Hacker News

For context, this is a tool deployed by a Chinese-based threat actor referred to as LightBasin [1]. I believe them to be an adjacent team to the more well-known Mustang Panda [2], but focused specifically on access to telecom infrastructure.

1. https://malpedia.caad.fkie.fraunhofer.de/actor/lightbasin
2. https://malpedia.caad.fkie.fraunhofer.de/actor/mustang_panda

> I believe them to be an adjacent team to the more well known Mustang Panda

This is interesting - the attribution for this actor has remained elusive for quite some time due to their consistent operational security.

Could you elaborate on how you came to this attribution? And to what confidence?

Don't think of a specific named actor as a tight-knit group of hackers that owns a project start to finish like you'd see in the movies. Really, what we are identifying is a specific team within a multi-thousand-person organization (or cooperating organizations). Just like in any other big organization, projects get handed off between teams based on their specializations.

LightBasin is a group that is highly experienced in telecommunications, that is able to identify specific hardware from vendors, and that probably has the same gear sitting in a lab to test on. They are focused on COMINT collection and exploitation. There has been no evidence of them doing initial access work (establishing a foothold within specific networks), so they are likely being given access and then using their domain knowledge to pivot between different telecom providers on shared networks.

Mustang Panda, on the other hand, focuses on initial access to organizations and then stealing credentials, intellectual property, and, most importantly, internal documentation. You can start to see how these two groups would work hand in hand.

Based on victimology I believe the two to be within an organizational structure where information passes from one to the other. It is impossible to definitively state one way or the other without having information from within the Chinese government.

If you want further info, my email is in my profile.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operati...

Thanks Mike for sharing your insights.

Makes a lot of sense; Mustang Panda is heavy on document collection on target systems. Almost certainly a PLA intel-gathering unit (like a CIA team) as opposed to an MSS team, but then again, if their target was dissidents or political interests, that disproves my theory.
