Chinese-Sponsored Hacking Group Liminal Panda Targets Telecom Providers
Summary:
CrowdStrike has identified a previously unknown Chinese cyber espionage group, Liminal Panda, which has been active since at least 2020 and is believed to be behind cyber intrusions targeting telecom providers. These intrusions were previously attributed to the Chinese hacking group LightBasin (UNC1945). Liminal Panda’s primary targets are telecom companies in countries associated with China’s Belt and Road Initiative (BRI), and their activities align with signals intelligence (SIGINT) gathering operations. The group has used a variety of tools, including custom malware and publicly available backdoors, to exploit vulnerabilities in telecom infrastructure. CrowdStrike has provided several mitigation strategies to help defend against Liminal Panda’s tactics.
Security Officer Comments:
Liminal Panda's intrusion campaigns seem to be part of a broader Chinese strategy to monitor and exploit telecom providers, particularly in regions where China’s geopolitical interests are focused. Their operations appear sophisticated, targeting not just specific companies but entire networks, often exploiting industry-specific trust relationships and interconnections. This group's activities demonstrate a high level of technical expertise in telecommunications, further indicating its likely ties to state-sponsored operations. While the group’s direct link to the Chinese government remains inconclusive, the patterns, tools, and targets suggest a strong China nexus, with potential geopolitical motivations rather than financial gain.
Suggested Corrections:
CrowdStrike recommends several key security measures to mitigate risks posed by Liminal Panda:
Link(s):
https://www.crowdstrike.com/en-us/blog/liminal-panda-telecom-sector-threats/
https://www.infosecurity-magazine.com/news/chinese-apt-targets-telecoms-bri/