Cyber Threat Report: 'Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector'

Report Author: CrowdStrike
Publication Date: 2024-11-19
Original Reporting Source:
Attributed to Nation: China
Related Intrusion Sets: Liminal Panda
Victim Sectors: Telecommunications

This blog post describes LIMINAL PANDA, a China-nexus advanced persistent threat (APT) group identified by CrowdStrike and active since at least 2020. The actor primarily targets the telecommunications sector, leveraging its extensive knowledge of telecom networks and protocols. LIMINAL PANDA employs a combination of custom tools and publicly available software to enable persistent access, command and control (C2), and data exfiltration. Notable tools include SIGTRANslator, CordScan, and PingPong, which are tailored to telecommunications infrastructure. The group has been observed emulating GSM protocols, retrieving sensitive subscriber information, and abusing inter-provider trust relationships to propagate across networks. These activities align with signals intelligence (SIGINT) collection objectives, suggesting a focus on intelligence gathering and espionage rather than financial gain. Attribution to LIMINAL PANDA is supported by several indicators, including the use of Pinyin strings in malware and infrastructure, as well as the targeting of entities aligned with China’s Belt and Road Initiative (BRI). The group’s operational motivations and techniques strongly suggest alignment with broader Chinese cyber operations, although the exact threat actor behind the intrusions has not been identified. LIMINAL PANDA has predominantly targeted telecommunications providers in regions such as southern Asia and Africa, exploiting the industry’s interconnected nature to breach additional entities.
