How LightBasin Hacker Group Attacks Telecom Service Providers

The LightBasin (aka UNC1945) hacker group has been targeting the telecommunications sector at a global scale since at least 2016, according to CrowdStrike research.

Among the key takeaways to note:

LightBasin Attacks: Linux and Solaris Servers Targeted

The CrowdStrike statements essentially put telecom service providers worldwide on notice. It should also raise red flags among MSSPs and MSPs, many of which have business relationships with telecom companies.

The LightBasin attacks typically involve implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, CrowdStrike determined.

In one recent attack, LightBasin leveraging external DNS (eDNS) servers to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously established implants, a CrowdStrike investigation found.

How to Mitigate LightBasin Attacks

LightBasin’s ability to pivot between multiple telecommunications companies stems from permitting all traffic between these organizations without identifying the protocols that are actually required, CrowdStrike asserted.

To stop such attacks, telecommunications companies should ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP, CrowdStrike stated.

The problem? If you're already a LightBasin victim, restricting network traffic will not mitigate the attack. In that case, CrowdStrike recommends an incident response investigation that includes the review of all partner systems alongside all systems managed by the organization itself. (Yes, CrowdStrike itself has an incident response team.)