
How LightBasin Hacker Group Attacks Telecom Service Providers

The LightBasin (aka UNC1945) hacker group has been targeting the telecommunications sector at a global scale since at least 2016, according to CrowdStrike research.

Among the key takeaways to note:

  • The LightBasin group has "extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata."
  • LightBasin has successfully attacked at least 13 telecommunication companies dating back to at least 2019, CrowdStrike investigations found, though the group's activities started before that date.
  • Perhaps more concerning, the LightBasin group "will continue to target the telecommunications sector," CrowdStrike concluded.
LightBasin Attacks: Linux and Solaris Servers Targeted

The CrowdStrike statements essentially put telecom service providers worldwide on notice. They should also raise red flags among MSSPs and MSPs, many of which have business relationships with telecom companies.

The LightBasin attacks typically involve implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, CrowdStrike determined.

In one recent attack, LightBasin leveraged external DNS (eDNS) servers to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously established implants, a CrowdStrike investigation found.

How to Mitigate LightBasin Attacks

LightBasin’s ability to pivot between multiple telecommunications companies stems from permitting all traffic between these organizations without identifying the protocols that are actually required, CrowdStrike asserted.

To stop such attacks, telecommunications companies should ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP, CrowdStrike stated.

The problem? If you're already a LightBasin victim, restricting network traffic will not mitigate the attack. In that case, CrowdStrike recommends an incident response investigation that includes the review of all partner systems alongside all systems managed by the organization itself. (Yes, CrowdStrike itself has an incident response team.)
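As an added example (not CrowdStrike's or the article's own configuration), here is that allowlist expressed as an nftables ruleset for the firewall interface facing partner GPRS networks: the interface name and peer address range are assumed placeholders, and the GTP port numbers are the standard assignments (GTP-C 2123/udp, GTP-U 2152/udp, GTP' 3386).

```shell
#!/bin/sh
# Added example, not CrowdStrike's or the article's own configuration: an
# nftables allowlist for the firewall interface facing partner (roaming) GPRS
# networks. Interface name and peer range are assumed placeholders; the GTP
# ports are the standard ones (GTP-C 2123/udp, GTP-U 2152/udp, GTP' 3386).

GRX_IF="${GRX_IF:-grx0}"                 # assumed: partner-facing interface
GRX_PEERS="${GRX_PEERS:-10.200.0.0/16}"  # constructed: known roaming peers

# Write the ruleset to the file named in $1 and print its path.
write_grx_ruleset() {
  out="$1"
  cat > "$out" <<EOF
table inet grx_edge {
  set grx_peers {
    type ipv4_addr
    flags interval
    elements = { $GRX_PEERS }
  }
  chain grx_forward {
    type filter hook forward priority 0; policy drop;
    # Only police traffic arriving from the partner-facing interface here.
    iifname != "$GRX_IF" accept
    ct state established,related accept
    ip saddr != @grx_peers drop comment "not a known roaming peer"
    # Expected protocols only: DNS plus the GTP control, user and charging planes.
    udp dport 53 accept
    udp dport { 2123, 2152, 3386 } accept
    tcp dport 3386 accept
    # Anything else from partners (SSH included) is logged and dropped.
    log prefix "grx-drop: " drop
  }
}
EOF
  echo "$out"
}

# Generate the ruleset and, when nft is available and we are root,
# syntax-check it without loading it. Prints the ruleset path.
check_grx_ruleset() {
  f=$(write_grx_ruleset "${TMPDIR:-/tmp}/grx_edge.nft")
  if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    nft -c -f "$f" || return 1
  fi
  echo "$f"
}
```

The dropped-and-logged "grx-drop:" lines are what a SOC would watch for partner-originated SSH or other unexpected protocols, which is the pivot path described above.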

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.
