13 Telecom Service Providers Breached by LightBasin Since 2019

At least 13 telecom service providers were breached by LightBasin, a highly sophisticated adversary. The aim behind these attacks was to collect “highly specific information” from mobile communication infrastructures, such as subscriber information and call metadata.

According to CrowdStrike researchers, “The nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations.”

LightBasin, aka UNC1945, has been active since 2016 and has been behind the breaches of 13 telecom companies across the world since 2019. The bad actors use custom tools and extensive knowledge of telecom protocols to penetrate the organizations’ defenses. The findings did not link the cluster to any specific country, nor were the identities of the targeted entities disclosed.

According to CrowdStrike, the targeted intrusion actor took advantage of external DNS (eDNS) servers to connect directly to and from other compromised telecom companies’ GPRS networks via SSH and previously established backdoors such as PingPong. Initial access is gained with the help of password-spraying attacks, eventually leading to the installation of the SLAPSTICK malware to steal passwords and pivot to other systems in the network.

Telemetry data also shows the targeted intrusion actor’s ability to emulate GPRS network access points. This allows them to perform command-and-control communications in conjunction with a Unix-based backdoor called TinyShell, enabling the attacker to tunnel traffic through the telecommunications network.

LightBasin’s malware arsenal includes a network scanning and packet capture utility called “CordScan,” which allows them to fingerprint mobile devices, as well as “SIGTRANslator,” an ELF binary that can transmit and receive data via the SIGTRAN protocol suite, which is used to carry public switched telephone network (PSTN) signaling over IP networks.

CrowdStrike in a blog post mentioned, “It is not surprising that servers would need to communicate with one another as part of roaming agreements between telecommunications companies; however, LightBasin’s ability to pivot between multiple telecommunications companies stems from permitting all traffic between these organizations without identifying the protocols that are actually required.”

They further added, “As such, the key recommendation here is for any telecommunications company to ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP.”
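The protocol allow-list CrowdStrike recommends can also be audited from flow logs. The following is an added example, not code from the article or from CrowdStrike: it scans constructed NetFlow-style records for connections crossing the roaming boundary that use anything other than DNS or GTP, which is the kind of SSH pivot described above. The partner address ranges, the log format and the choice of GTP ports are assumptions.

```python
import ipaddress
from typing import Iterable

# Assumed: address ranges of roaming partners reachable under roaming agreements.
PARTNER_NETS = [ipaddress.ip_network("192.0.2.0/24"),      # constructed partner range
                ipaddress.ip_network("198.51.100.0/24")]   # constructed partner range

# Protocols expected across the GPRS roaming boundary: DNS and GTP
# (GTP-C on UDP/2123, GTP-U on UDP/2152, legacy GTP' on 3386).
ALLOWED = {("udp", 53), ("tcp", 53), ("udp", 2123), ("udp", 2152),
           ("udp", 3386), ("tcp", 3386)}


def parse_flow(line: str) -> dict:
    """Parse one space-separated flow record: timestamp src dst proto dport."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(), "dport": int(dport)}


def is_partner(addr) -> bool:
    return any(addr in net for net in PARTNER_NETS)


def unexpected_flows(lines: Iterable[str]) -> list:
    """Return flows that cross the partner boundary with a non-allow-listed protocol."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        # Only flows between our network and a partner network cross the boundary.
        crosses = is_partner(f["src"]) != is_partner(f["dst"])
        if crosses and (f["proto"], f["dport"]) not in ALLOWED:
            findings.append(f)
    return findings


# Constructed sample: DNS and GTP-C are expected; SSH in either direction is not,
# while SSH between two internal hosts never crosses the boundary.
SAMPLE_FLOWS = """\
2021-10-19T02:14:01Z 192.0.2.17 10.20.0.5 udp 53
2021-10-19T02:14:03Z 192.0.2.17 10.20.0.9 udp 2123
2021-10-19T02:15:40Z 192.0.2.17 10.20.0.9 tcp 22
2021-10-19T02:16:02Z 10.20.0.9 198.51.100.8 tcp 22
2021-10-19T02:16:10Z 10.20.0.9 10.20.0.12 tcp 22
"""

if __name__ == "__main__":
    for f in unexpected_flows(SAMPLE_FLOWS.splitlines()):
        print(f"{f['ts']} {f['src']} -> {f['dst']} {f['proto']}/{f['dport']} "
              "not in GPRS roaming allow-list")
```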

Earlier Symantec disclosed details of a previously unseen advanced persistent threat (APT) group dubbed “Harvester.” It has been linked to an information-stealing campaign aimed at telecommunications, government, and information technology sectors in South Asia since June 2021 using a custom implant called “Graphon.”
