LightBasin, a sophisticated and well-tracked adversary, has been targeting the telecommunications industry in a string of intrusions designed to collect high-value data, such as subscriber information and call metadata, from mobile communication infrastructure.
“The nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations,” cybersecurity firm CrowdStrike reported in an analysis published on Tuesday.
The group is believed to have compromised at least 13 telecommunications companies since 2019, using a range of custom tools and techniques to break into and move between the operators' networks.
The identities of the entities targeted were not disclosed, and the findings did not link the cluster’s activities to a specific country.
In the intrusions CrowdStrike investigated, the actor used the external DNS (eDNS) servers that sit on an operator's GPRS network to connect to and from the GPRS networks of other compromised operators, both over SSH and through previously planted backdoors such as PingPong. Initial access was gained by password spraying against weak or default credentials, after which the actor installed the SLAPSTICK malware to harvest passwords from the compromised hosts.
That foothold lets the actor execute commands and carry its command-and-control traffic over GPRS network access points rather than over the operator's internet-facing perimeter.
Among the tools in LightBasin's arsenal are "CordScan," a network scanning and packet capture utility that fingerprints telecom-specific protocols and infrastructure, and "SIGTRANslator," which sends and receives data over SIGTRAN, the protocol suite that carries SS7 telephony (PSTN) signaling over IP networks.
“It is not surprising that servers would need to communicate with one another as part of roaming agreements between telecommunications companies; however, LightBasin’s ability to pivot between multiple telecommunications companies stems from permitting all traffic between these organizations without identifying the protocols that are actually required,” CrowdStrike noted.
“As such, the key recommendation here is for any telecommunications company to ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP,” the company added.
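The pivot described earlier (SSH into eDNS servers from a partner's GPRS network) and the firewall recommendation above come down to one check: on the GRX-facing interface, accept only the protocols the roaming agreement actually needs and treat everything else as a finding. What follows is an added example, not CrowdStrike's code or anything from the report, that applies such an allowlist to constructed flow records and renders the same policy as an nftables chain with a default drop. The partner prefixes, the eDNS address 203.0.113.53, the interface name gp0 and the flow records are all assumptions made for illustration; the set of allowed protocols should be taken from the real roaming agreement.

```python
"""Allowlist review for inter-carrier (GRX/IPX) traffic on a GPRS edge.

Added example, not code from CrowdStrike or from the report. The partner
address ranges, the eDNS server address, the interface name and the flow
records are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the roaming agreement needs only GTP-C, GTP-U and DNS.
# Anything else crossing the interconnect is a finding, SSH included.
ALLOWED = {
    ("udp", 2123): "GTP-C",
    ("udp", 2152): "GTP-U",
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
}

# Constructed roaming-partner ranges (documentation prefixes, not real GRX space).
PARTNER_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp", "tcp" or "icmp"
    dport: int   # 0 for protocols without ports


def from_partner(addr: str) -> bool:
    """True when the source address belongs to a known roaming partner."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PARTNER_NETS)


def classify(flow: Flow) -> tuple:
    """Return ("allow", service) or ("deny", reason) for one flow."""
    if not from_partner(flow.src):
        return ("deny", "source is not a known roaming partner")
    service = ALLOWED.get((flow.proto, flow.dport))
    if service is None:
        return ("deny", f"{flow.proto}/{flow.dport} is not in the roaming allowlist")
    return ("allow", service)


def review(flows):
    """Split flows into allowed (flow, service) and denied (flow, reason) lists."""
    allowed, denied = [], []
    for f in flows:
        verdict, detail = classify(f)
        (allowed if verdict == "allow" else denied).append((f, detail))
    return allowed, denied


def nft_rules(iface: str = "gp0") -> str:
    """Render the same allowlist as an nftables input chain with policy drop.

    Assumption: the GRX-facing interface is called gp0; adjust as needed."""
    nets = ", ".join(str(n) for n in PARTNER_NETS)
    lines = [
        "table inet grx {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
    ]
    for (proto, port), svc in sorted(ALLOWED.items()):
        lines.append(
            f'    iifname "{iface}" ip saddr {{ {nets} }} {proto} dport {port} '
            f'accept comment "{svc}"'
        )
    # Everything else from the interconnect is logged and dropped.
    lines.append(f'    iifname "{iface}" log prefix "grx-drop " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flows as an edge device might export them. The eDNS server
# at 203.0.113.53 is the kind of host the SSH pivot in the report targets.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.53", "udp", 53),      # partner resolving our APN: expected
    Flow("192.0.2.10", "203.0.113.20", "udp", 2123),    # GTP-C toward our GGSN: expected
    Flow("192.0.2.10", "203.0.113.20", "udp", 2152),    # GTP-U user-plane tunnel: expected
    Flow("198.51.100.7", "203.0.113.53", "tcp", 22),    # SSH from a partner to the eDNS host
    Flow("198.51.100.7", "203.0.113.53", "tcp", 8080),  # arbitrary TCP service
    Flow("203.0.113.99", "203.0.113.53", "udp", 2123),  # GTP from a non-partner address
]

if __name__ == "__main__":
    allowed, denied = review(SAMPLE_FLOWS)
    for f, svc in allowed:
        print(f"allow {f.src} -> {f.dst} {f.proto}/{f.dport} ({svc})")
    for f, why in denied:
        print(f"DENY  {f.src} -> {f.dst} {f.proto}/{f.dport}: {why}")
    print(nft_rules())
```

Run against exported flow records from the GRX edge, the deny list is the hunt list: an SSH session from a partner prefix to an eDNS host is exactly the cross-operator pivot the report describes, and it only succeeds where the interconnect firewall permits all traffic between operators instead of the few protocols roaming requires.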
The findings come shortly after security firm Symantec revealed details of a previously unknown advanced persistent threat group that it tracks as Harvester, which has targeted telecommunications, government and information technology organizations in South Asia since June 2021 using a custom backdoor called "Graphon."