A highly sophisticated adversary named LightBasin has been identified as behind a string of attacks targeting the telecom sector with the goal of collecting "highly specific information" from mobile communication infrastructure, such as subscriber information and call metadata.
"The nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations," researchers from cybersecurity firm CrowdStrike said in an analysis published Tuesday.
Known to be active as far back as 2016, LightBasin (aka UNC1945) is believed to have compromised 13 telecommunication companies across the world since 2019 by leveraging custom tools and their extensive knowledge of telecommunications protocols for scything through organizations' defenses. The identities of the targeted entities were not disclosed, nor did the findings link the cluster's activity to a specific country.
Indeed, a recent incident investigated by CrowdStrike found the targeted intrusion actor taking advantage of external DNS (eDNS) servers to connect directly to and from other compromised telecom companies' GPRS networks via SSH and through previously established backdoors such as PingPong. The initial compromise is facilitated with the help of password-spraying attacks, consequently leading to the installation of SLAPSTICK malware to steal passwords and pivot to other systems in the network.
Other indications based on telemetry data show the targeted intrusion actor's ability to emulate GPRS network access points so as to perform command-and-control communications in conjunction with a Unix-based backdoor called TinyShell, thereby enabling the attacker to tunnel traffic through the telecommunications network.
Among the multiple tools in LightBasin's malware arsenal is a network scanning and packet capture utility called "CordScan" that allows the operators to fingerprint mobile devices, as well as "SIGTRANslator," an ELF binary that can transmit and receive data via the SIGTRAN protocol suite, which is used to carry public switched telephone network (PSTN) signaling over IP networks.
"It is not surprising that servers would need to communicate with one another as part of roaming agreements between telecommunications companies; however, LightBasin's ability to pivot between multiple telecommunications companies stems from permitting all traffic between these organizations without identifying the protocols that are actually required," CrowdStrike noted.
"As such, the key recommendation here is for any telecommunications company to ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP," the company added.
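The recommendation above, expressed as a default-deny policy for the firewall between an operator's GPRS hosts and its roaming partners: an added illustration, not CrowdStrike's or any operator's configuration. The partner and local prefixes, the interface name `grx0` and the sample flows are constructed assumptions; the port numbers are the IANA assignments for DNS, GTP-C, GTP-U and GTP' (charging). The same policy object is evaluated against sample flows and rendered as an nftables ruleset, so the SSH-between-operators pattern the article describes is dropped and logged rather than forwarded.

```python
"""Protocol allowlist for a GRX/roaming-facing firewall (added example).

Policy: only the protocols a roaming agreement actually needs (DNS, GTP)
are forwarded between partner networks and the local GPRS core; everything
else, including SSH, is dropped and logged.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Expected roaming protocols (article examples: DNS and GTP). Ports are the
# IANA assignments; the set itself is an assumption for this example.
ALLOWED_SERVICES = {
    ("udp", 53): "dns",
    ("tcp", 53): "dns",
    ("udp", 2123): "gtp-c",
    ("udp", 2152): "gtp-u",
    ("udp", 3386): "gtp-prime",
}

# Constructed prefixes (documentation ranges, not real operators).
PARTNER_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]
LOCAL_NETWORKS = [ip_network("192.0.2.0/24")]  # eDNS, GGSN/PGW etc.
GRX_INTERFACE = "grx0"  # assumed interface name facing the roaming exchange


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def _in_any(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for a flow crossing the GRX boundary.

    Default deny: a flow is accepted only if it runs between a partner
    prefix and a local prefix AND its protocol/port is on the allowlist.
    """
    partner_to_local = _in_any(flow.src, PARTNER_NETWORKS) and _in_any(flow.dst, LOCAL_NETWORKS)
    local_to_partner = _in_any(flow.src, LOCAL_NETWORKS) and _in_any(flow.dst, PARTNER_NETWORKS)
    if not (partner_to_local or local_to_partner):
        return ("drop", "not a partner<->local flow")
    service = ALLOWED_SERVICES.get((flow.proto, flow.dport))
    if service is None:
        return ("drop", f"{flow.proto}/{flow.dport} not in roaming allowlist")
    return ("accept", service)


def render_nftables() -> str:
    """Render the same policy as an nftables ruleset (forward chain, policy drop)."""
    partners = ", ".join(str(n) for n in PARTNER_NETWORKS)
    locals_ = ", ".join(str(n) for n in LOCAL_NETWORKS)
    udp_ports = ", ".join(str(p) for (proto, p) in sorted(ALLOWED_SERVICES) if proto == "udp")
    tcp_ports = ", ".join(str(p) for (proto, p) in sorted(ALLOWED_SERVICES) if proto == "tcp")
    i, o = GRX_INTERFACE, GRX_INTERFACE
    return f"""table inet grx {{
    set partners {{ type ipv4_addr; flags interval; elements = {{ {partners} }} }}
    set core     {{ type ipv4_addr; flags interval; elements = {{ {locals_} }} }}
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "{i}" ip saddr @partners ip daddr @core udp dport {{ {udp_ports} }} accept
        iifname "{i}" ip saddr @partners ip daddr @core tcp dport {{ {tcp_ports} }} accept
        oifname "{o}" ip saddr @core ip daddr @partners udp dport {{ {udp_ports} }} accept
        oifname "{o}" ip saddr @core ip daddr @partners tcp dport {{ {tcp_ports} }} accept
        iifname "{i}" log prefix "grx-drop " drop
    }}
}}
"""


# Constructed sample flows: DNS and GTP-U from a partner are expected;
# SSH from a partner network to a local host is the pattern to block.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", "192.0.2.53", "udp", 53),
    Flow("203.0.113.20", "192.0.2.100", "udp", 2152),
    Flow("198.51.100.10", "192.0.2.100", "tcp", 22),
]


def audit(flows=SAMPLE_FLOWS) -> list[tuple[Flow, str, str]]:
    """Evaluate each flow and return (flow, verdict, reason) triples."""
    return [(f, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    for f, verdict, reason in audit():
        print(f"{verdict:6} {f.src} -> {f.dst} {f.proto}/{f.dport}  ({reason})")
    print(render_nftables())
```

Running the script prints the verdict for each sample flow and the generated ruleset; the `established,related` rule keeps legitimate return traffic working while the final `policy drop` plus logging rule surfaces any unexpected protocol between operators as a detection signal rather than a silent pass.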
The findings also come just as cybersecurity firm Symantec disclosed details of a previously unseen advanced persistent threat (APT) group dubbed "Harvester," which has been linked to an information-stealing campaign aimed at telecommunications, government, and information technology sectors in South Asia since June 2021 using a custom implant called "Graphon."
Update
Some aspects of the aforementioned intrusion activity, specifically the use of SIGTRANslator, CordScan, and PingPong, have now been attributed to a separate China-linked cyber espionage group tracked as Liminal Panda. For more details, please check here.
(The story was updated after publication on November 20, 2024, to reflect the change in threat actor attribution.)