Telecommunications Providers Worldwide Are Targeted in Sophisticated Cyber-Espionage Campaign

Published: 23/11/2024   Category: security


LightBasin has displayed in-depth knowledge of telecom architectures and protocols in its attacks, security vendor warns.



A sophisticated and likely state-backed threat actor is targeting telecommunications companies worldwide in a campaign that appears designed to collect information of interest to signals intelligence organizations.
What makes the group especially dangerous is its use of custom tools and its in-depth knowledge of telecommunications protocols and architectures to carry out the attacks, CrowdStrike warned in a report describing the threat actor's modus operandi in detail.
CrowdStrike is tracking the group as LightBasin and describes the outfit as carrying out targeted attacks against telecom firms since 2016 and possibly before that. The threat actor has compromised at least 13 telecom networks worldwide since 2019 and appears set to breach more organizations, the security vendor said.
"[LightBasin] is a pretty advanced actor," says Adam Meyers, vice president of intelligence at CrowdStrike. "They have very bespoke tools that are meant to target the global telephony infrastructure, and they are very good at what they do."
Meyers says the custom tools that the threat actor is using are designed mainly to collect International Mobile Subscriber Identity (IMSI) data and call metadata information on mobile phone users. The access that the malware tools provide to subscriber data allows the threat actor to collect text messages, call information, and other data that would allow an intelligence outfit, for instance, to monitor and track targeted individuals with great accuracy.
Since LightBasin is compromising the telecoms themselves, it does not need to employ mobile spyware tools such as Pegasus, which several governments around the world are believed to be using to conduct surveillance on individuals of interest.
"They don't need to employ malware on mobile devices because they are inside the carrier network," Meyers says. "There's a lot of information they can collect that would help them hunt down dissidents and detractors," who are likely to be of interest to a government such as the Chinese regime, he says.
Some of the available telemetry on LightBasin that CrowdStrike has collected hints at overlaps with China-based groups. However, the data is not strong enough to definitively attribute the malicious activity to a group from that country. "We don't have attribution-level data," Meyers says. "There is some smoke, but we haven't got to the point where we feel comfortable delineating it as the activity of a nation-state."
In-Depth Knowledge of Telecom Networks
CrowdStrike said its analysis of LightBasin's activity shows the threat actor has very good knowledge of telecom architecture and protocols. One indication is the threat actor's ability to emulate what are essentially proprietary protocols to facilitate command-and-control communications. In one recent incident that CrowdStrike analyzed, the threat group gained initial access to a telecom organization's network via external DNS (eDNS) servers, which it used to connect directly with the General Packet Radio Service (GPRS) network of other compromised telecom companies.
Among the multiple tools in LightBasin's malware toolkit is a network scanning and packet capture utility called CordScan that allows the threat actor to fingerprint various brands of mobile devices. Another tool it has been observed using is SIGTRANslator, an executable that allows LightBasin actors to transmit data via SIGTRAN, a set of telecom-specific protocols used to carry public switched telephone network (PSTN) signaling over IP networks.
In addition, the threat group has used open source utilities such as Fast Reverse Proxy, Microsocks Proxy, and ProxyChains for tasks such as accessing eDNS servers, moving between internal systems, and forcing network traffic through a specific chain of proxy systems, CrowdStrike said.
LightBasin's tactic is to install its malware across the Linux and Solaris servers that are commonly present in many telecom networks. The group has focused specifically on systems in the GPRS network such as external DNS systems, service delivery platforms, systems used for SIM/IMEI provisioning, and operations support systems.
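The hunt below is an added illustration of how a defender might turn the description above into checks on Linux/Solaris telecom hosts; it is not CrowdStrike's code and contains none of the report's indicators. It looks for the open source proxy utilities the article names in process listings, for eDNS hosts initiating traffic to anything other than DNS, and for SIGTRAN (M3UA/SUA) connections from hosts that are not known signaling nodes. The host roles, the allowed-port assumptions, and the sample ps and connection lines are all constructed for the example.

```python
"""Hunt for LightBasin-style tradecraft on Linux/Solaris telecom hosts.

Added example, not CrowdStrike's code or its indicators. The host roles,
port expectations and the sample ps/connection lines are constructed
assumptions for illustration.
"""
from dataclasses import dataclass

# Open source proxy utilities named in the article. A matching binary name
# is a hunt lead to triage, not proof of compromise.
PROXY_TOOLS = {"frpc", "frps", "microsocks", "proxychains", "proxychains4"}

# Assumed inventory: which hosts are external DNS (eDNS) servers and which
# are legitimate signaling nodes allowed to speak SIGTRAN.
EDNS_HOSTS = {"edns01", "edns02"}
SIGNALING_HOSTS = {"stp01", "stp02"}

# Assumed: an eDNS server should only initiate traffic to DNS.
EDNS_ALLOWED_DST_PORTS = {53}
# SIGTRAN adaptation-layer ports registered with IANA: M3UA 2905, SUA 14001.
SIGTRAN_PORTS = {2905, 14001}


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str
    evidence: str


def hunt_processes(ps_lines):
    """Flag proxy tooling in 'host pid user cmdline' lines collected from ps."""
    findings = []
    for line in ps_lines:
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        host, _pid, user, cmdline = parts
        # Compare on the basename so a binary dropped in /tmp still matches.
        exe = cmdline.split()[0].rsplit("/", 1)[-1]
        if exe in PROXY_TOOLS:
            findings.append(Finding(host, f"{exe} running as {user}", line))
    return findings


def hunt_connections(conn_lines):
    """Flag suspicious egress in 'host proto src_ip:src_port dst_ip:dst_port' lines.

    Two checks drawn from the article: an eDNS host reaching out on anything
    but DNS, and SIGTRAN traffic from a host that is not a known signaling node.
    """
    findings = []
    for line in conn_lines:
        try:
            host, proto, _src, dst = line.split()
            dst_port = int(dst.rsplit(":", 1)[1])
        except (ValueError, IndexError):
            continue  # malformed record; skip it rather than abort the hunt
        if host in EDNS_HOSTS and dst_port not in EDNS_ALLOWED_DST_PORTS:
            findings.append(Finding(host, f"eDNS host egress to port {dst_port}/{proto}", line))
        if dst_port in SIGTRAN_PORTS and host not in SIGNALING_HOSTS:
            findings.append(Finding(host, f"SIGTRAN port {dst_port} from non-signaling host", line))
    return findings


# Constructed sample data (not real telemetry).
SAMPLE_PS = [
    "edns01 4121 named /usr/sbin/named -u named",
    "edns01 5190 root /tmp/.x/microsocks -p 1080",
    "sdp01 2210 root proxychains4 -q /usr/bin/ssh ops@10.0.2.9",
    "stp01 1001 root /opt/stp/bin/m3ua_sg",
]
SAMPLE_CONN = [
    "edns01 udp 10.0.0.5:40011 10.0.9.9:53",          # normal DNS lookup
    "edns01 sctp 10.0.0.5:49152 203.0.113.7:2905",    # eDNS host talking M3UA outward
    "edns01 tcp 10.0.0.5:40100 10.0.1.9:1080",        # eDNS host reaching a SOCKS port
    "stp01 sctp 10.0.2.3:2905 10.0.2.4:2905",         # legitimate STP-to-STP M3UA
    "garbage line",                                    # malformed record
]


def run_hunt(ps_lines=SAMPLE_PS, conn_lines=SAMPLE_CONN):
    """Return all findings in discovery order."""
    return hunt_processes(ps_lines) + hunt_connections(conn_lines)


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.host}] {f.reason}: {f.evidence}")
```

On the sample data the process check raises two leads (microsocks on an eDNS host, proxychains4 wrapping ssh on a service delivery platform) and the connection check three (two for the eDNS host's M3UA egress, one for its SOCKS connection); the STP-to-STP M3UA session and the malformed record produce nothing. Real deployments would replace the inline inventories with the carrier's CMDB and feed in actual ps output and flow records.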
"We have seen enough of [LightBasin] since 2019 that we felt at this point they have become a problem that is globalized," Meyers says. The reason CrowdStrike issued the alert on the group this week, he adds, is to give targeted organizations actionable information to detect whether the attackers are already present on their network and to protect against them.
