CL-STA-0969 Deploys Hidden Malware in Telecommunications Infrastructures Throughout a 10-Month Intelligence Gathering Operation.

Telecommunications organisations in Southeast Asia have been targeted by a state-sponsored threat actor tracked as CL-STA-0969, whose goal was to gain and keep remote control over compromised networks. Palo Alto Networks Unit 42 reported multiple incidents in the region, including one that specifically targeted critical telecommunications infrastructure between February and November 2024. The attacks are characterised by the use of several tools to enable remote access, including the deployment of Cordscan, a tool capable of collecting location data from mobile devices. However, the cybersecurity firm found no evidence of data exfiltration from the networks and systems it investigated, and no attempts by the attackers to track or communicate with target devices within the mobile networks. The researchers, Renzon Cruz, Nicolas Bareil, and Navin Thomas, noted that CL-STA-0969 maintained high operational security (OPSEC) and employed numerous defence evasion techniques to avoid detection.

Unit 42 indicated that CL-STA-0969 shares significant overlaps with a cluster tracked by CrowdStrike under the name Liminal Panda, a China-nexus espionage group attributed to attacks against telecommunications entities in South Asia and Africa since at least 2020. Some aspects of Liminal Panda's tradecraft have previously been linked to another threat actor called LightBasin (also known as UNC1945), which has targeted the telecom sector since 2016. LightBasin in turn overlaps with a third cluster known as UNC2891, a financially motivated group recognised for its attacks on Automated Teller Machine (ATM) infrastructure. The researchers highlighted that CL-STA-0969 is believed to have used brute-force attacks against SSH authentication for initial compromise, after which it deployed various implants, including AuthDoor, Cordscan, GTPDOOR, EchoBackdoor, and the Serving GPRS Support Node (SGSN) Emulator (sgsnemu), which provide unauthorised access to, and the ability to manipulate data within, telecommunications networks.
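Because the report names SSH password brute-forcing as the initial access vector, the one log-level signal a defender can act on here is a burst of failed sshd password attempts from a single source followed by an accepted password login from that same source. The script below is an added example written for this page (not Unit 42's tooling and not tied to any specific indicator from the report); it parses OpenSSH auth messages in standard syslog format and flags that pattern. The log lines are constructed sample input, and the threshold of five failures is an arbitrary assumption to tune for your environment.

```python
"""Flag SSH password logins that follow a burst of failed attempts from the same source.

Added example, not from the Unit 42 report. Works on OpenSSH's standard
"Failed password" / "Accepted password" syslog messages.
"""
import re
from collections import defaultdict

# The two OpenSSH auth message shapes we care about. The optional
# "invalid user" prefix appears when the username does not exist locally.
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
OK_RE = re.compile(
    r"Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log lines (not real data): one source brute-forces root
# and succeeds, one legitimate admin typos once and then uses a key, and one
# logs in with a password with no prior failures.
SAMPLE_LOG = """\
Mar  3 02:10:01 gw01 sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 02:10:02 gw01 sshd[2203]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  3 02:10:04 gw01 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 50138 ssh2
Mar  3 02:10:05 gw01 sshd[2207]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar  3 02:10:07 gw01 sshd[2209]: Failed password for root from 203.0.113.7 port 50144 ssh2
Mar  3 02:10:09 gw01 sshd[2211]: Accepted password for root from 203.0.113.7 port 50150 ssh2
Mar  3 02:11:30 gw01 sshd[2250]: Failed password for ops from 198.51.100.20 port 41000 ssh2
Mar  3 02:11:40 gw01 sshd[2252]: Accepted publickey for ops from 198.51.100.20 port 41002 ssh2
Mar  3 02:12:00 gw01 sshd[2260]: Accepted password for ops from 192.0.2.9 port 39000 ssh2
"""


def detect_bruteforce_success(log_text, threshold=5):
    """Return a list of (ip, user, failures_before) tuples, one per password
    login that was accepted after at least `threshold` failed password
    attempts from the same source IP.

    Failures are counted per source IP across all usernames, because
    brute-forcers rotate usernames as well as passwords. Any successful
    login (password or key) resets that source's counter, so a later
    unrelated login is not blamed for an old burst.
    """
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            continue
        m = OK_RE.search(line)
        if m:
            ip = m.group("ip")
            if m.group("method") == "password" and failures[ip] >= threshold:
                hits.append((ip, m.group("user"), failures[ip]))
            failures[ip] = 0
    return hits


def failure_counts(log_text):
    """Return {ip: failed_password_attempts} for the whole log, useful for
    spotting sources that are still guessing and have not yet succeeded."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, user, n in detect_bruteforce_success(SAMPLE_LOG):
        print(f"ALERT: password login as {user!r} from {ip} after {n} failed attempts")
    print("failure counts:", failure_counts(SAMPLE_LOG))
```

On the sample input only 203.0.113.7 is flagged: the key-based login from 198.51.100.20 is ignored regardless of prior failures, and the password login from 192.0.2.9 had none. In practice you would run this over the auth logs of internet-facing and management-plane hosts, lower the threshold for accounts such as root that should never authenticate with a password at all, and treat any hit as a trigger to look for the follow-on implants the report describes rather than as the end of the investigation.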
