Liminal Panda: New Chinese Hacker Group Targets Telecoms
U.S. Senator Richard Blumenthal has declared that the operations of American technology companies in China pose a grave threat to U.S. national security. His statement was delivered during a Senate subcommittee hearing focused on cyber threats originating from China.
Blumenthal emphasized that the deep economic ties between the U.S. and China create significant risks for the nation. He drew particular attention to Elon Musk’s influence and the Pentagon’s reliance on SpaceX services. The senator noted that a substantial portion of Tesla’s production and sales is concentrated in China. Blumenthal also pointed out Musk’s public alignment with Chinese policies, including China’s stance on Taiwan, to protect his business interests in the country. According to Blumenthal, Chinese authorities may be leveraging Musk to exert influence on the U.S. government.
Apple also faced sharp criticism. Blumenthal underscored that the company complies with China’s demands for censorship and surveillance due to its heavy dependence on Chinese suppliers and market sales. The senator expressed doubt that SpaceX, Tesla, or Apple would prioritize U.S. security over their financial gains.
The hearing also addressed China’s cyber-espionage activities. CrowdStrike experts highlighted a new hacker group, Liminal Panda, which has infiltrated telecommunications networks across South Asia and Africa since 2020. The group employs malware, public tools, and proxies to gain network access, steal data, and surveil users. Liminal Panda uses proprietary tools such as TinyShell and ProxyChains to conceal its operations and control compromised systems.
Liminal Panda specializes in exploiting outdated and poorly secured communication protocols. In a recent incident, the group established multiple access channels to target networks, emulated GSM protocols to control attacks, and exfiltrated mobile user data, including call metadata and text messages. These tactics enabled detailed surveillance of individuals and the collection of device-specific data.
CrowdStrike reported that Chinese hackers have become more precise and strategic, focusing on gathering political, military, and scientific intelligence crucial to China’s interests. Rather than quick strikes, these groups now create long-term access to networks to collect data for future exploitation.
Particular attention was given to Vanguard Panda (also known as Volt Typhoon), which, according to experts, has already infiltrated critical U.S. systems. This activity is believed to be preparation for potential attacks in the event of heightened tensions over Taiwan. Experts warn that such actions could disrupt logistics and military operations, delaying the U.S. response to a crisis.
China has dismissed allegations surrounding Volt Typhoon as fabricated threats devised by the U.S. and its allies. Chinese authorities claim that U.S. intelligence agencies and the Five Eyes alliance conduct cyber espionage against China, France, Germany, Japan, and other nations while surveilling internet users worldwide. In July, Chinese experts published a report labeling Volt Typhoon as part of a disinformation campaign by American intelligence services.
Volt Typhoon, a codename for a Chinese cyber-espionage group identified by Western researchers, has reportedly targeted critical infrastructure since 2019. The group employs routers, firewalls, and VPNs to obscure its activities. In August 2024, Volt Typhoon was linked to the exploitation of a zero-day vulnerability in Versa Director, enabling the deployment of malware to exfiltrate sensitive data.
On May 24, 2023, the Five Eyes alliance issued a joint statement on Volt Typhoon’s activities, citing its connections to China. These conclusions were based on findings by Microsoft, but Chinese investigators conducted their own analysis, arguing that the group’s actions align more with ordinary cybercrime than with state-sponsored operations.