LightBasin continues to target the telecommunications sector
LightBasin, also known as UNC1945, is an Advanced Persistent Threat (APT) cluster that has been targeting telecommunications networks worldwide since at least 2016.
It relies on custom tools and in-depth knowledge of telecommunications network architectures.
That knowledge of telecommunications protocols lets it reach data such as subscriber information and call metadata with relative ease.
Read on for more insight
Table of Contents:
- Analysis by Crowdstrike
- GPRS eDNS Servers
- Serving GPRS Support Node (SGSN) Emulation
- Other Utilities
- Similar attacks in the past
Analysis by CrowdStrike
Adam Meyers, vice president of Intelligence at CrowdStrike, said of the report:
This assessment is made with high confidence and is based on techniques, tactics and procedures (TTPs), target scope, and objectives exhibited by this activity cluster. We don't have attribution-level data, we suspect some, but we haven't got to the point where we feel comfortable delineating it as the activity of a nation-state.
Let's take a look at what the CrowdStrike VP of Intelligence says:
- LightBasin compromised one telecommunication company's external DNS (eDNS) servers, which are part of the General Packet Radio Service (GPRS) network and play a role in roaming between mobile operators, and used them to connect to other compromised operators' GPRS networks via SSH and previously established implants.
They have tools specifically tailored for targeting the global telephony infrastructure, and they are very good at what they do. LightBasin is a pretty advanced actor. They don't even need to employ malware on mobile devices because they are inside the carrier network.
- Meyers says the custom tools used by the threat actor are designed mainly to gather call metadata and International Mobile Subscriber Identity (IMSI) data on mobile phone users.
- These tools provide access to subscriber data that lets the threat actor collect call information, text messages, and other data useful for intelligence purposes, for example to monitor and track targeted individuals with high accuracy.
Because LightBasin compromises the carrier network itself, it doesn't need mobile spyware such as Pegasus, which some government-linked organizations use to spy on individuals.
- The limited telemetry CrowdStrike has gathered on LightBasin hints at overlaps with China-based groups.
A great deal of information could be collected and later used to hunt down detractors and dissidents, who are likely to be of interest to a government such as the Chinese regime.
- The collected data is not, however, enough to attribute the activity to a group from that country: the available evidence is currently insufficient to link the cluster's activity to a specific country-nexus.
GPRS eDNS Servers
LightBasin accessed the first eDNS server via SSH, and evidence of password-spraying attempts using extremely weak and third-party-focused passwords was uncovered on it. LightBasin then deployed its SLAPSTICK PAM backdoor on the system to siphon credentials into an obfuscated text file.
Later, LightBasin regained access to several eDNS servers and deployed an ICMP traffic-signaling implant named PingPong.
The implant waits for a magic ICMP echo request; once that packet reaches the system, PingPong establishes a reverse TCP shell to the IP address and port carried inside the magic packet. Because the trigger arrives as ordinary-looking ICMP, the activity blends in with legitimate traffic.
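To make the trigger mechanism concrete, here is an added example (not CrowdStrike's analysis code and not the implant itself) that parses raw IPv4/ICMP frames, verifies the ICMP checksum, separates echo requests carrying the payloads common ping tools emit from ones that do not, and, for a hypothetical marker/IPv4/port layout assumed here because the real PingPong format is not given on this page, extracts the callback address. All sample frames are constructed.

```python
"""Classify IPv4 ICMP echo requests by payload, to surface PingPong-style
magic-packet triggers among ordinary pings.  Added example; the real PingPong
packet layout is not documented on this page, so HYPOTHETICAL_MAGIC and the
marker/IPv4/port layout below are assumptions made for illustration."""
import socket
import struct

# Payload shapes of common ping tools (assumption from typical captures):
# Windows ping repeats the alphabet; iputils puts an 8-byte timestamp first,
# then bytes 0x10, 0x11, 0x12, ...
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
HYPOTHETICAL_MAGIC = b"PONG"  # constructed marker, not the implant's real one


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a correctly checksummed packet sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_icmp_echo(frame: bytes):
    """Return (src, dst, payload) for a well-formed IPv4 echo request, else None."""
    if len(frame) < 28 or frame[0] >> 4 != 4 or frame[9] != 1:  # IPv4, proto 1 = ICMP
        return None
    ihl = (frame[0] & 0x0F) * 4
    icmp = frame[ihl:]
    if len(icmp) < 8 or icmp[0] != 8:  # type 8 = echo request
        return None
    if icmp_checksum(icmp) != 0:  # drop corrupted or forged-checksum packets
        return None
    return socket.inet_ntoa(frame[12:16]), socket.inet_ntoa(frame[16:20]), icmp[8:]


def looks_like_standard_ping(payload: bytes) -> bool:
    if payload == WINDOWS_PAYLOAD:
        return True
    n = len(payload) - 8
    return 0 < n <= 0xF0 and payload[8:] == bytes(range(0x10, 0x10 + n))


def classify_echo_request(frame: bytes) -> dict:
    parsed = parse_icmp_echo(frame)
    if parsed is None:
        return {"verdict": "not-echo-request"}
    src, dst, payload = parsed
    result = {"src": src, "dst": dst, "payload_len": len(payload)}
    if looks_like_standard_ping(payload):
        result["verdict"] = "benign-ping"
    elif payload.startswith(HYPOTHETICAL_MAGIC) and len(payload) >= 10:
        # Hypothetical trigger layout: marker | IPv4 callback | TCP port
        c2_ip = socket.inet_ntoa(payload[4:8])
        c2_port = struct.unpack("!H", payload[8:10])[0]
        result.update(verdict="magic-packet", c2=f"{c2_ip}:{c2_port}")
    else:
        result["verdict"] = "suspicious-payload"
    return result


def build_echo_request(src: str, dst: str, payload: bytes) -> bytes:
    """Assemble a minimal IPv4+ICMP frame (used here only to construct samples)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp


# Constructed sample frames, not real captures.
SAMPLE_FRAMES = {
    "linux_ping": build_echo_request("10.0.0.5", "10.0.0.10",
                                     b"\x00" * 8 + bytes(range(0x10, 0x40))),
    "windows_ping": build_echo_request("10.0.0.6", "10.0.0.10", WINDOWS_PAYLOAD),
    "magic": build_echo_request("192.0.2.50", "10.0.0.10",
                                HYPOTHETICAL_MAGIC + socket.inet_aton("192.0.2.50")
                                + struct.pack("!H", 4444)),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, classify_echo_request(frame))
```

The allowlist of known ping payloads is the weak point of this approach: an implant can mimic them, so in practice the "suspicious-payload" class should be treated as a hunting lead to correlate with outbound TCP connections from the pinged host, not as a verdict on its own.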
Serving GPRS Support Node (SGSN) Emulation
LightBasin uses a novel technique in which SGSN emulation software supports its C2 activity in concert with TinyShell.
The emulation software lets the adversary tunnel traffic through the telecommunications network itself.
Scripts run repeatedly to establish a tunnel to a specified mobile station, which in turn acts as a tunnel to the TinyShell C2 server, but only for 30 minutes each day.
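The 30-minutes-a-day pattern is itself a detection opportunity. As an added example (not part of the CrowdStrike report), the following Python scans constructed flow records for source/destination pairs that appear on several distinct days inside a short window that starts at nearly the same time of day; the log format, thresholds and addresses are assumptions made for illustration.

```python
"""Flag flows that recur every day inside a short, fixed time-of-day window.
Added example, not CrowdStrike's or LightBasin's code; the flow-log format
(timestamp src dst proto) and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def parse_flows(lines):
    """Parse 'YYYY-MM-DDTHH:MM:SS src dst proto' records, skipping comments."""
    flows = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, proto))
    return flows


def find_daily_windows(flows, min_days=3, max_span_min=30, max_jitter_min=5):
    """Return (src, dst, proto) pairs seen on >= min_days distinct days whose
    per-day activity fits inside max_span_min minutes and starts at nearly the
    same minute of the day (pstdev of the daily start <= max_jitter_min).
    Windows that straddle midnight are not handled; adjust the start metric
    if your data has them."""
    by_pair = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, proto in flows:
        by_pair[(src, dst, proto)][ts.date()].append(ts)

    findings = []
    for (src, dst, proto), days in by_pair.items():
        if len(days) < min_days:
            continue
        starts, spans = [], []
        for stamps in days.values():
            first, last = min(stamps), max(stamps)
            starts.append(first.hour * 60 + first.minute + first.second / 60)
            spans.append((last - first).total_seconds() / 60)
        if max(spans) <= max_span_min and pstdev(starts) <= max_jitter_min:
            findings.append({
                "src": src, "dst": dst, "proto": proto, "days": len(days),
                "start_min_of_day": round(mean(starts)),
                "max_span_min": round(max(spans), 1),
            })
    return findings


def constructed_flow_log():
    """Four days of constructed flow records (not real telemetry)."""
    lines = ["# timestamp src dst proto"]
    for day in range(1, 5):
        base = datetime(2021, 10, day)
        # Suspected tunnel: ~25 minutes starting at 02:00 +/- 2 minutes daily.
        start = base + timedelta(hours=2, minutes=day % 3)
        for m in (0, 7, 14, 25):
            t = start + timedelta(minutes=m)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%S} 10.10.1.20 10.20.5.7 gtp")
        # Nightly backup: also daily, but it runs for two hours.
        for m in (0, 60, 120):
            t = base + timedelta(hours=1, minutes=m)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%S} 10.10.1.20 10.30.0.9 tcp")
        # DNS chatter spread across the whole day.
        for h in (3, 9, 15, 21):
            t = base + timedelta(hours=h, minutes=day * 7)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%S} 10.10.1.20 10.40.0.53 dns")
    return lines


if __name__ == "__main__":
    for hit in find_daily_windows(parse_flows(constructed_flow_log())):
        print(hit)
```

Only the short, punctual daily window is flagged; the equally regular two-hour backup and the all-day DNS traffic fall outside the span filter. Tune the thresholds to the operator's own baseline before relying on this as an alert.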
Other Utilities
CordScan is a network scanning and packet capture utility with built-in logic to fingerprint and retrieve additional data from the telecommunications protocols used by SGSNs.
CrowdStrike identified multiple versions of this utility, including one cross-compiled for ARM architecture systems such as Huawei's commercial CentOS-based operating system EulerOS.
SIGTRANslator sends and receives data via various SIGTRAN protocols, which carry public switched telephone network (PSTN) signaling over IP networks.
It retrieves crucial metadata, such as the telephone numbers associated with a specific mobile station.
Fast Reverse Proxy (FRP) is an open-source utility that provides general access to the eDNS servers.
A lightweight SOCKS5 proxy server (Microsocks) acts as a pivot to internal systems.
ProxyChains chains proxies together and forces network traffic through that chain, regardless of whether the program generating the traffic supports proxies itself.
It uses a configuration file to specify the proxies in use. The recovered configuration file contains a mixture of local IP addresses,
LightBasin also uses its own OPSEC-aware binary packer.
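To show what a pivot through a SOCKS5 proxy looks like on the wire, here is an added example (not Microsocks or ProxyChains code) that implements both sides of the RFC 1928 method negotiation and CONNECT request, and parses a captured client-to-proxy stream back into the internal destination that was reached, which is what an investigator wants from a pivot capture. The sample addresses are constructed.

```python
"""Encode and decode the SOCKS5 (RFC 1928) handshake and CONNECT request, as a
proxy or a forensic parser would see them.  Added example, not Microsocks or
ProxyChains code; the sample destinations below are constructed."""
import socket
import struct

VER = 5
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def build_greeting(methods=(NO_AUTH,)) -> bytes:
    """Client -> proxy: VER NMETHODS METHODS."""
    return bytes([VER, len(methods), *methods])


def select_method(greeting: bytes) -> bytes:
    """Proxy -> client: VER METHOD (NO_ACCEPTABLE if nothing offered is supported)."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    chosen = NO_AUTH if NO_AUTH in greeting[2:] else NO_ACCEPTABLE
    return bytes([VER, chosen])


def _pack_addr(host: str) -> bytes:
    """ATYP + address for an IPv4 literal, IPv6 literal, or domain name."""
    for atyp, family in ((ATYP_IPV4, socket.AF_INET), (ATYP_IPV6, socket.AF_INET6)):
        try:
            return bytes([atyp]) + socket.inet_pton(family, host)
        except OSError:
            continue
    raw = host.encode("idna")
    if len(raw) > 255:
        raise ValueError("domain name too long for SOCKS5")
    return bytes([ATYP_DOMAIN, len(raw)]) + raw


def build_request(host: str, port: int, cmd: int = 1) -> bytes:
    """Client -> proxy: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    return bytes([VER, cmd, 0]) + _pack_addr(host) + struct.pack("!H", port)


def parse_request(data: bytes):
    """Decode a request; returns (command, host, port, bytes_consumed).
    Every slice is length-checked first so a truncated capture raises instead
    of yielding a half-parsed address."""
    def need(n):
        if len(data) < n:
            raise ValueError("truncated request")
    need(4)
    if data[0] != VER or data[2] != 0 or data[1] not in CMD_NAMES:
        raise ValueError("not a SOCKS5 request")
    atyp, pos = data[3], 4
    if atyp == ATYP_IPV4:
        need(pos + 4)
        host = socket.inet_ntop(socket.AF_INET, data[pos:pos + 4])
        pos += 4
    elif atyp == ATYP_IPV6:
        need(pos + 16)
        host = socket.inet_ntop(socket.AF_INET6, data[pos:pos + 16])
        pos += 16
    elif atyp == ATYP_DOMAIN:
        need(pos + 1)
        n = data[pos]
        need(pos + 1 + n)
        host = data[pos + 1:pos + 1 + n].decode("idna")
        pos += 1 + n
    else:
        raise ValueError("unknown address type %d" % atyp)
    need(pos + 2)
    port = struct.unpack("!H", data[pos:pos + 2])[0]
    return CMD_NAMES[data[1]], host, port, pos + 2


def build_reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Proxy -> client: VER REP RSV ATYP BND.ADDR BND.PORT (REP 0 = succeeded)."""
    return bytes([VER, rep, 0]) + _pack_addr(bind_host) + struct.pack("!H", bind_port)


def pivot_target(client_stream: bytes):
    """Walk a captured client->proxy byte stream (greeting, then the request)
    and return (command, host, port) of the destination reached through the pivot."""
    nmethods = client_stream[1]
    select_method(client_stream[:2 + nmethods])  # validates the greeting
    cmd, host, port, _ = parse_request(client_stream[2 + nmethods:])
    return cmd, host, port


# Constructed sample: a pivot through the proxy to an internal SSH port.
SAMPLE_STREAM = build_greeting() + build_request("10.20.5.7", 22)

if __name__ == "__main__":
    print(pivot_target(SAMPLE_STREAM))
```

Because SOCKS5 requests carry the destination in clear text, a capture on the proxy host (or a netflow record of its inbound side) is enough to reconstruct which internal systems an attacker pivoted to; the same parser applies to any chained hop in a ProxyChains setup.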
Similar attacks in the past
This isn't the first incident in which hackers have gone after mobile carrier networks.
In 2019, Cybereason reported that a nation-state-backed hacking operation originating from China had broken into 13 different telecommunications enterprises.
The firm did not reveal the names of the hacked companies.
"Someone was actively accessing the network, moving from computer to computer, siphoning and stealing credentials out. In short, hundreds of gigabytes of data," says Amit Serper, a principal security researcher at Cybereason.
The firm said that the hackers targeted companies in Asia, Europe, the Middle East, and parts of Africa and gained access to vital information such as call data records and the geolocation of users.
Another case, in the US, was detailed by the US Department of Justice (DoJ), which described the compromise of the telecom carrier AT&T.
According to the DoJ, AT&T call center employees took bribes to unlock millions of smartphones and to install malware on AT&T's internal systems, giving the scheme's operators unauthorized access.
The leader of this seven-year scheme, Muhammad Fahd, was later sentenced to 12 years in prison.
On August 17, 2021, T-Mobile learned that a threat actor had gained illegal access to its systems and acquired personal data. The evidence indicates that the first unauthorized access to T-Mobile systems took place on March 18, 2021.
A subset of T-Mobile data had been accessed by unauthorized individuals, and the data stolen from its systems included some personal information.
The exact personal information affected varies from individual to individual.
The types of affected information included:
- Drivers' licenses
- Government identification numbers
- Social Security numbers
- Dates of birth
- T-Mobile prepaid PINs
- Physical address
- Phone number(s)
Social Security numbers and government identification numbers are collected in connection with prospective and current customers' applications for service and eligibility determinations.
T-Mobile said it was working to address the event and taking immediate steps to protect all individuals who may be at risk.
On October 13, Verizon's Visible confirmed that some customers had lost control of their accounts, had their passwords and shipping addresses changed, and in some cases were billed for new, expensive iPhones.
Visible said that some member accounts had been accessed and/or changed without authorization.
It said it responded quickly, deploying tools to mitigate the issue and enabling additional controls to further protect customers.
Its investigation found that threat actors had obtained usernames and passwords from outside sources and used those credentials to log into Visible members' accounts, a credential-stuffing attack.
Security professionals have long warned about weaknesses in telecom technologies, ranging from Signaling System 7 (SS7) in legacy 2G/3G signaling to IMSI catchers.
CrowdStrike's recommendations for telecom operators come down to three points:
- Firewalls restricted to expected protocols
- Incident response investigations that cover partner systems
- Up-to-date threat intelligence resources
Telecommunications companies should restrict network traffic to only the protocols that are expected, such as DNS or GTP.
Restricting traffic alone will not solve the problem, however, since LightBasin can use the permitted telecommunications protocols themselves for command and control.
CrowdStrike recommends that any incident response investigation cover all partner systems alongside the systems the organization manages itself.
Telecommunications companies are constantly exposed to advanced state-sponsored adversaries.
These organizations should have access to up-to-date and comprehensive threat intelligence resources so they can understand the threats facing the industry.
Securing a telecom organization is not a simple task; it is nonetheless essential to stop this kind of adversary abuse and improve telecom security in order to avoid future data breaches.
Providing maximum data security to its subscribers should be a priority for every telecom.