Chinese cyberspies, Musk’s Beijing ties, labelled ‘real risk’ to US security by senator
Meet Liminal Panda, which prowls telecom networks in South Asia and Africa
A senior US senator has warned that American tech companies’ activities in China represent a national security risk, in a hearing that saw infosec biz CrowdStrike testify it has identified another cyber-espionage crew it believes is backed by Beijing.
The warning came from Senator Richard Blumenthal (D-CT), who chairs the Senate Committee on the Judiciary’s subcommittee on Privacy, Technology. At a Tuesday hearing titled “Big Hacks & Big Tech: China’s Cybersecurity Threat”, the senator used his opening remarks to state that “extensive economic ties and China's willingness to exploit them are a dangerous combination, a real risk to this country.”
Blumenthal focused on Elon Musk and the Pentagon's increasing reliance on the super-tycoon's SpaceX services.
"Tesla makes half of its cars and as much as a third of its sales in China," the senator added. "Elon Musk is so concerned about protecting Tesla's market access that he pledged to uphold 'core socialist values' in China. He has been parroting Chinese talking points on Taiwan. Senior Chinese officials are even looking to use Mr. Musk to influence the White House."
Blumenthal also blasted Apple.
"Apple complies with China's censorship and surveillance demand because 20 percent of its sales and 80 percent of its suppliers are based in China. When forced to choose between American security and hugely profitable access to the Chinese market, Americans may doubt that SpaceX, Mr Musk, Tim Cook and other technology leaders will side with America," Blumenthal said.
Yet another unpleasant Panda
Much of the hearing focused on Chinese cyberspies, which gave CrowdStrike Senior VP of Counter Adversary Operations Adam Meyers the chance to use his testimony to discuss a Tuesday report in which his company identified another alleged Beijing-linked cyberspy crew, Liminal Panda.
Liminal Panda is one of 63 different "Pandas" that CrowdStrike tracks ("Panda" is the designation the cybersecurity firm gives to network intruders based in or linked to China), and Meyers said this one has been sneaking into telecommunications networks in South Asia and Africa since at least 2020.
Liminal Panda is not the same entity as Salt Typhoon. The latter cyber-espionage gang is also relatively new and has been accused by the US government of compromising "multiple" telcos in the US.
In 2020 and 2021, Liminal Panda "likely targeted multiple telecommunications providers, using access to these entities to compromise organizations," CrowdStrike’s report states. The infosec outfit, best known lately for that massive Windows screw-up, believes the crew uses a mix of custom malware, publicly available tools and proxy software to provide covert access, route command-and-control (C2) communications and ultimately steal sensitive data.
The group is also especially adept at understanding interconnections between providers and exploiting protocols that support mobile telecommunications — "legacy protocols that are largely unmanaged and unknown to cybersecurity professionals," Meyers told the Subcommittee.
In his testimony, Meyers detailed a recent incident that saw Liminal Panda compromise telecom networks, install multiple access routes to the targeted organizations, and snoop on their customers.
"The adversary ultimately emulated the global system for mobile communications (GSM) protocols to enable Command and Control (C2) and developed tooling to retrieve mobile subscriber information, call metadata and text messages, and facilitate data exfiltration," Meyers stated in his written remarks.
"Actions on objectives indicated additional adversary aims of surveilling targeted individuals by gathering metadata about their cellular devices," the testimony added.
Meyers has tracked China-based threats for more than two decades, and testified they have evolved from "smash-and-grab" raids to targeted activities that focus on high-value individuals and information. That often means targeting sources of political and military secrets, and intellectual property that can advance China's national interests.
Recent revelations about a group named Salt Typhoon demonstrate China’s intentions. Salt Typhoon is the Chinese government-linked cyberespionage crew suspected of breaking into T-Mobile US to some degree, plus Verizon, AT&T, and Lumen Technologies' networks. During some of those alleged breaches, they reportedly compromised certain providers' systems for handling lawful wiretapping by law enforcement and accessed phones belonging to US politicians and campaigns.
"This sophistication isn't necessarily just to be measured in terms of how they get in, but what they do when they get in," Meyers told the lawmakers.
"This really belies what their intention is: To collect large amounts of information that they can later exploit," he added. "They are now maintaining persistent and enduring access to those targets in order to continuously collect large amounts of information and exploit downstream relationships to other interesting targets."
Meyers also expressed "concern about prepositioning" by some Chinese groups. He singled out Vanguard Panda, aka Volt Typhoon, which the Feds and private security researchers feel has burrowed into US critical infrastructure to prepare for future disruptive attacks.
"If there was to be, for example, an escalation around Taiwan, they could use that access to disrupt logistic or military operations or critical infrastructure in the region that would potentially slow or disrupt the US response," Meyers said.