How LightBasin Hacker Group Attacks Telecom Service Providers
The LightBasin (aka UNC1945) hacker group has been targeting the telecommunications sector at a global scale since at least 2016, according to CrowdStrike research.
Among the key takeaways to note:
- The LightBasin group has “extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.”
- LightBasin has successfully attacked at least 13 telecommunication companies dating back to at least 2019, CrowdStrike investigations found, though the group’s activities started before that date.
- Perhaps more concerning, the LightBasin group “will continue to target the telecommunications sector,” CrowdStrike concluded.
LightBasin Attacks: Linux and Solaris Servers Targeted
The CrowdStrike statements essentially put telecom service providers worldwide on notice. It should also raise red flags among MSSPs and MSPs, many of which have business relationships with telecom companies.
The LightBasin attacks typically involve implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, CrowdStrike determined.
In one recent attack, LightBasin leveraged external DNS (eDNS) servers to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously established implants, a CrowdStrike investigation found.
How to Mitigate LightBasin Attacks
LightBasin’s ability to pivot between multiple telecommunications companies stems from permitting all traffic between these organizations without identifying the protocols that are actually required, CrowdStrike asserted.
To stop such attacks, telecommunications companies should ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP, CrowdStrike stated.
The problem? If you’re already a LightBasin victim, restricting network traffic will not mitigate the attack. In that case, CrowdStrike recommends an incident response investigation that includes the review of all partner systems alongside all systems managed by the organization itself. (Yes, CrowdStrike itself has an incident response team.)
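The allowlist principle behind that firewall advice, shown as an added example that is not part of the original article or CrowdStrike's research: a small audit script that checks interconnect flow records against the protocols the GPRS firewall is expected to pass, flags anything else (such as peer-to-peer SSH, the pivoting path described above), and emits the matching nftables-style accept rules. The constructed flow log uses documentation address ranges, and the assumption that only DNS, GTP-C and GTP-U are needed must be confirmed against each operator's peering agreements.

```python
from typing import NamedTuple

# Protocols the GPRS interconnect firewall is expected to pass (IANA ports for
# DNS and GTP). Assumption: an operator must confirm which ones it really needs.
EXPECTED = {
    ("udp", 53): "DNS",
    ("udp", 2123): "GTP-C",  # GTP control plane
    ("udp", 2152): "GTP-U",  # GTP user plane
}

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

# Constructed sample flow log ("src dst proto dport") using documentation
# address ranges, not real infrastructure.
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.20 udp 53
192.0.2.11 198.51.100.21 udp 2152
192.0.2.12 198.51.100.22 udp 2123
192.0.2.13 198.51.100.23 tcp 22
192.0.2.14 198.51.100.24 tcp 443
"""

def parse_flows(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip blank or malformed records
            src, dst, proto, dport = parts
            flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows

def classify(flow: Flow) -> str:
    """Allowlisted protocol name, or 'UNEXPECTED' if the firewall should drop it."""
    return EXPECTED.get((flow.proto, flow.dport), "UNEXPECTED")

def unexpected_flows(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Flows an allowlist firewall would have blocked, each with a reason."""
    findings = []
    for f in flows:
        if classify(f) == "UNEXPECTED":
            why = "SSH between peers" if f.dport == 22 else f"{f.proto}/{f.dport} not allowlisted"
            findings.append((f, why))
    return findings

def nft_rules() -> list[str]:
    """nftables-style accept rules derived from EXPECTED, then a default drop."""
    rules = [f"{p} dport {port} accept  # {name}" for (p, port), name in sorted(EXPECTED.items())]
    return rules + ["drop"]
```

Running `unexpected_flows(parse_flows(SAMPLE_FLOWS))` on the sample flags the SSH and HTTPS records while the DNS and GTP records pass; the same allowlist drives `nft_rules()`, so policy and audit cannot drift apart.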