A highly sophisticated adversary named LightBasin has been identified as behind a string of attacks targeting the telecom sector with the goal of collecting “highly specific information” from mobile communication infrastructure, such as subscriber information and call metadata.
“The nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations,” researchers from cybersecurity firm CrowdStrike said[1] in an analysis published Tuesday.
Known to be active as far back as 2016, LightBasin (aka UNC1945) is believed to have compromised 13 telecommunication companies across the world since 2019, using custom tools and an extensive knowledge of telecommunications protocols to cut through organizations’ defenses. The identities of the targeted entities were not disclosed, nor did the findings link the cluster’s activity to a specific country.
Indeed, a recent incident investigated by CrowdStrike found the targeted intrusion actor abusing external DNS (eDNS) servers to connect directly to and from other compromised telecom companies’ GPRS networks via SSH and through previously established backdoors such as PingPong. Initial access is obtained through password-spraying attacks, followed by the installation of the SLAPSTICK malware to steal passwords and pivot to other systems in the network.
Telemetry data also shows the targeted intrusion actor emulating GPRS network access points in order to carry out command-and-control communications with a Unix-based backdoor called TinyShell, which lets the attacker tunnel traffic through the telecommunications network.
Among the multiple tools in LightBasin’s malware arsenal is a network scanning and packet capture utility called “CordScan” that allows the operators to fingerprint mobile devices, as well as “SIGTRANslator,” an ELF binary that can transmit and receive data via the SIGTRAN[2] protocol suite, which is used to carry public switched telephone network (PSTN) signaling over IP networks.
“It is not surprising that servers would need to communicate with one another as part of roaming agreements between telecommunications companies; however, LightBasin’s ability to pivot between multiple telecommunications companies stems from permitting all traffic between these organizations without identifying the protocols that are actually required,” CrowdStrike noted.
“As such, the key recommendation here is for any telecommunications company to ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP,” the company added.
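To make that recommendation concrete, the following is an added example (not CrowdStrike’s tooling or anything from the report) that audits flow records crossing a GPRS roaming interconnect against an allowlist of expected protocols and renders the equivalent default-deny firewall rules. It assumes a simple `src,dst,proto,dport` record format, placeholder home and partner address ranges drawn from RFC 5737 documentation space, and the standard IANA ports for DNS (53), GTP-C (2123) and GTP-U (2152); none of those values come from the article.

```python
"""Audit GPRS interconnect traffic against a protocol allowlist.

Added example, not CrowdStrike code. Flow records, address ranges and
the allowlist below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Protocols a GPRS roaming firewall is expected to carry (DNS and GTP, as
# CrowdStrike recommends). Port numbers are standard IANA assignments,
# not values taken from the report.
EXPECTED = {
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
    ("udp", 2123): "GTP-C",
    ("udp", 2152): "GTP-U",
}

# Constructed placeholder ranges (RFC 5737 documentation space).
HOME_RANGE = ip_network("192.0.2.0/24")
PARTNER_RANGES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text: str) -> list[Flow]:
    """Parse 'src,dst,proto,dport' lines; blank lines and '#' comments are skipped."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = (p.strip() for p in line.split(","))
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def crosses_interconnect(flow: Flow) -> bool:
    """True when one endpoint is in the home network and the other at a partner."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    s_partner = any(s in r for r in PARTNER_RANGES)
    d_partner = any(d in r for r in PARTNER_RANGES)
    return (s_partner and d in HOME_RANGE) or (s in HOME_RANGE and d_partner)


def audit(flows: list[Flow]):
    """Split interconnect flows into (allowed, violations).

    allowed:    list of (flow, protocol name)
    violations: list of (flow, reason) for anything outside the allowlist,
                e.g. SSH arriving from a roaming partner.
    Traffic that stays inside the home network is out of scope here.
    """
    allowed, violations = [], []
    for f in flows:
        if not crosses_interconnect(f):
            continue
        name = EXPECTED.get((f.proto, f.dport))
        if name:
            allowed.append((f, name))
        else:
            violations.append((f, f"{f.proto}/{f.dport} is not an expected GPRS protocol"))
    return allowed, violations


def render_nft_rules() -> list[str]:
    """Render the allowlist as nftables-style rules with a default drop."""
    rules = [f"{proto} dport {port} accept  # {name}" for (proto, port), name in EXPECTED.items()]
    rules.append("drop  # everything else between roaming partners")
    return rules


# Constructed sample records: src,dst,proto,dport
SAMPLE_FLOWS = """
198.51.100.10,192.0.2.53,udp,53
198.51.100.20,192.0.2.80,udp,2123
198.51.100.20,192.0.2.80,udp,2152
198.51.100.77,192.0.2.53,tcp,22
192.0.2.15,203.0.113.5,tcp,443
192.0.2.5,192.0.2.6,tcp,22
"""


def run_sample():
    """Audit the constructed records; returns (allowed, violations)."""
    return audit(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    allowed, violations = run_sample()
    for f, name in allowed:
        print(f"allow {f.src} -> {f.dst} {f.proto}/{f.dport} ({name})")
    for f, reason in violations:
        print(f"DENY  {f.src} -> {f.dst}: {reason}")
    print("\n".join(render_nft_rules()))
```

On the constructed sample the DNS, GTP-C and GTP-U flows pass, while the SSH session from a partner range to the home DNS host and the outbound HTTPS flow are flagged; the internal SSH flow is ignored because it never crosses the interconnect. In practice the records would come from the roaming firewall’s flow logs and the partner ranges from the operator’s roaming agreements.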
The findings also come just as cybersecurity firm Symantec disclosed details of a previously unseen advanced persistent threat (APT) group dubbed “Harvester[3],” which has been linked to an information-stealing campaign aimed at telecommunications, government, and information technology sectors in South Asia since June 2021 using a custom implant called “Graphon.”