A “highly sophisticated” hacking group called LightBasin has harvested mobile network data from at least 13 telecoms companies in the past two years, according to CrowdStrike researchers.
The group, also known as UNC1945, was first documented by Mandiant researchers in November 2020, who showed the hackers targeting financial and professional consulting enterprises by compromising their managed service providers (MSPs).
CrowdStrike said the group uses custom tools and “in-depth knowledge” of telecommunication network architecture to harvest data of value to signals intelligence agencies.
Active since at least 2016, LightBasin has since moved on to target telcos, establishing implants on Linux and Solaris systems, which underpin much of the sector's critical infrastructure.
While CrowdStrike said at least 13 telcos had been affected by the group’s two-year campaign, none of the firms targeted were named.
“Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control and utilising scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata,” said CrowdStrike in a blog.
It said LightBasin is a “highly sophisticated adversary”, and the nature of the data targeted, as well as the range of capabilities shown, is consistent with “a signals intelligence organisation with a need to respond to collection requirements against a diverse set of target environments”.
CrowdStrike senior vice-president Adam Meyers told Reuters that the attackers were able to retrieve specific data unobtrusively, adding: “I’ve never seen this degree of purpose-built tools.”
Although Reuters and other media reports have tied the hackers to China, the CrowdStrike report noted that while the cryptography used by the group does rely on Pinyin phonetic versions of Chinese language characters, “CrowdStrike Intelligence does not assert a nexus between LightBasin and China”.
The report also said LightBasin exercised a strong operational security (opsec) strategy. Its initial compromise of one of the telecoms companies went through external DNS (eDNS) servers, which sit in the General Packet Radio Service (GPRS) network and play a key role in roaming between different mobile operators; LightBasin reached them over SSH from other telcos it had already compromised, using previously established implants.
“LightBasin initially accessed the first eDNS server via SSH from one of the other compromised telecommunications companies, with evidence uncovered indicative of password-spraying attempts using both extremely weak and third-party-focused passwords (eg huawei), potentially helping to facilitate the initial compromise,” it said.
“Subsequently, LightBasin deployed their Slapstick PAM backdoor on the system to siphon credentials to an obfuscated text file. As part of early lateral movement operations to further their access across the network, LightBasin then pivoted to additional systems to set up more Slapstick backdoors.”
It also said LightBasin's ability to pivot between multiple companies stems from those firms' roaming agreements, which permit all traffic between these organisations rather than restricting it to the protocols roaming actually requires.
“As such, the key recommendation here is for any telecommunications company to ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP,” said the report, adding that simply restricting network traffic will not solve the issue if a company has already been the victim of an intrusion.
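The SSH pivot described in the preceding quotes and the firewall recommendation above come down to one policy question at the GRX/IPX border: is partner traffic allowed wholesale, or only on the protocols roaming needs? The following is an added example, not code from CrowdStrike or the report, that models both policies and evaluates constructed flow records against them. The address ranges, the sample flows and the choice of which protocols an operator needs are assumptions for illustration; the port numbers are the standard assignments (DNS 53, GTP-C 2123/udp, GTP-U 2152/udp, GTP' 3386). A real deployment would express the same allow-list in the border firewall's own rule language.

```python
"""Model of a GRX/IPX-facing packet filter: 'permit all partner traffic'
versus an allow-list limited to the protocols roaming actually needs.
Added example; not part of the CrowdStrike report."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Protocols a roaming interconnect legitimately carries. Port assignments are
# the standard ones; which of them a given operator really needs (e.g. GTP')
# is an assumption for this example and must be checked per deployment.
ROAMING_ALLOWLIST = {
    ("udp", 53), ("tcp", 53),      # DNS (eDNS / GRX DNS)
    ("udp", 2123),                 # GTP-C (signalling)
    ("udp", 2152),                 # GTP-U (user plane)
    ("udp", 3386), ("tcp", 3386),  # GTP' (charging), only if used
}

# Constructed address space (documentation prefixes): partner operators
# reachable over GRX, and this operator's own GPRS core hosts (eDNS, GGSN/PGW).
PARTNER_NETS = [ip_network("203.0.113.0/24")]
CORE_NETS = [ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def from_partner(flow: Flow) -> bool:
    return any(ip_address(flow.src) in n for n in PARTNER_NETS)


def to_core(flow: Flow) -> bool:
    return any(ip_address(flow.dst) in n for n in CORE_NETS)


def permit_all_policy(flow: Flow) -> bool:
    """The weak policy: any traffic between roaming partners is accepted."""
    return from_partner(flow) and to_core(flow)


def allowlist_policy(flow: Flow) -> bool:
    """The recommended policy: partner traffic only on expected protocols."""
    return (from_partner(flow) and to_core(flow)
            and (flow.proto, flow.dport) in ROAMING_ALLOWLIST)


def lateral_movement_exposure(flows):
    """Flows the permissive policy lets through but the allow-list would block.
    Each one is a path a compromised partner could use to pivot into the core."""
    return [f for f in flows if permit_all_policy(f) and not allowlist_policy(f)]


# Constructed sample flows, in the spirit of NetFlow records from the GRX edge.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "198.51.100.5", "udp", 53),     # DNS query to eDNS: expected
    Flow("203.0.113.10", "198.51.100.20", "udp", 2123),  # GTP-C to GGSN/PGW: expected
    Flow("203.0.113.10", "198.51.100.20", "udp", 2152),  # GTP-U: expected
    Flow("203.0.113.77", "198.51.100.5", "tcp", 22),     # SSH to eDNS from a partner: the pivot
    Flow("203.0.113.77", "198.51.100.5", "tcp", 443),    # HTTPS from a partner: not roaming traffic
    Flow("192.0.2.9", "198.51.100.5", "tcp", 22),        # SSH from a non-partner: denied by both
]

if __name__ == "__main__":
    for f in lateral_movement_exposure(SAMPLE_FLOWS):
        print(f"would be blocked by allow-list: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Running the script lists the two partner-sourced flows (SSH and HTTPS to the eDNS host) that the permissive policy accepts and the allow-list rejects; the SSH one is exactly the path the report describes. The same flow list, fed from real NetFlow or firewall logs, doubles as a compromise-assessment query: any partner-to-core flow outside the allow-list is worth an incident response look, since restricting traffic after the fact does not remove implants already in place.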
“In this event, CrowdStrike recommends an incident response investigation that includes the review of all partner systems alongside all systems managed by the organisation itself,” it added. “Similarly, if an organisation wishes to determine whether they’ve fallen victim to LightBasin, any compromise assessment must also include a review of all of the aforementioned systems.”
CrowdStrike further recommended that telcos carry out an evaluation of the security controls in place with third-party MSPs, because its investigations commonly reveal a lack of monitoring or security tooling on core network systems.
It said any incident response plan devised by telecoms companies should lay out the MSPs' roles and responsibilities, so that firms can acquire forensic artefacts from systems not directly under their own management.