A threat actor known as Liminal Panda has been conducting surveillance on mobile phones in Asia and Africa for over four years, according to recent revelations. The group’s activities were brought to light by Adam Meyers, senior vice president for counter-adversary operations at CrowdStrike, during his testimony before the US Senate Judiciary Subcommittee on Privacy, Technology, and the Law on Nov. 19.
During his testimony, Meyers focused on Chinese cyber threats to critical infrastructure and detailed the operations of Liminal Panda, an advanced persistent threat (APT) group that specifically targets telecommunications networks to gather intelligence. Since 2020, the group has used network-based attacks to infiltrate telcos and move between them across different regions, extracting SMS messages, unique subscriber identifiers, and other mobile-phone metadata that could be advantageous to the Chinese government.
According to Meyers, Liminal Panda’s modus operandi involves infiltrating telcos’ IT network infrastructure to collect call and text records, as well as other sensitive identifying data. The group targets the core of the telco’s network, where routing decisions are made, which allows it to intercept and gather information as it passes through.
To facilitate the extraction of this data, Liminal Panda has set up command-and-control (C2) infrastructure that mimics the Global System for Mobile Communications (GSM), a standard used for mobile communications worldwide. Because the C2 traffic resembles the telecom protocols already present on these networks, the group can exfiltrate information while evading detection.
In addition to targeting individual telcos, Liminal Panda has been observed moving between different providers by leveraging the interconnections that exist between them. By exploiting industry-specific telecom protocols and abusing the Domain Name System (DNS), the group establishes multiple routes for traversing from one provider to another, improving its ability to conduct surveillance undetected.
The ultimate goal of Liminal Panda’s activities is believed to be in line with China’s strategic interests. Meyers highlighted how oppressive governments often use telecommunications breaches to spy on foreign officials, dissidents, journalists, and academics. If Liminal Panda is indeed working on behalf of China, as assessed by CrowdStrike, then the spying campaign could serve both political and economic purposes by providing valuable information for major national projects and economic espionage initiatives.
Overall, the activities of Liminal Panda underscore the growing threat posed by sophisticated actors targeting critical infrastructure and telecommunications networks. As cybersecurity experts continue to monitor and counter these groups, sustained vigilance and robust security controls remain essential to safeguard sensitive data and mitigate the risks associated with such advanced threats.