LightBasin hacking group targeting telecoms for at least five years
Posted by: GuidePoint Security
Published 10/27/21, 9:00am
A sophisticated group of cybercriminals known as LightBasin (or UNC1945), with connections to China-based groups, is behind at least five years’ worth of attacks on global mobile telecommunications companies, including several that are U.S.-based. The group primarily targets Linux and Solaris servers, with some activity against Windows systems.
The industry researchers who discovered the threat indicate that the LightBasin gang has broad knowledge of the telecommunications industry and an extensive understanding of standard telecom network architectures and protocols. Using this knowledge, the criminals can emulate telecom protocols to facilitate command and control (C2) operations and develop unique custom tools to steal critical information, such as metadata and International Mobile Subscriber Identity (IMSI) data. The criminals then use the data to monitor and track targeted individuals.
Researchers state that the gang has established persistence directly within the carrier networks, negating any need for malware to be installed on actual mobile devices.
LightBasin gang members often use brute-forcing techniques to enter targeted systems, followed by the installation and execution of custom malware (dubbed SLAPSTICK), a backdoor for the Solaris Pluggable Authentication Module (PAM) that grants system access based on a hardcoded password. The threat actors use this access to establish persistence and move laterally within the network.
Additional malicious tools used by LightBasin include a network scanning and packet capture utility called “CordScan” that gives the threat actor the ability to fingerprint specific mobile devices. Another type of malware used is called “SIGTRANslator,” which enables the criminals to transmit information through a set of telecom protocols used for “public switched telephone network” (PSTN) signaling over IP networks.
Next Steps
Industry researchers recommend that all telecoms confirm that the firewalls responsible for General Packet Radio Service (GPRS) are configured to restrict network traffic to only the expected protocols, such as DNS or GTP. If a telecom believes that it may already be a victim of LightBasin, the organization is strongly encouraged to work with an incident response and investigation provider.
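As an added illustration of the recommendation above (not code from the original post or from the researchers), the following script audits flow records from a GPRS-facing firewall against an allowlist of the expected protocols named in the text, DNS and GTP, and reports anything else. The flow-log format and sample records are constructed; the port numbers are the standard assignments (GTP-C UDP/2123, GTP-U UDP/2152, DNS 53).

```python
# Added example: flag traffic on a GPRS-facing firewall that falls outside the
# expected protocol set (DNS and GTP). The flow-log line format below is an
# assumed, constructed one: "src dst proto dport".
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Protocols a GPRS roaming firewall is expected to pass; anything else is flagged.
ALLOWED = {
    ("udp", 2123): "GTP-C",
    ("udp", 2152): "GTP-U",
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
}


def parse_flow(line):
    """Parse one constructed flow-log line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def audit_flows(lines):
    """Return (allowed, flagged). 'allowed' pairs each expected flow with its
    protocol label; 'flagged' lists flows whose protocol/port is unexpected."""
    allowed, flagged = [], []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        flow = parse_flow(line)
        label = ALLOWED.get((flow.proto, flow.dport))
        if label:
            allowed.append((flow, label))
        else:
            flagged.append(flow)
    return allowed, flagged


# Constructed sample records using RFC 5737 documentation addresses.
SAMPLE_FLOWS = """
# src dst proto dport
192.0.2.10 198.51.100.20 udp 2123
192.0.2.10 198.51.100.20 udp 2152
192.0.2.11 198.51.100.53 udp 53
192.0.2.12 198.51.100.20 tcp 22
192.0.2.12 198.51.100.20 tcp 445
""".strip().splitlines()

if __name__ == "__main__":
    ok, bad = audit_flows(SAMPLE_FLOWS)
    print(f"{len(ok)} expected flows, {len(bad)} unexpected:")
    for f in bad:
        print(f"  {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Run against real flow exports, the flagged list is the set of protocols the firewall policy should be blocking but is not.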