Chinese state-sponsored actors have become a major concern for western nations and organisations.
Volt Typhoon was found maintaining persistent access to US critical infrastructure for at least five years, whilst US telcos suffered as part of a wider espionage campaign conducted by Salt Typhoon.
Now, cyber security giant CrowdStrike has lifted the lid on LIMINAL PANDA, a threat actor that has been observed targeting telecommunications entities and performing mass data exfiltration.
Cyber Daily sat down with CrowdStrike Senior Vice President of Counter Adversary Operations Adam Meyers to discuss the LIMINAL PANDA findings.
Hi Adam, thanks for joining me today. Why don’t you start by introducing yourself?
Hey, I'm Adam Meyers. I run counter-adversary operations at CrowdStrike. This is a combination of our threat intelligence and threat hunting teams. And our job is to find and ultimately disrupt the bad guys when they start trying to gain access to our customers' environments.
Now, today we're discussing the state-sponsored activity on US telcos by a group being referred to as LIMINAL PANDA, something CrowdStrike has just published a detailed blog post on. Adam, can you give us a quick rundown on the threat group?
We track 60-plus China-nexus adversaries, and 15 of them have targeted telcos in recent months. Salt Typhoon, which has been in the press quite a bit here, has attracted a lot of attention.
Now we have also introduced LIMINAL PANDA, which is a threat actor that we have recently started tracking under that name. It was something we had previously kind of lumped in with another threat actor, which we track as LightBasin, though the LightBasin threat actor is not from China, but they were kind of on some of the similar targets.
After careful investigation, we realized it was two different adversaries. So, we started tracking LIMINAL PANDA separately.
How are LIMINAL PANDA breaching these networks? What are their key attack vectors?
I think we're seeing a lot of exploitation of external-facing devices, routers, gateways, things like that.
We've seen an uptick in Chinese targeting of external resources in the last couple of years. The Chinese have kind of consolidated their vulnerability research, when they modified the national security law back in 2018.
Typically in the U.S. or the U.K. or Australia, people would submit the vulnerability back to the vendor for analysis, and then ultimately they would fix it and then release it.
What we've seen in China is that they've actually kind of forced that process through the government, the MIIT up to CNITSEC, which is subordinate to the Ministry of State Security. So it's as if vulnerability researchers had to submit all the vulnerabilities found in Australia through the DSD or something like that.
Then they decide if they want to actually notify the vendor or if they want to use it for offensive operations. That's where we've seen the Chinese kind of modify their research, and what we're seeing is that there's an uptick in zero days and previously unknown vulnerabilities that they're then using against edge devices, gateways, VPN concentrators, all kinds of externally facing things.
Chinese intrusion activity was previously characterized by smash and grab, where they would use email and would social engineer somebody to click on an attachment, open it up and that would be the end of the day for them.
Now, they're really focused on using their persistent collection from things like telcos or managed service providers, or they'll target professional services or consulting firms and things like that. And this is how they are maintaining access at these higher level organizations.
What I'll say about LIMINAL PANDA additionally is that they have a lot of specific tooling that we disclosed in that blog post that they understand. They understand telco protocols. They understand legacy telecommunications protocols like GSM and GPRS and they've been able to hide some of their intrusion activity, their command and control information, things like that inside of legacy protocols that are not well understood by cybersecurity professionals.
Most of the time, they don't instrument them. They don't have visibility into those protocols. So, it basically becomes very difficult for a good guy to try to find it and track it.
In some cases, they've maintained persistent access for long periods of time. In other cases, we've disrupted them. Typically, we're disrupting them either by doing an incident response engagement, where they think something's wrong and they want to investigate it, or they might be worried that there's an adversary there that they're not aware of, so we'll do a compromise assessment and we'll find them. Or they're using our threat hunting service OverWatch, and the OverWatch team finds something, and then through that investigation we're able to dig into it.
So what are the goals of these espionage operations? Seems like a silly question but why telcos and what data is being collected?
It's a bulk collection. It's signals intelligence information that they're collecting through cyber means. They want, again, persistent access. For example, let's say there's a dissident that they have a problem with, or maybe somebody who's making a lot of money and they don't like how they're doing it, or they're making a lot of money and they're not going along with what the CCP is saying.
So, they want to put the screws to them, and we've seen evidence of MPS from China here in the US even where they're running these secret police stations and they're able to apply pressure to Chinese dissidents and people that are here and compel them to go back to China to stand trial or to go into a re-education type of situation.
So we know other Chinese state-sponsored threat groups have spent a long time on victim networks. Volt Typhoon for example were on critical infrastructure networks for at least five years according to reports. Have we seen LIMINAL PANDA spend a long time on these networks using living-off-the-land techniques?
So this is all extending the reach of China, where LIMINAL PANDA targeting is certainly consistent with things like the Belt and Road Initiative or some of the five-year plans or the Made in China 2025 initiative.
Volt Typhoon, specifically what we call Vanguard Panda, is a whole other set of concerns because that's pre-positioning, we believe, or operational preparation of the environment. They're attempting to maintain access so that, if there is a conflict around something like Taiwan, they can use that access to disrupt key logistics lines and disrupt the movement of material for the military, which would perhaps slow or otherwise disrupt the US response.
That's the concern. I don't know that we've got hard proof behind that. It's really just looking at who they're targeting and the fact that they are maintaining consistent access, so that they'll touch the infrastructure and make sure that they still have access, but they're not deploying things, which would be clear intent that that's what they're doing.
Thanks very much Adam, it was an absolute pleasure.
My pleasure to you and hopefully we can catch up again soon.