LightBasin Operation Compromises 13 Global Telcos in Two Years

Researchers have uncovered a “highly sophisticated” two-year espionage campaign against global telcos that has already compromised 13 organizations.

Dubbed “LightBasin” by CrowdStrike, the group UNC1945 was actually uncovered by Mandiant in November last year. At that time, its targets were MSPs and their customers in finance and consulting.

According to CrowdStrike, LightBasin has been active since at least 2016, but the current campaign dates back to 2019.

It revealed that the group used custom tools and “in-depth knowledge” of telecoms networks to compromise its targets.

“Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata,” it claimed.

Operating with a high level of OPSEC, the group established implants on the Linux and Solaris servers popular in the telecoms sector.

At least one provider was compromised via their GPRS-supporting external DNS (eDNS) servers. The group accessed the organization via SSH from another compromised target, using password spraying techniques for initial compromise.

LightBasin then deployed its own Slapstick PAM backdoor for further access, password theft and persistence. The group used a separate custom tool in another part of the operation, an implant dubbed “PingPong.” This spawned reverse shells and communicated via TCP port 53 with compromised servers in other victim organizations — in an attempt to disguise its activity.

“The key recommendation here is for any telecommunications company to ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP,” the report urged.

If telcos believe they have already been compromised, CrowdStrike recommended a full incident response investigation that extends to all partner systems.

The report described the group not as a nation-state entity but as a “targeted intrusion actor.” However, there are some links to China, and the data it has been stealing would apparently be helpful to signal intelligence.

“Notably, data that is sent to and from the remote C2 is encrypted with the hard-coded XOR key wuxianpinggu507. This Pinyin translates to ‘unlimited evaluation 507’ or ‘wireless evaluation 507’,” it noted.

“The identification of a Pinyin artifact indicates the developer of this tool has some knowledge of the Chinese language; however, CrowdStrike Intelligence does not assert a nexus between LightBasin and China.”

What’s Hot on Infosecurity Magazine?