
Hackers Plant Covert Malware in Major Telecom Networks

A state-sponsored threat actor, CL-STA-0969, has been targeting telecommunications organizations in Southeast Asia in a sophisticated espionage campaign lasting 10 months. According to Palo Alto Networks Unit 42, the attackers focused on critical telecom infrastructure between February and November 2024. The campaign is notable for its high operational security (OPSEC) and the deployment of specialized tools like Cordscan to collect mobile device location data. While the group gained remote control over compromised networks, researchers found no evidence of data exfiltration. The actor shares significant overlaps with the China-nexus group Liminal Panda, indicating a calculated and persistent effort to maintain stealthy access to sensitive networks.

A state-sponsored threat actor, identified as CL-STA-0969, has been targeting telecommunications organizations in Southeast Asia to facilitate remote control over their compromised networks.

Palo Alto Networks Unit 42 reported observing multiple incidents in the region, including a prolonged attack on critical telecommunications infrastructure that lasted from February to November 2024. The attacks are characterized by the use of several tools to enable remote access and the deployment of Cordscan, a malware capable of collecting location data from mobile devices.

Despite the intrusion, the cybersecurity firm stated it found no evidence of data exfiltration from the investigated networks. The attackers also made no apparent effort to track or communicate with target devices within the mobile networks.

“The threat actor behind CL-STA-0969 maintained high operational security (OPSEC) and employed various defense evasion techniques to avoid detection,” said security researchers Renzon Cruz, Nicolas Bareil, and Navin Thomas in a report.

Overlapping Threat Actors

Unit 42 noted that CL-STA-0969 shares significant overlaps with a cluster tracked by CrowdStrike as Liminal Panda, a China-nexus espionage group. Liminal Panda has been linked to attacks on telecommunications entities in South Asia and Africa since at least 2020 for intelligence gathering purposes.

It’s also worth noting that some of Liminal Panda’s tactics were previously attributed to another threat actor known as LightBasin (or UNC1945), which has also been targeting the telecom sector since 2016. LightBasin, in turn, overlaps with a third cluster, UNC2891, a financially motivated group known for its attacks on Automatic Teller Machine (ATM) infrastructure.

“While this cluster significantly overlaps with Liminal Panda, we have also observed overlaps in attacker tooling with other reported groups and activity clusters, including Light Basin, UNC3886, UNC2891, and UNC1945,” the researchers pointed out.

Tools of the Trade

In at least one case, CL-STA-0969 is believed to have used brute-force attacks against SSH authentication for initial compromise. From there, the actor deployed various implants, including:

  • AuthDoor: A malicious Pluggable Authentication Module (PAM) that functions similarly to SLAPSTICK, stealing credentials and providing persistent access via a hard-coded magic password.

  • Cordscan: A network scanning and packet capture utility previously attributed to Liminal Panda.

  • GTPDOOR: A malware specifically designed for deployment in telecom networks adjacent to GPRS roaming exchanges.

  • EchoBackdoor: A passive backdoor that listens for ICMP echo requests containing C2 instructions and sends results back via an unencrypted ICMP Echo Reply packet.

  • SGSN Emulator (sgsnemu): An emulation software used to tunnel traffic through the telecom network, bypassing firewall restrictions. Also previously linked to Liminal Panda.

  • ChronosRAT: A modular ELF binary capable of shellcode execution, file operations, keylogging, port forwarding, remote shell, screenshot capture, and proxying.

  • NoDepDNS (MyDns): A Golang backdoor that creates a raw socket to passively listen for commands delivered via DNS messages on UDP port 53.
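EchoBackdoor and NoDepDNS, as described above, are passive implants that hide tasking inside protocols that normally carry nothing worth reading. The following is an added example, not code from the Unit 42 report or this article, showing the defender's counterpart: a small Python checker that parses raw ICMP echo messages and flags payloads that do not look like the filler ordinary ping tools send. The filler model, the sample packets and every function name here are assumptions constructed for the example.

```python
import struct

# Assumed model of the filler ordinary ping tools send: Windows ping uses the
# 32-byte alphabet below; Linux iputils sends a timestamp (8 or 16 bytes) then 0x10, 0x11, ...
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed ICMP echo request (type 8) or reply (type 0)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def looks_like_standard_ping(payload: bytes) -> bool:
    """True if the payload matches the filler a normal ping tool generates."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    for ts_len in (8, 16):  # assumed timestamp sizes
        filler = payload[ts_len:]
        if len(payload) >= ts_len and filler == bytes((0x10 + i) & 0xFF for i in range(len(filler))):
            return True
    return False

def inspect_echo(packet: bytes) -> dict:
    """Classify one raw ICMP message (ICMP header + data, no IP header)."""
    if len(packet) < 8:
        return {"suspicious": True, "reason": "truncated ICMP header"}
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    verdict = {"type": icmp_type, "id": ident, "seq": seq, "suspicious": False, "reason": "not an echo message"}
    if icmp_type not in (0, 8):
        return verdict  # only echo request/reply are modelled here
    if icmp_checksum(packet) != 0:
        verdict.update(suspicious=True, reason="bad ICMP checksum")
    elif looks_like_standard_ping(packet[8:]):
        verdict["reason"] = "standard ping filler"
    else:  # opaque bytes where filler belongs: the shape an ICMP backdoor exchange has
        verdict.update(suspicious=True, reason="non-standard echo payload")
    return verdict

# Constructed samples: a normal Linux-style ping, then a request/reply pair carrying text.
NORMAL_PING = build_echo(8, 0x1234, 1, b"\x00" * 16 + bytes(range(0x10, 0x38)))
ODD_REQUEST = build_echo(8, 0x1234, 2, b"constructed tasking text")
ODD_REPLY = build_echo(0, 0x1234, 2, b"constructed result text")
```

Feeding the ICMP portion of captured packets through inspect_echo gives a cheap first-pass filter; a hit is a prompt for closer inspection, since legitimate tools with custom payloads will also trip it.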

“CL-STA-0969 leveraged different shell scripts that established a reverse SSH tunnel along with other functionalities,” the researchers noted. “CL-STA-0969 systematically clears logs and deletes executables when they are no longer needed, to maintain a high degree of OPSEC.”

The threat actor’s broad portfolio of malicious tools also includes Microsocks proxy, Fast Reverse Proxy (FRP), FScan, Responder, and ProxyChains. Additionally, they used programs to exploit Linux and UNIX-based system flaws (CVE-2016-5195, CVE-2021-4034, and CVE-2021-3156) for privilege escalation.

Advanced Evasion Tactics

Beyond using a mix of bespoke and public tools, the threat actors employed several strategies to fly under the radar. These tactics include DNS tunneling, routing traffic through other compromised mobile operators, erasing authentication logs, disabling Security-Enhanced Linux (SELinux), and disguising process names to blend in with the target environment.

“CL-STA-0969 demonstrates a deep understanding of telecommunications protocols and infrastructure,” Unit 42 concluded. “Its malware, tools and techniques reveal a calculated effort to maintain persistent, stealthy access. It achieved this by proxying traffic through other telecom nodes, tunneling data using less-scrutinized protocols and employing various defense evasion techniques.”

China Accuses U.S. Agencies of Targeting Military and Research Institutions

This disclosure coincides with an accusation from the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT). CNCERT alleged that U.S. intelligence agencies weaponized a Microsoft Exchange zero-day exploit to steal defense-related information and hijack over 50 devices from a “major Chinese military enterprise” between July 2022 and July 2023.

The agency also claimed that high-tech military universities, research institutes, and enterprises in China were targeted to siphon valuable data. Among them was a military enterprise in the communications and satellite sectors, allegedly attacked from July to November 2024 by exploiting vulnerabilities in its electronic file systems.

This attribution effort mirrors tactics from the West, which has repeatedly blamed China for major cyber attacks.

When asked about Chinese hacking of U.S. telecom systems on Fox News last month, U.S. President Donald Trump commented, “You don’t think we do that to them? We do. We do a lot of things. That’s the way the world works. It’s a nasty world.”
