A sophisticated hacking operation has spent the last five years covertly monitoring telecommunications networks around the world.
According to a new report from CrowdStrike, an advanced persistent threat (APT) group known as "LightBasin" or UNC1945 abused some of the unique protocols that telcos use to communicate with each other in order to disguise its data-stealing activity. In a blog post Tuesday, the threat detection vendor said it detected LightBasin activity in a recent CrowdStrike Services investigation in which threat actors had compromised a telco's external DNS servers to covertly connect to other compromised telcos through their General Packet Radio Service (GPRS) networks.
With operations dating back to 2016, CrowdStrike believes LightBasin has been able to infiltrate the corporate networks of at least 13 different telecommunications operators in order to conduct signals intelligence monitoring. CrowdStrike said that while the exact location and backing of the group are not known, its behavior and language patterns point to a Chinese state-sponsored operation.
One thing that sets the LightBasin group apart, CrowdStrike said, is that it appears to be exclusively focused on the technology and protocols used by telco operators.
The hackers largely eschew attacks on Windows machines and instead target servers and appliances running Linux and Solaris, the two operating systems that underpin many of the servers and network appliances the industry employs. Mandiant last year observed the threat group, identified as UNC1945, infiltrating Solaris and Linux systems inside telco networks and evading detection through customized virtual machines and SSH tunnels.
Additionally, many of the attack and monitoring tools the group employs appear to be specialized pieces of software purpose-built for LightBasin, rather than off-the-shelf tools designed for more general operations.
"This group is somewhat specialized for this type of activity," Adam Meyers, CrowdStrike's senior vice president of intelligence, told SearchSecurity.
"We do not see a lot of overlap. They use proprietary tools or some publicly available tools, but the operating specialty of this group is within telcos."
Part of that specialty, according to CrowdStrike, is taking advantage of some lesser-known networking protocols in order to hide its operations.
Once their malware is established on a system, the LightBasin hackers prefer to conceal their traffic within GPRS connections via SSH. By emulating the servers that would handle GPRS, a protocol telcos use to connect the networks of different companies and carriers in order to send data, the attackers are able to conceal their tracks.
This, in turn, allows them to send and receive data between infected systems and command and control servers without ever tipping off the victim's firewall or other security monitoring tools.
Meyers said that while not technically complex, the practice of disguising traffic as a common inter-network protocol was a clever way to help the group operate for extended periods without detection.
"I don't know that it is hard to detect," Meyers explained. "It is just a matter of companies having not really thought to look there for threat actor activity."
Fortunately, administrators can take some basic steps to stop such attacks. In particular, CrowdStrike recommended that firewalls handling GPRS traffic be configured to limit access to DNS or GPRS Tunneling Protocol (GTP) traffic, in order to filter out possible malware and remote-controlled payloads.
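As an added illustration of the allowlist approach CrowdStrike recommends (this is example code written for this article, not CrowdStrike's tooling or any telco's configuration), the script below audits flow records from a GPRS-facing firewall interface and flags anything that is not GTP-C, GTP-U or DNS exchanged with a known roaming peer. The port numbers are the standard ones (GTP-C udp/2123, GTP-U udp/2152, DNS 53); the interface name `grx0`, the peer address ranges, the key=value log format and the sample log lines are all constructed for the demo and would be replaced with an operator's own values.

```python
"""Allowlist audit for flows crossing a GPRS/GRX-facing firewall interface.

Added example, not from the CrowdStrike report. Anything on the GPRS-facing
interface that is not GTP or DNS, or that talks GTP/DNS with an address that
is not a known roaming peer, is reported. An SSH session riding over that
link (the kind of traffic the article describes) shows up as a finding.
"""
from dataclasses import dataclass
import ipaddress

# Standard service ports: GTP-C udp/2123, GTP-U udp/2152, DNS udp+tcp/53.
ALLOWED_SERVICES = {("udp", 2123), ("udp", 2152), ("udp", 53), ("tcp", 53)}

# Constructed: address ranges of roaming partners reachable over the GRX link.
ALLOWED_PEERS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

GRX_IFACE = "grx0"  # assumed name of the GPRS-facing interface


@dataclass
class Flow:
    iface: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed key=value flow record, e.g.
    'iface=grx0 src=198.51.100.7 dst=10.0.5.2 proto=udp dport=2123'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(
        iface=fields["iface"],
        src=fields["src"],
        dst=fields["dst"],
        proto=fields["proto"].lower(),
        dport=int(fields["dport"]),
    )


def peer_allowed(addr: str) -> bool:
    """True if the address falls inside a known roaming-peer range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_PEERS)


def classify(flow: Flow) -> str:
    """Return 'allow', or a short reason why the flow violates the policy."""
    if flow.iface != GRX_IFACE:
        return "allow"  # only the GPRS-facing interface is policed here
    if (flow.proto, flow.dport) not in ALLOWED_SERVICES:
        return f"unexpected service {flow.proto}/{flow.dport} on {GRX_IFACE}"
    if not (peer_allowed(flow.src) or peer_allowed(flow.dst)):
        return "allowed service but neither endpoint is a known roaming peer"
    return "allow"


def audit(lines):
    """Return (line, reason) pairs for every record that is not allowed."""
    findings = []
    for line in lines:
        reason = classify(parse_flow(line))
        if reason != "allow":
            findings.append((line, reason))
    return findings


# Constructed sample records: two legitimate GTP flows from a roaming peer,
# an SSH session leaving over the GRX link, DNS to an unknown host, and an
# internal SSH session on a different interface that this policy ignores.
SAMPLE_LOG = [
    "iface=grx0 src=198.51.100.7 dst=10.0.5.2 proto=udp dport=2123",
    "iface=grx0 src=198.51.100.7 dst=10.0.5.2 proto=udp dport=2152",
    "iface=grx0 src=10.0.5.9 dst=192.0.2.44 proto=tcp dport=22",
    "iface=grx0 src=10.0.5.9 dst=192.0.2.44 proto=udp dport=53",
    "iface=eth0 src=10.0.1.1 dst=10.0.5.2 proto=tcp dport=22",
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG):
        print(f"FLAG: {reason}\n      {line}")
```

The same allow set (GTP-C, GTP-U, DNS to named peers, default deny) is what the firewall policy itself should express; running the audit over exported flow logs is a way to confirm the policy is actually in force and to surface the "places nobody thought to look" that Meyers describes.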