms for Espionage Operations
The adversary tracked as LIMINAL PANDA, a state-sponsored group with probable ties to China, is unveiled in CrowdStrike’s latest report. Active as early as 2016, LIMINAL PANDA focuses strategically on telecommunications companies in Asia and Africa, with potential targeting of individuals traveling in these regions as well. The motivations of this threat actor appear explicitly oriented toward intelligence collection rather than financial gain. LIMINAL PANDA has infiltrated telecommunications networks using publicly available tools like TinyShell and ProxyChains, along with telecommunications-specific custom tools, such as CordScan and SIGTRANslator, reflecting a deep understanding of telecom network operations and the interconnected nature of global telecom infrastructures.
According to CrowdStrike, LIMINAL PANDA’s expertise in telecommunications is evident in its compromise of telecom servers and expansion into other providers across various regions. "The adversary demonstrates extensive knowledge of telecommunications networks, including understanding interconnections between providers. LIMINAL PANDA has used compromised telecom servers to initiate intrusions into further providers in other geographic regions," CrowdStrike reports. The adversary’s objective centers on signals intelligence (SIGINT) operations, using this expanded access to exfiltrate critical telecom data, including mobile subscriber information, call metadata, and SMS records. Such capabilities indicate a high level of technical skill, particularly in leveraging mobile protocols like GSM to establish command and control (C2) connections.
LIMINAL PANDA’s toolkit includes both public and custom tools that enable covert access and data exfiltration, specifically designed to maintain persistent access in targeted telecom networks. The group uses custom tools like CordScan and SIGTRANslator to facilitate real-time mobile data collection. CrowdStrike notes, "The adversary conducts elements of their intrusion activity using protocols that support mobile telecommunications, such as emulating global system for mobile communications (GSM) protocols to enable C2, and developing tooling to retrieve mobile subscriber information, call metadata and text messages (SMS)." This focus on mobile-specific protocols supports their intelligence-gathering objectives and sets them apart from financially motivated actors.
CrowdStrike assesses with low confidence that LIMINAL PANDA’s activities align with China-nexus cyber operations, based on linguistic patterns and targeting consistent with China’s geopolitical interests. "LIMINAL PANDA’s activity aligns with China-nexus cyber operations. This assessment is made with low confidence," CrowdStrike states, attributing the low confidence to non-exclusive indicators like the use of Pinyin in malware code and the targeting of entities related to China’s Belt and Road Initiative (BRI). The group’s use of Chinese infrastructure providers and domain naming conventions further suggests this link. As LIMINAL PANDA continues to leverage trust relationships within telecom networks, the group poses a substantial and ongoing risk to telecommunications infrastructure worldwide, especially in regions strategically significant to China.