LightBasin hackers: 13 telecom service providers breached in two years

Researchers uncovered a sophisticated espionage campaign that has already compromised 13 organizations

Analysis of the hacker group revealed 13 victims. The attackers can tunnel traffic through the telecommunications network.

A roaming threat to multiple telecommunications companies has been reported. LightBasin, a highly sophisticated espionage actor, has been found targeting the telecommunications sector, where its campaigns aim to obtain specific high-value information.[1] Mobile communication infrastructure holds subscriber information, call detail records and other metadata that can be valuable, so the research team is warning about the threat and has already identified companies affected since 2019.[2] Cybersecurity firm CrowdStrike reports:

The nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations

Active since at least 2016, the LightBasin (also tracked as UNC1945) hacker group has compromised 13 such companies since 2019.[3] These organizations around the world were affected through the use of particular tools and advanced techniques. The attackers are experienced and have the knowledge to penetrate the defenses of such organizations. The analysis does not disclose the names of the victims or the consequences of specific attacks. If a company believes it has been a victim of LightBasin, CrowdStrike recommends an in-depth investigation that also covers all partners and their networks.

Recent attacks take advantage of the external DNS servers

From the incidents analyzed, the team reports that the actors gain access to targeted systems through external DNS servers, which let them connect to the system directly. In the same way, connections can be maintained with other compromised telecom companies and their GPRS networks over SSH. Previously established backdoors[4] such as PingPong were also used.

Password-spraying attacks[5] can be used to compromise the targeted networks. This method leads to the installation of malware, for example the SLAPSTICK password stealer, after which other systems on the same network can be exploited. Additional malware in the LightBasin arsenal:

  • network scanning and capture utility CordScan;
  • Unix-based backdoor TinyShell;
  • Proxychains;
  • SIGTRANslator data transmitter and receiver.

Other findings from the analysis include that the attackers conduct command-and-control communications alongside the backdoor malware. These tactics enable them to tunnel traffic through the telecommunications network.

Leveraging knowledge of telecommunications network architecture

The main recommendation from the researchers is to ensure that the firewalls responsible for the GPRS network have proper rules in place, so that network traffic is restricted to only the protocols that are actually expected, such as DNS or GTP.

LightBasin’s ability to pivot between multiple telecommunications companies stems from permitting all traffic between these organizations without identifying the protocols that are actually required.
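The recommendation above, restricting the GPRS roaming boundary to the protocols that are actually required, can be turned into a checkable allowlist. The following is an added example written for this article; it is not code from CrowdStrike or from the article itself. It assumes the standard port assignments for the protocols the article names (DNS on 53, GTP-C on UDP 2123, GTP-U on UDP 2152), classifies a set of constructed flow records against that allowlist, and renders an nftables fragment from the same table so that the policy check and the enforcement cannot drift apart. The SSH flow in the sample is the kind of partner-to-partner session the article describes and is exactly what the allowlist is meant to surface for review.

```python
"""Allowlist check for a GPRS roaming (GRX) firewall boundary.

Added example, not from the article or from CrowdStrike. It models the
recommendation to permit only the protocols required between telecom
networks (the article names DNS and GTP) and to flag everything else.
"""
from collections import Counter
from dataclasses import dataclass

# Standard ports for the protocols the article names as expected on the
# GRX boundary. The article gives no port numbers; these are the usual
# IANA/3GPP assignments and are an assumption of this example.
EXPECTED = {
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
    ("udp", 2123): "GTP-C",   # GTP control plane
    ("udp", 2152): "GTP-U",   # GTP user plane
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def classify(flow: Flow) -> tuple:
    """Return ("allow", protocol name) or ("deny", "proto/port")."""
    label = EXPECTED.get((flow.proto.lower(), flow.dport))
    if label is not None:
        return ("allow", label)
    return ("deny", f"{flow.proto.lower()}/{flow.dport}")


def denied(flows):
    """Flows the allowlist would drop; this is the analyst's review queue."""
    return [f for f in flows if classify(f)[0] == "deny"]


def summary(flows) -> Counter:
    """Count of flows per label, e.g. Counter({"GTP-C": 1, "tcp/22": 1})."""
    return Counter(classify(f)[1] for f in flows)


def nft_ruleset(iface: str, table: str = "grx") -> str:
    """Render an nftables fragment enforcing the same allowlist.

    Derived from EXPECTED so the check and the firewall agree. Illustrative
    only: the fragment assumes the table is dedicated to the roaming
    interface, and a production ruleset must also cover other interfaces.
    """
    udp = sorted(p for (proto, p) in EXPECTED if proto == "udp")
    tcp = sorted(p for (proto, p) in EXPECTED if proto == "tcp")
    lines = [
        f"table inet {table} {{",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        f'    iifname "{iface}" ct state established,related accept',
        f'    iifname "{iface}" udp dport {{ {", ".join(map(str, udp))} }} accept',
        f'    iifname "{iface}" tcp dport {{ {", ".join(map(str, tcp))} }} accept',
        "  }",
        "}",
    ]
    return "\n".join(lines)


# Constructed sample flows (addresses from the RFC 5737 documentation ranges).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", "udp", 2123),   # GTP-C from a roaming partner
    Flow("192.0.2.10", "198.51.100.5", "udp", 2152),   # GTP-U tunnel traffic
    Flow("192.0.2.20", "198.51.100.53", "udp", 53),    # DNS lookup over GRX
    Flow("192.0.2.30", "198.51.100.8", "tcp", 22),     # SSH from a partner's network
    Flow("192.0.2.30", "198.51.100.8", "tcp", 8443),   # unexpected TLS service
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, label = classify(f)
        print(f"{verdict:5} {f.src} -> {f.dst} {label}")
    print(nft_ruleset("grx0"))
```

Running the block prints one verdict per sample flow (the two TCP flows are denied) followed by the rendered ruleset. In practice the flow records would come from firewall or NetFlow exports at the GRX edge, and the `denied` list is what an incident response team would want to review for the cross-operator SSH activity described above.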

Restricting network traffic will not help a network that is already compromised, if the company is already a victim of the LightBasin espionage campaign. The group uses a variety of telecommunications-related protocols, so an incident response investigation is the best option in such cases. The group has not been attributed to a particular country, though there are some links to China. Nevertheless, the breached data can be valuable to any foreign group, especially in state-sponsored attacks.

Unfortunately, such companies are common targets, and espionage campaigns, breaches and hacker group attacks are pressing issues that various industries need to consider and take measures against. Information-stealing campaigns target the telecommunications, government, information technology, defense and cybersecurity sectors all over the world.

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
