How an undetected hack group tapped telecom data for 5 years straight

According to research by CrowdStrike, the LightBasin hacking group has been trying to directly tap various telecom data from telecom operators worldwide. Attacks took place as early as 2016, continuing to this day.

Targeted data mainly concerns call data, text messages and relevant metadata. The researchers found that, at least since 2019, the hackers managed to hack into the networks of 13 different telecom operators. Which operators were victimized is unknown at the time of writing.

According to CrowdStrike, the hackers may have ties to China, substantiated by the fact that identified hacking methods require knowledge of the Chinese language. Despite this, CrowdStrike explicitly states that it does not suspect the Chinese government to be behind LightBasin.

Thorough knowledge of telecom networks

The researchers note that the highly advanced hacking methods used against telecom networks illustrate a thorough knowledge of both cybersecurity and telecom networks. LightBasin was found to be hiding its activity through operational security (OPSEC) measures. Linux- and Solaris-based servers appear to be the persistent targets; Windows systems were attacked only when necessary.

Attacked Linux and Solaris servers were often essential for infiltrating key parts of telecom infrastructure. Moreover, these types of servers often have less monitoring functionality than their Windows counterparts.

Methods

The research shows that LightBasin got into one of the hacked telecom operators via external DNS (eDNS) servers. These eDNS servers, part of the General Packet Radio Service (GPRS) network, play a vital role in roaming traffic between different mobile operators. LightBasin managed to connect to other compromised GPRS networks through a combination of SSH, ‘TinyShell’ implants and the infiltration of eDNS servers.

Furthermore, publicly available Serving GPRS Support Node (SGSN) emulators proved to be a vital tool. Other malware and utilities used include CordScan, SIGTRANslator, Fast Reverse Proxy, Microsocks Proxy and ProxyChains. Additionally, the hackers deployed custom-developed tools such as STEELCORGI and SLAPSTICK.

Measures

CrowdStrike expects hacking attacks like LightBasin’s to become increasingly common. The researchers advise telecom operators to configure their firewalls to block any traffic the network does not need, rather than allowing most traffic by default, which remains far too common a practice today.
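As an added example (not CrowdStrike’s or the article’s code), the following Python script models the default-deny recommendation above against the SSH-to-eDNS path described under Methods: the partner address ranges, the allowlist of services expected on a roaming interface and the flow records are constructed assumptions.

```python
# Default-deny flow check for a telecom roaming interface. Added example, not
# CrowdStrike's or the article's; address ranges, allowlist and flow records
# are constructed assumptions (eDNS host needs only DNS and GTP from partners).
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

PARTNER_NETS = [ip_network("203.0.113.0/24")]  # constructed partner range
LOCAL_EDNS = ip_network("198.51.100.10/32")    # constructed eDNS host

# Explicit allowlist of (proto, dport) pairs the roaming interface needs.
ALLOWED = {
    ("udp", 53),    # DNS between eDNS servers for roaming lookups
    ("udp", 2123),  # GTP-C signalling
    ("udp", 2152),  # GTP-U user plane
}

def from_partner(flow: Flow) -> bool:
    return any(ip_address(flow.src) in net for net in PARTNER_NETS)

def permitted(flow: Flow, default_allow: bool) -> bool:
    """Weak policy (default_allow=True) passes everything (no block list is
    modelled); the recommended policy passes only the allowlist."""
    if default_allow:
        return True
    return (flow.proto, flow.dport) in ALLOWED

def audit(flows, default_allow: bool):
    """Flows from partner space to the eDNS host that the policy lets
    through although they are not on the allowlist (e.g. SSH on 22)."""
    return [f for f in flows
            if from_partner(f) and ip_address(f.dst) in LOCAL_EDNS
            and permitted(f, default_allow)
            and (f.proto, f.dport) not in ALLOWED]

SAMPLE_FLOWS = [  # constructed flow records
    Flow("203.0.113.5", "198.51.100.10", "udp", 53),
    Flow("203.0.113.5", "198.51.100.10", "udp", 2123),
    Flow("203.0.113.7", "198.51.100.10", "tcp", 22),  # SSH from partner space
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS, default_allow=True):
        print("permit-by-default lets through:", f)
```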
