These stealthy hackers avoid Windows but target Linux as they look to steal phone data

Dubbed LightBasin, the stealthy attack group appears to be an intelligence gathering operation, warn researchers.
Written by Danny Palmer, Senior Writer

A stealthy hacking group is infiltrating telecommunications companies around the world in a campaign that researchers have linked to intelligence gathering and cyber espionage. 

The campaign, which has been active since at least 2016, has been detailed by cybersecurity researchers at CrowdStrike, who've attributed the activity to a group they call LightBasin – also known as UNC1945.  

It's believed that, since 2019, the offensive hacking group has compromised at least 13 telecommunication companies with the aim of stealing information about mobile communications infrastructure, including subscriber information and call metadata – and in some cases, direct information about what data smartphone users are sending and receiving via their devices. 

SEE: A winning strategy for cybersecurity (ZDNet special report) 

"The nature of the data targeted by the LightBasin aligns with information likely to be of significant interest to signals intelligence organisations. Their key motives are likely a combination of surveillance, intelligence, and counterintelligence collection," Adam Meyers, SVP of Intelligence at CrowdStrike, told ZDNet. 

"There is significant intelligence value to any state-sponsored adversary that's likely contained within telecommunications companies," he added. 

The exact origins of LightBasin aren't disclosed, but researchers suggest that the author of tools used in attacks has knowledge of the Chinese language – although they don't go as far as to suggest a direct link with China or any other Chinese-speaking countries. 

The attackers employ extensive operational security measures in an effort to avoid detection and will only compromise Windows systems on target networks if absolutely necessary. LightBasin's primary focus is on Linux and Solaris servers that are critical for running telecommunications infrastructure – and are likely to have less security measures in place than Windows systems. 

Initial access to networks is gained via external DNS (eDNS) servers, which are part of the General Packet Radio Service (GPRS) network that connects different phone operators. Researchers discovered that LightBasin accessed one victim from a previously compromised victim. It's likely that initial access to original victims is gained by exploiting weak passwords via the use of brute force attacks

Once inside the network and calling back to a command and control server run by the attackers, LightBasin is able to drop TinyShell, an open-source Unix backdoor used by many cyber-criminal groups. By combining this technique with emulation software, the attacker is able to tunnel traffic from the telecommunications network. 

Other tools deployed in campaigns include CordScan, a network scanner that enables the retrieval of data when dealing with communications protocols.  

LightBasin has the ability to do this work with many different telecommunications architectures, indicating what researchers describe as "robust research and development capabilities to target vendor-specific infrastructure commonly seen in telecommunications environments" and something "consistent with a signals intelligence organization" – or in other words, an espionage campaign. 

However, despite their best efforts to remain hidden, there are some elements of the campaigns that means they can be discovered and identified, such as not encrypting binaries while using SteelCorgi, a known ATP espionage tool. There's also evidence of the same tools and techniques being used in the networks of compromised telecommunications providers, pointing towards a singular entity being behind the whole campaign. 

SEE: This new ransomware encrypts your data and makes some nasty threats, too

It's believed that LightBasin is still actively targeting telecommunications providers around the world. 

"Given LightBasin's usage of bespoke tools and in-depth knowledge of telecommunications network architectures, we've seen enough to realize the threat LightBasin poses is not localized and could affect organizations outside of the ones we work with," said Meyers. 

"The potential payoff to these threat actors in terms of intelligence gathering and surveillance is just too big for them to walk away from," he added. 

To protect networks from this and other cyberattacks, it's recommended that telecommunications companies ensure that the firewalls responsible for GPRS networks have rules applied that mean they can only be accessed via expected protocols.

"Securing a telecommunications organization is by no means a simple task, especially with the partner-heavy nature of such networks and the focus on high-availability systems; however, with the clear evidence of a highly sophisticated adversary abusing these systems and the trust between different organizations, focusing on improving the security of these networks is of the utmost importance," the CrowdStrike blog post said. 


Editorial standards