Liminal Panda
| Actor Type | Nation State |
|---|---|
| Attributed to Nation | China |
LIMINAL PANDA is a China-nexus state-sponsored actor tracked by CrowdStrike that has been targeting telecommunications entities since at least 2020. This adversary has been observed using custom tools to enable covert access, command and control (C2), and data exfiltration. According to CrowdStrike researchers, the group shows extensive knowledge of telecommunications networks, including an understanding of the interconnections between providers. They employ various techniques, such as emulating Global System for Mobile Communications (GSM) protocols to enable C2 and developing tools to retrieve mobile subscriber information, call metadata, and text messages. Their activities align with signals intelligence (SIGINT) collection operations for intelligence gathering (espionage), rather than financial gain.
CrowdStrike reporting suggests that LIMINAL PANDA's operations have been primarily focused on telecommunications providers in southern Asia and Africa, but the group's tactics could be employed to target telecoms in other regions depending on its current collection requirements. CrowdStrike's attribution to China is made with low confidence, based on factors such as targeting aligned with China's Belt and Road Initiative, use of Pinyin in attacker-controlled infrastructure, and overlap in tools and infrastructure with other Chinese adversaries.