CrowdStrike’s Adam Meyers On ‘Up-Leveled’ Hacking By China, Threats To MSPs

With CrowdStrike uncovering another China-linked threat group focused on compromising telecom firms, the company’s threat intelligence head tells CRN that it’s a warning to all service providers that have access to client IT environments.

The uncovering of a second China-linked threat group focused on compromising telecommunications firms is a clear warning to all service providers that have access to client IT environments, CrowdStrike’s threat intelligence head told CRN.

This week, CrowdStrike’s Counter Adversary Operations unit disclosed its findings about a previously unknown threat actor known to target ISPs, which CrowdStrike is tracking as Liminal Panda.


It’s the second major Chinese hacking operation targeting ISPs to be disclosed recently, following the revelations about a cyber-espionage group tracked as Salt Typhoon. That threat actor has reportedly been responsible for recent compromises of Verizon, AT&T and T-Mobile, which have exposed customer data including communications involving U.S. officials.

In an interview with CRN, CrowdStrike’s Adam Meyers said the groups represent a concerning development in the strategy and capabilities of hacking groups connected to the Chinese government, which he said have clearly “up-leveled” their program.

From what’s known about the campaigns so far, it’s apparent that China-linked threat actors have shifted from targeting individual companies to focusing on compromising service providers that can potentially yield data from many different victims at once, said Meyers, senior vice president of counter adversary operations at CrowdStrike.

“It's a maturation of their program, simply put,” he said.

While these two groups are known to be targeting telecom firms at this point, China’s overall set of targets is “not just telcos,” Meyers said. “It's MSPs, it's consulting organizations, it's professional services organizations. They’re going to hit one victim that has multiple targets of interest.”

Ironically, he noted, “We were worried for years about one-off attacks against individual targets, which may have even driven a lot of those individual targets to say, ‘We can’t secure ourselves. We’re going to go to an MSP and we’re going to outsource that.’ And those MSPs now are becoming the new targets, and they need to be aware of that.”

The bottom line for MSPs is that “they need to recognize that they’re at a higher risk level than maybe even their individual customers are,” Meyers said.

Here is more of CRN’s interview with Meyers.

What are the main takeaways from these attacks?

I think the big takeaways are that we have a series of different Chinese threat actors—Salt Typhoon, Liminal Panda, there’s others out there—that have been targeting telco. In general, China has been very adept at increasing their ability to bulk collect [information]. The key story here is that five or six years ago, it was really about that smash-and-grab methodology—where they were using social engineering and emailed documents with exploits to drop Cobalt Strike or payloads. [Now they are] really focused on exploiting vulnerabilities in internet-facing appliances and gateways and systems, and they’re then using those vulnerabilities that they’ve exploited to gain an initial foothold and then move deeper into service providers. Their whole goal is to do bulk collection [of information].

What types of information are the threat actors typically seeking?

Full content [from communications], customer call data records, the ability to potentially get location information. There’s a lot you could do with that kind of information. What we’re talking about is Chinese nation-state threat actors who are specifically focused on being able to persistently collect intelligence across targets that they could select at the time that they need to collect that information. So rather than going after Company X to steal intellectual property or trade information or something like that, they’ve up-leveled it and they’re saying, ‘OK, let’s go after a telco. And then if we need to target somebody that’s a dissident, if we need to target somebody that’s a policymaker or a politician, now from the telco we can collect [information] on them. We can monitor who they’re texting with, and maybe even the content of their text messages. We can potentially monitor who they’re calling and potentially the content of the calls. We can monitor their location, and we can see, hey, if they’re moving from Point A to Point B, who else might be moving with them?’ And then that lets them expand their targeting capability there as well. It’s a maturation of their program, simply put.

What does this mean for defenders?

It means we need to mature our defenses, at a minimum. I think what we’re seeing is the cross-domain capability of these threat actors. We’ve seen that Chinese threat actors have been able to attack identity, to attack cloud control planes, to attack ICT [information and communications technology] legacy devices, unmanaged devices in these telcos. So in that kind of world, where the Chinese have increased their capabilities, we need to be able to increase the visibility that the defenders have, making sure that they have the ability to identify this activity in the identity domain or in the cloud control plane, which is something that they don’t currently have. And I think it’s also really important to note that in these telcos they’re still dependent on legacy protocols, legacy systems. They have to maintain GSM [global system for mobile communication], for example. So they have to maintain protocols and technology that was cutting-edge in the ’90s. And those things are unmanaged. They don’t run modern security stacks. So that’s where things like next-gen SIEM become really important because you need to take that telemetry and bring it into the dashboard of all the other data and all the other systems that we have. You could defend your home computer or your work computer as much as you want, but you’re dependent on the telco to defend that infrastructure underneath your cellphone, and you have no oversight or bearing on that.

Since Liminal Panda has been mainly focused on Southeast Asia and Africa, is it possible they will branch out to other regions?

The thing that’s really important to keep in mind is that they’re using the infrastructure against the victims. The telcos are constantly talking to each other to kind of pass off information. So when you land in England and you turn on your phone, you connect to the local tower, it passes you back to your provider so that they can work out how to bill you. That is part of the interconnectedness of all the telcos. And so [threat actors] are able to jump between telcos. We’ve seen Liminal Panda in a couple of places, but that doesn’t mean those are the only places they are. That just means that’s where we’ve been able to observe them. And they’re able to move back and forth and hop between telcos in many cases. It could also be that Salt Typhoon is more focused on the U.S. and Liminal Panda is focused on other areas.

How crucial is this targeting of telcos in their cyber strategy overall?

It’s not just telcos. It’s MSPs, it’s consulting organizations, it’s professional services organizations. They’re going to hit one victim that has multiple targets of interest. And so that’s really what we’re talking about with the maturation of their capabilities.

What do you think MSPs should take away from this?

They need to be vigilant. They need to realize they are being targeted by nation states like China. And they need to recognize that they’re at a higher risk level than maybe even their individual customers are. We’ve seen e-crime actors going down this path as well. [The strategy is to] ‘hack once, exploit many’—you have one victim, and there’s a whole set of sub-victims that you can pivot into. You can exploit that trust relationship or you can directly access the data by going into one of these MSPs, ISPs, telcos, professional services, consulting organizations. They’ve effectively become clearinghouses for information that you would want to steal or misuse.

I think it is an up-leveling of the techniques of China. We were worried for years about one-off attacks against individual targets, which may have even driven a lot of those individual targets to say, ‘We can’t secure ourselves. We’re going to go to an MSP and we're going to outsource that.’ And those MSPs now are becoming the new targets, and they need to be aware of that.

Any final thoughts on where this goes next?

We’re continuing to keep vigilant on this. We’re continuing to monitor it. And I think that this will continue over the coming years. And certainly, as the U.S. re-evaluates our position with China, we need to be prepared for the fact that we’re going to need to up-level all of our capabilities.