A hacker group, dubbed ‘LightBasin’ by CrowdStrike security researchers, has been infiltrating telecom companies across the world for the last five years with the goal of gathering information from mobile communication infrastructure, such as subscriber information and call metadata.
“Active since at least 2016, LightBasin employs significant operational security (OPSEC) measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, and only interacting with Windows systems as needed,” CrowdStrike said in a technical report.
Since 2019, LightBasin (aka UNC1945) has breached at least 13 telecommunication companies throughout the world using custom tools and their “in-depth knowledge of telecommunications network architectures.”
An investigation into a recent incident involving one of the telecommunication companies revealed that the threat actor took advantage of external DNS (eDNS) servers to connect directly to and from other compromised telecom companies' GPRS networks via SSH and through previously established implants.
The initial compromise involved the use of password-spraying techniques, followed by deployment of the custom SLAPSTICK PAM backdoor on the system to siphon credentials to an obfuscated text file. The attackers used SLAPSTICK to steal passwords and then pivot to other systems in the network.
“Later, LightBasin returned to access several eDNS servers from one of the compromised telecommunications companies while deploying an ICMP traffic signalling implant tracked by CrowdStrike as PingPong,” the researchers said.
PingPong waits for a magic ICMP echo request which, when sent to the system, establishes a TCP reverse shell to an IP address and port specified within the magic packet.
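A defender-side way to hunt for this kind of ICMP signalling is to flag echo requests whose payload is not one of the well-known ping patterns and check whether the payload carries an address and port. The following is an added example written for this article, not code from CrowdStrike's report; the benign reference patterns (iputils and Windows ping defaults), the text-based "address:port" layout and the TEST-NET sample traffic are all assumptions, since the report excerpt does not describe PingPong's actual packet format.

```python
import re
import struct
import ipaddress
from typing import Optional
# Benign reference payloads (assumptions about common ping defaults, not from the report):
# iputils on 64-bit Linux sends a 16-byte timeval followed by bytes 0x10..0x37;
# Windows ping.exe sends a fixed 32-byte alphabet pattern.
IPUTILS_TAIL = bytes(range(0x10, 0x38))
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
# Hypothetical layout: an address and port written into the payload as text.
IPV4_PORT_TEXT = re.compile(rb"(\d{1,3}(?:\.\d{1,3}){3})[:\s](\d{1,5})")

def build_ipv4_icmp(src: str, dst: str, icmp_type: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 + ICMP packet (checksums zeroed) for the sample set."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip_hdr + struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload

def suspicious_echo_request(packet: bytes) -> Optional[dict]:
    """Return a finding for an ICMP echo request whose payload is not a known ping pattern."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if packet[9] != 1 or not icmp or icmp[0] != 8:   # protocol 1 = ICMP, type 8 = echo request
        return None
    payload = icmp[8:]
    if not payload or payload == WINDOWS_PAYLOAD:
        return None
    if len(payload) == 56 and payload[16:] == IPUTILS_TAIL:
        return None
    finding = {"src": str(ipaddress.IPv4Address(packet[12:16])),
               "dst": str(ipaddress.IPv4Address(packet[16:20])),
               "reasons": ["non-standard echo payload"], "target": None}
    m = IPV4_PORT_TEXT.search(payload)
    if m:
        try:   # reject octets > 255 and ports outside 1..65535
            addr, port = ipaddress.IPv4Address(m.group(1).decode()), int(m.group(2))
            if 0 < port < 65536:
                finding["reasons"].append("embedded address and port")
                finding["target"] = (str(addr), port)
        except ValueError:
            pass
    return finding

# Constructed sample traffic using documentation (TEST-NET) addresses.
SAMPLES = [
    build_ipv4_icmp("198.51.100.10", "192.0.2.20", 8, bytes(16) + IPUTILS_TAIL),
    build_ipv4_icmp("198.51.100.11", "192.0.2.20", 8, WINDOWS_PAYLOAD),
    build_ipv4_icmp("198.51.100.12", "192.0.2.20", 8, b"MAGIC 203.0.113.5:4444"),
]
```

In practice the same check would be fed from a packet capture or an IDS's ICMP payload field, and any hit on a server that should never receive non-standard pings (such as an eDNS host) is worth an alert.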
The LightBasin group has also been observed using a novel technique, which uses SGSN emulation software to support C2 activities in concert with TinyShell, an open-source Unix backdoor used by multiple threat actors. The attackers combined TinyShell with the publicly available SGSN emulator sgsnemu, which allowed them to tunnel TinyShell C2 traffic between the C2 server and the infected host via GTP through specific mobile stations.
Other malware used by the group includes the network scanning and packet capture utility CordScan, SIGTRANslator (a Linux ELF binary capable of sending and receiving data via various SIGTRAN protocols), and the Fast Reverse Proxy, Microsocks Proxy, and ProxyChains utilities.
“Given that companies within the telecommunications vertical are extensively targeted by highly advanced state-sponsored adversaries on a constant basis, these organizations need to have access to up-to-date and comprehensive threat intelligence resources so they can understand the threats facing the industry. This intelligence should also provide insights into the TTPs of adversaries that telecommunications companies are likely to encounter, across both the corporate network and critical telecommunications infrastructure, so that these insights can then be used to further augment detection mechanisms and inform on decisions regarding existing security controls,” CrowdStrike said.