LightBasin Hackers Compromise Over 13 Telecom Service Providers Since 2019

Telecom Sector Under Siege by LightBasin

Recent investigations into cyber threats have revealed that an advanced adversary known as LightBasin is behind a series of attacks targeting the telecommunications industry. The group focuses on extracting highly specific data, such as subscriber information and call metadata, a collection profile that aligns with the interests of signals intelligence agencies. Research by CrowdStrike, a prominent cybersecurity firm, highlights growing concern about this threat actor’s motivations and capabilities.

Active since at least 2016, LightBasin (also tracked as UNC1945) has compromised 13 telecom companies worldwide since 2019. Using custom-built tools and a deep understanding of telecommunications protocols, the group moves effectively through organizational defenses. The names of the affected companies remain undisclosed, and the report does not attribute the attacks to any country, leaving open the question of state involvement.

A detailed analysis of the group’s tactics shows that LightBasin has used external DNS servers to establish Secure Shell (SSH) connections into other compromised networks, relying on previously planted backdoors such as PingPong for access. Initial compromises have typically begun with password-spraying attacks, followed by deployment of the SLAPSTICK malware, which captures credentials and facilitates lateral movement within the network.

Telemetry suggests that the group can emulate GPRS network access points and use them to carry command-and-control traffic for a Unix-based backdoor known as TinyShell. This capability lets the attacker tunnel traffic through the telecommunications infrastructure itself, raising significant concerns about the integrity of these networks.

LightBasin’s toolkit includes several malware components, among them a network-scanning utility named “CordScan,” which fingerprints mobile devices, and “SIGTRANslator,” an executable that sends and receives data over the SIGTRAN protocol suite, which carries Public Switched Telephone Network (PSTN) signaling over IP networks. The group’s tactics show a clear understanding of how telecommunications systems operate, in particular the interconnection between different service providers that roaming agreements require.

CrowdStrike emphasizes the importance of strict firewall rules that restrict GPRS network traffic to only the protocols actually required, such as DNS and GTP; this is critical to limiting opportunities for unauthorized access.

Separately, cybersecurity firm Symantec has identified a new advanced persistent threat (APT) group dubbed “Harvester,” linked to information-stealing campaigns targeting the telecommunications, government, and IT sectors in South Asia since mid-2021.
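The GPRS-edge restriction CrowdStrike recommends above, as an added nftables example that is not from the report or from CrowdStrike; it assumes the roaming-facing interface is called grx0 and that “GTP” means the standard GTP-C and GTP-U ports, with the usual permissive setting shown in a comment for contrast:

```nft
#!/usr/sbin/nft -f
# Assumptions (not from the report): the roaming/GRX-facing link is named
# grx0, and "GTP" means GTP-C (2123/udp) and GTP-U (2152/udp).
table inet grx_edge
flush table inet grx_edge

table inet grx_edge {
    set gtp_ports {
        type inet_service
        elements = { 2123, 2152 }   # GTP-C, GTP-U
    }

    # Weak setting this ruleset replaces:
    #   chain input { type filter hook input priority 0; policy accept; }
    # which exposes SSH and every other listener on the roaming edge to peers.
    chain input {
        type filter hook input priority 0; policy drop;
        iifname != "grx0" accept                 # other links are out of scope
        ct state established,related accept
        ct state invalid drop
        udp dport 53 accept                      # DNS
        tcp dport 53 accept                      # DNS over TCP
        udp dport @gtp_ports accept              # GTP-C / GTP-U
        log prefix "grx-drop-in: " counter drop  # e.g. SSH from a peer network
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname != "grx0" oifname != "grx0" accept   # not crossing the roaming edge
        ct state established,related accept
        ct state invalid drop
        udp dport 53 accept
        tcp dport 53 accept
        udp dport @gtp_ports accept
        log prefix "grx-drop-fwd: " counter drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname != "grx0" accept
        ct state established,related accept
        udp dport 53 accept
        tcp dport 53 accept
        udp dport @gtp_ports accept
        log prefix "grx-drop-out: " counter drop  # outbound tunnels over GRX
    }
}
```

Load it with `nft -f` and watch the rule counters and the kernel log for `grx-drop` entries: a hit from a peer network on the input drop rule is exactly the kind of SSH or TinyShell-style connection across the roaming interconnect that the report describes.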

The tactics and tools employed by LightBasin, notably SIGTRANslator and CordScan, have since been attributed to a different cyber espionage group associated with China, known as Liminal Panda. These developments underscore the evolving nature of cyber threats and the importance of remaining vigilant in the face of potential attacks.

With cybersecurity increasingly paramount for telecommunications companies, business owners must remain aware of these threats. The MITRE ATT&CK framework maps the tactics likely employed, from initial access and persistence to privilege escalation, and understanding these methods helps organizations strengthen defenses against such sophisticated adversaries. As the threat landscape continues to evolve, staying informed and proactive is essential.
