A sophisticated and likely state-backed threat actor is targeting telecommunications companies worldwide in a campaign that appears designed to collect information of interest to signals intelligence organizations.
What makes the group especially dangerous is its use of custom tools and its in-depth knowledge of telecommunications protocols and architectures to carry out the attacks, CrowdStrike warned in a report describing the threat actors' modus operandi in detail.
CrowdStrike is tracking the group as "LightBasin" and describes the outfit as carrying out targeted attacks against telecom firms since 2016 and possibly before that. The threat actor has compromised at least 13 telecom networks worldwide since 2019 and appears set to breach more organizations, the security vendor said.
"[LightBasin] is a pretty advanced actor," says Adam Meyers, vice president of intelligence at CrowdStrike. "They have very bespoke tools that are meant to target the global telephony infrastructure and they are very good at what they do."
Meyers says the custom tools the threat actor uses are designed mainly to collect International Mobile Subscriber Identity (IMSI) data and call metadata on mobile phone users. The access these tools provide to subscriber data lets the threat actor collect text messages, call records, and other data that would allow an intelligence outfit, for instance, to monitor and track targeted individuals with great accuracy.
Because LightBasin compromises the telecom carriers themselves, it does not need mobile spyware such as Pegasus, which several governments around the world are believed to use to conduct surveillance on individuals of interest.
"They don't need to employ malware on mobile devices because they are inside the carrier network," Meyers says. "There's a lot of information they can collect that would help them hunt down dissidents and detractors," who are likely to be of interest to a government such as the Chinese regime, he says.
Some of the telemetry on LightBasin that CrowdStrike has collected hints at overlaps with China-based groups. However, the data is not strong enough to definitively attribute the malicious activity to a group from that country. "We don't have attribution-level data," Meyers says. "There is some smoke, but we haven't got to the point where we feel comfortable delineating it as the activity of a nation-state."
In-Depth Knowledge of Telecom Networks
CrowdStrike said its analysis of LightBasin's activity shows the threat actor has very good knowledge of telecom architecture and protocols. One indication is the threat actor's ability to emulate what are essentially proprietary protocols to facilitate command-and-control communications. In one recent incident that CrowdStrike analyzed, the threat group gained initial access to a telecom organization's network via its external DNS (eDNS) servers, which it used to connect directly with the General Packet Radio Service (GPRS) network of other compromised telecom companies.
Among the multiple tools in LightBasin's malware toolkit is a network scanning and packet capture utility called "CordScan" that allows the threat actor to fingerprint various brands of mobile devices. Another tool it has been observed using is "SIGTRANslator," an executable that allows LightBasin actors to transmit data via SIGTRAN, a set of telecom-specific protocols that are used to carry public switched telephone network (PSTN) signaling over IP networks.
In addition, the threat group has used open source utilities such as Fast Reverse Proxy, Microsocks Proxy, and ProxyChains for tasks such as accessing eDNS servers, moving between internal systems, and forcing network traffic through a specific chain of proxy systems, CrowdStrike said.
LightBasin's tactic is to install its malware across the Linux and Solaris servers commonly present in telecom networks. The group has focused specifically on systems in the GPRS network, such as external DNS systems, service delivery platforms, systems used for SIM/IMEI provisioning, and operations support systems.
"We have seen enough of [LightBasin] since 2019 that we felt at this point they have become a problem that is globalized," Meyers says. The reason CrowdStrike issued the alert on the group this week, he adds, is to give targeted organizations actionable information to detect if the attackers are already present on their network and to protect against them.