CL-STA-0969 Installs Covert Malware in Telecom Networks During 10-Month Espionage Campaign

News Room, published 2 August 2025 (last updated 2025/08/02 at 1:13 PM)
Telecommunications organizations in Southeast Asia have been targeted by a state-sponsored threat actor known as CL-STA-0969 to facilitate remote control over compromised networks.

Palo Alto Networks Unit 42 said it observed multiple incidents in the region, including one aimed at critical telecommunications infrastructure between February and November 2024.

The attacks are characterized by the use of several tools to enable remote access, as well as the deployment of Cordscan, which can collect location data from mobile devices.

However, the cybersecurity company said it found no evidence of data exfiltration from the networks and systems it investigated, nor any attempt by the attackers to track or communicate with target devices inside the mobile networks.

“The threat actor behind CL-STA-0969 maintained high operational security (OPSEC) and employed various defense evasion techniques to avoid detection,” security researchers Renzon Cruz, Nicolas Bareil, and Navin Thomas said.

CL-STA-0969, per Unit 42, shares significant overlaps with a cluster tracked by CrowdStrike under the name Liminal Panda, a China-nexus espionage group that has been attributed to attacks directed against telecommunications entities in South Asia and Africa since at least 2020 with the goal of intelligence gathering.

It’s worth noting that some aspects of Liminal Panda’s tradecraft were previously attributed to another threat actor called LightBasin (aka UNC1945), which has also singled out the telecom sector since 2016. LightBasin, for its part, overlaps with a third cluster dubbed UNC2891, a financially motivated crew known for its attacks on Automated Teller Machine (ATM) infrastructure.

“While this cluster significantly overlaps with Liminal Panda, we have also observed overlaps in attacker tooling with other reported groups and activity clusters, including Light Basin, UNC3886, UNC2891, and UNC1945,” the researchers pointed out.

In at least one case, CL-STA-0969 is believed to have brute-forced SSH authentication for initial access, then used that foothold to drop various implants, including:

  • AuthDoor, a malicious Pluggable Authentication Module (PAM) that works similarly to SLAPSTICK (originally attributed to UNC1945) to steal credentials and provide persistent access to the compromised host via a hard-coded magic password
  • Cordscan, a network scanning and packet capture utility (previously attributed to Liminal Panda)
  • GTPDOOR, a malware explicitly designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges
  • EchoBackdoor, a passive backdoor that listens for ICMP echo request packets carrying command-and-control (C2) instructions, extracts and executes the command, and returns the output to the operator in an unencrypted ICMP echo reply packet
  • Serving GPRS Support Node (SGSN) Emulator (sgsnemu), an emulation software to tunnel traffic via the telecommunications network and bypass firewall restrictions (previously attributed to Liminal Panda)
  • ChronosRAT, a modular ELF binary that’s capable of shellcode execution, file operations, keylogging, port forwarding, remote shell, screenshot capture, and proxy capabilities
  • NoDepDNS (internally referred to as MyDns), a Golang backdoor that creates a raw socket and passively listens for UDP traffic on port 53 to parse incoming commands via DNS messages
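A PAM module only gets to grant access if it sits in the auth stack with a control value that lets its success decide the outcome, so the first thing to audit on a suspected host is the stack itself. The auditor below is an added example, not Unit 42's code and not a signature for AuthDoor (the page says only that AuthDoor is a malicious PAM module with a hard-coded magic password); the module allow-list, the standard module directories and both sample configurations are constructed for illustration.

```python
"""Audit a PAM auth stack for modules that could hide a magic-password backdoor.

Added example, not Unit 42's code and not a signature for AuthDoor: it checks
the generic ways a PAM module obtains a vote in authentication. The allow-list
and the sample stacks are constructed; extend the list for your distribution.
"""
import re

KNOWN_AUTH_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_faildelay.so", "pam_deny.so", "pam_permit.so",
    "pam_succeed_if.so", "pam_sss.so", "pam_faillock.so", "pam_localuser.so",
    "pam_nologin.so", "pam_securetty.so", "pam_usertype.so", "pam_krb5.so", "pam_ldap.so",
}
STANDARD_MODULE_DIRS = (
    "/lib/security/", "/lib64/security/", "/usr/lib/security/", "/usr/lib64/security/",
    "/lib/x86_64-linux-gnu/security/", "/usr/lib/x86_64-linux-gnu/security/",
)
# type  control  module-path [args]; the control may be a bracketed action list.
PAM_LINE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)


def parse_pam_config(text: str) -> list:
    """Turn a pam.d file into entries; unparsable lines are kept as errors."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue  # audit included files by running this over each of them
        m = PAM_LINE.match(line)
        if not m:
            entries.append({"lineno": lineno, "error": line})
            continue
        entry = m.groupdict()
        entry["lineno"] = lineno
        entry["type"] = entry["type"].lstrip("-")  # leading '-' only silences load errors
        entries.append(entry)
    return entries


def short_circuits(control: str) -> bool:
    """True if this module's success can end the stack before later modules vote:
    'sufficient', or a bracketed action that returns or jumps on success."""
    if control == "sufficient":
        return True
    return bool(re.search(r"success=(done|\d+)", control))


def audit_auth_stack(text: str) -> list:
    """Findings for the auth stack: unknown modules, odd load paths, and any
    module that can grant access before pam_unix.so has been consulted."""
    findings = []
    seen_pam_unix = False
    for e in parse_pam_config(text):
        if "error" in e:
            findings.append("line %d: unparsable entry: %s" % (e["lineno"], e["error"]))
            continue
        if e["type"] != "auth":
            continue
        module = e["module"]
        base = module.rsplit("/", 1)[-1]
        if "/" in module and not module.startswith(STANDARD_MODULE_DIRS):
            findings.append("line %d: module loaded from non-standard path %s" % (e["lineno"], module))
        if base not in KNOWN_AUTH_MODULES:
            findings.append("line %d: unrecognised auth module %s" % (e["lineno"], base))
        if base != "pam_unix.so" and not seen_pam_unix and short_circuits(e["control"]):
            findings.append("line %d: %s can grant access before pam_unix.so runs" % (e["lineno"], base))
        if base == "pam_unix.so":
            seen_pam_unix = True
    return findings


CLEAN_STACK = """\
# constructed Debian-style common-auth
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""

SUSPECT_STACK = """\
# constructed RHEL-style stack with an extra module inserted ahead of pam_unix
auth    required     pam_env.so
auth    sufficient   /lib64/security/pam_unix2.so
auth    sufficient   pam_unix.so nullok try_first_pass
auth    requisite    pam_succeed_if.so uid >= 1000 quiet_success
auth    required     pam_deny.so
"""

if __name__ == "__main__":
    for finding in audit_auth_stack(SUSPECT_STACK):
        print(finding)
```

This only catches modules that announce themselves in the configuration. A trojanised pam_unix.so itself, or a module that steals the password without changing the verdict, passes this audit, so pair it with an integrity check of the module files against the package manager (`rpm -Vf /lib64/security/pam_unix.so` or `dpkg --verify libpam-modules`) and with the file-modification timeline of the security directory.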

“CL-STA-0969 leveraged different shell scripts that established a reverse SSH tunnel along with other functionalities,” Unit 42 researchers noted. “CL-STA-0969 systematically clears logs and deletes executables when they are no longer needed, to maintain a high degree of OPSEC.”

Adding to the already broad portfolio of tools the threat actor has deployed are Microsocks proxy, Fast Reverse Proxy (FRP), FScan, Responder and ProxyChains, along with exploits for known privilege-escalation flaws in Linux and UNIX-based systems: CVE-2016-5195 (Dirty COW, a race in the Linux kernel's copy-on-write handling), CVE-2021-4034 (PwnKit, in polkit's pkexec) and CVE-2021-3156 (Baron Samedit, a heap overflow in sudo).

Besides using a combination of bespoke and publicly available tooling, the threat actors have been found to adopt a number of strategies to fly under the radar. This encompasses DNS tunneling of traffic, routing traffic through compromised mobile operators, erasing authentication logs, disabling Security-Enhanced Linux (SELinux), and disguising process names with convincing names that match the target environment.
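NoDepDNS (listed above) and the DNS tunneling mentioned here both rely on DNS messages that look like ordinary queries to anything not inspecting the name and record type. The parser and scorer below are an added example, not Unit 42's code and not NoDepDNS's actual encoding (the page says only that the backdoor reads commands out of DNS messages arriving on UDP/53); the two sample queries, the two-label approximation of the registered domain and the thresholds are constructed for illustration.

```python
"""Parse raw DNS queries and score them for tunneling or command delivery.

Added example, not code from Unit 42 or from NoDepDNS: the sample queries and
thresholds are constructed to show generic DNS-tunnel indicators.
"""
import math
import struct

QTYPE_A, QTYPE_NULL, QTYPE_TXT = 1, 10, 16


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal standard query (used here only to construct samples)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes) -> dict:
    """Decode the header and first question of a DNS message. A query's question
    section never needs name compression, so a pointer is treated as malformed."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    labels, offset = [], 12
    while True:
        if offset >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset:offset + length])
        offset += length
    if offset + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return {"id": txid, "flags": flags, "qdcount": qdcount, "labels": labels,
            "qtype": qtype, "qclass": qclass}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 4.0 for uniformly distributed hex, much lower for
    ordinary hostnames built from a few letters."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunnel_indicators(q: dict, zone_labels: int = 2) -> list:
    """Heuristics on the part of the name below the registered domain. Treating
    the last two labels as the zone is a simplification (assumption); production
    code should use the public suffix list."""
    reasons = []
    sub = q["labels"][:-zone_labels] if len(q["labels"]) > zone_labels else []
    encoded = b"".join(sub)
    if q["qdcount"] != 1:
        reasons.append("unusual qdcount %d" % q["qdcount"])
    if q["qtype"] in (QTYPE_NULL, QTYPE_TXT):
        reasons.append("qtype %d is commonly used to carry bulk data" % q["qtype"])
    if len(encoded) > 50:
        reasons.append("%d bytes of subdomain data" % len(encoded))
    if len(encoded) >= 16 and shannon_entropy(encoded) > 3.5:
        reasons.append("high-entropy subdomain (%.2f bits/byte)" % shannon_entropy(encoded))
    return reasons


def build_samples() -> dict:
    """Constructed queries: a routine A lookup and a tunnel-style TXT query whose
    subdomain is two 32-character hex chunks (every hex digit appears equally)."""
    chunk = "0123456789abcdef" * 2
    return {
        "benign": build_query("www.example.com", QTYPE_A),
        "tunnel": build_query("%s.%s.c2.example.com" % (chunk, chunk[::-1]), QTYPE_TXT),
    }


if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(label, tunnel_indicators(parse_question(raw)))
```

Run this over the UDP/53 payloads from a capture taken on the span port facing the suspect node, not from the node itself. Because NoDepDNS reads port-53 traffic from a raw socket instead of binding UDP/53, the host shows no listener in `ss -ulnp`; the raw socket is visible with `ss --raw -ap` and in /proc/net/raw, which is a useful host-side check on its own.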

“CL-STA-0969 demonstrates a deep understanding of telecommunications protocols and infrastructure,” Unit 42 said. “Its malware, tools and techniques reveal a calculated effort to maintain persistent, stealthy access. It achieved this by proxying traffic through other telecom nodes, tunneling data using less-scrutinized protocols and employing various defense evasion techniques.”
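ICMP is one of the less-scrutinized protocols the quote refers to, and EchoBackdoor (listed above) gives a defender two concrete handles: a request whose payload is not what any stock ping client sends, and a reply whose data is not a byte-for-byte copy of the request, which RFC 792 requires of a genuine echo reply. The detector below is an added example, not Unit 42's code and not EchoBackdoor's real framing (the page describes the behaviour, not the payload format); the command and output payloads, the identifiers and the stock-ping patterns it allow-lists are constructed for illustration.

```python
"""Flag ICMP echo traffic that carries commands or command output.

Added example, not Unit 42's code and not EchoBackdoor's real framing: the
command/response payloads below are constructed to illustrate the two
detectable properties of a backdoor that answers over echo replies.
"""
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
# Stock ping payloads: iputils fills bytes 8..55 with their own index and
# overwrites the first 8 or 16 with a timestamp; Windows sends the alphabet.
LINUX_PING_TAIL = bytes(range(0x10, 0x38))
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an echo request/reply (used here only to construct samples)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Parse an ICMP message (IP header already stripped) and verify its checksum."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:]}


def is_stock_ping_payload(payload: bytes) -> bool:
    if payload == WINDOWS_PING_DATA:
        return True
    return len(payload) == 56 and payload[16:] == LINUX_PING_TAIL


def printable_ratio(payload: bytes) -> float:
    if not payload:
        return 0.0
    return sum(1 for b in payload if 0x20 <= b < 0x7F or b in b"\n\t") / len(payload)


def suspicious_reasons(msg: dict) -> list:
    """Per-packet heuristics; an empty list means the packet looks like ordinary ping."""
    payload = msg["payload"]
    if msg["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or is_stock_ping_payload(payload):
        return []
    reasons = []
    if len(payload) not in (32, 56, 64):
        reasons.append("non-standard payload length %d" % len(payload))
    if len(payload) >= 4 and printable_ratio(payload) > 0.9:
        reasons.append("payload is mostly printable text")
    return reasons


def echo_flow_alerts(packets: list) -> list:
    """Pair requests and replies by (id, seq). RFC 792 requires a reply to echo the
    request data unchanged, so a reply whose payload differs is the strongest
    signal that something other than the kernel answered the request."""
    alerts, requests = [], {}
    for raw in packets:
        msg = parse_icmp(raw)
        key = (msg["id"], msg["seq"])
        for reason in suspicious_reasons(msg):
            alerts.append("type=%d id=%#x seq=%d: %s" % (msg["type"], key[0], key[1], reason))
        if msg["type"] == ICMP_ECHO_REQUEST:
            requests[key] = msg["payload"]
        elif msg["type"] == ICMP_ECHO_REPLY and key in requests and requests[key] != msg["payload"]:
            alerts.append("id=%#x seq=%d: reply payload differs from request" % key)
    return alerts


def build_samples() -> list:
    """Constructed traffic: one stock Linux ping exchange, then a command carried
    in a request and its output returned in the reply (an invented framing)."""
    ping_data = b"\x00" * 16 + LINUX_PING_TAIL
    cmd, out = b"id; uname -a", b"uid=0(root) gid=0(root)\nLinux host 5.10 x86_64\n"
    return [
        build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, ping_data),
        build_echo(ICMP_ECHO_REPLY, 0x1234, 1, ping_data),
        build_echo(ICMP_ECHO_REQUEST, 0xBEEF, 7, cmd),
        build_echo(ICMP_ECHO_REPLY, 0xBEEF, 7, out),
    ]


if __name__ == "__main__":
    for alert in echo_flow_alerts(build_samples()):
        print(alert)
```

The request/reply mismatch check is the one worth keeping even if the per-packet heuristics prove noisy in a given network: monitoring tools and load balancers send ping payloads of their own, so the stock-payload allow-list needs tuning per fleet, but nothing legitimate answers an echo request with different data.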

China Accuses U.S. Agencies of Targeting Military and Research Institutions

The disclosure comes as the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) accused U.S. intelligence agencies of weaponizing a Microsoft Exchange zero-day exploit to steal defense-related information and hijack more than 50 devices belonging to a “major Chinese military enterprise” between July 2022 and July 2023.

The agency also said high-tech military-related universities, scientific research institutes, and enterprises in the country were targeted as part of these attacks to siphon valuable data from compromised hosts. Among those targeted was a Chinese military enterprise in the communications and satellite internet sectors that was attacked from July to November of 2024 by exploiting vulnerabilities in electronic file systems, CNCERT alleged.

The attribution effort mirrors a tactic used by Western governments, which have repeatedly blamed China for major cyber attacks, most recently the zero-day exploitation of Microsoft SharePoint Server.

Asked last month about Chinese hacking into U.S. telecom systems and theft of intellectual property on Fox News, U.S. President Donald Trump said, “You don’t think we do that to them? We do. We do a lot of things. That’s the way the world works. It’s a nasty world.”
