
Communications providers around the world are targeted by advanced cyber espionage campaigns

Sophisticated, perhaps state-sponsored, threat actors are targeting telecommunications companies around the world with campaigns that appear to be designed to gather information of interest to signal intelligence organizations.

What makes this group particularly dangerous is its use of custom tools and its in-depth knowledge of telecommunications protocols and architectures, CrowdStrike warned in a report detailing the threat actor’s tactics.

CrowdStrike tracks the group as “LightBasin” and says it has conducted targeted attacks against carriers since 2016, and in some cases earlier. According to the security vendor, the attackers have compromised at least 13 telecom networks worldwide since 2019 and may have compromised more organizations still.

“[LightBasin] is a highly advanced actor,” says Adam Meyers, Vice President of Intelligence at CrowdStrike.

According to Meyers, the attackers’ custom tools are primarily designed to collect International Mobile Subscriber Identity (IMSI) data and call metadata for mobile subscribers. The access these tools give to subscriber data lets the attackers collect text messages, call records, and other data, which in turn lets an intelligence agency monitor and track targeted individuals with great accuracy.

Because LightBasin compromises the carrier network itself, it has no need for mobile spyware such as Pegasus, which several governments around the world are believed to use to surveil individuals of interest.

“Mobile devices are in the carrier network, so you don’t have to use malware,” says Meyers. “There is a lot of information they can collect, and it will help hunt down dissidents and slanderers.”

Some of the telemetry CrowdStrike has collected hints at overlaps with China-based groups. However, the data is not strong enough to explicitly attribute the activity to a group in that country. “There is no attribution level data,” says Meyers. “There is some smoke, but I can’t hesitate to portray it as a nation-state activity.”

Deep knowledge of telecom networks
According to CrowdStrike, analysis of LightBasin’s activity showed that the attackers have a very good understanding of telecom architectures and protocols. One sign of this is the group’s ability to emulate what is essentially a proprietary protocol in order to carry its command-and-control traffic. In one recent incident analyzed by CrowdStrike, the group first gained access to the telecommunications organization’s network through an external DNS (eDNS) server, and then used that eDNS server to connect directly to the General Packet Radio Service (GPRS) networks of other compromised carriers.

Among the tools in LightBasin’s malware toolkit is a network scanning and packet capture utility called “CordScan”, which lets the attackers fingerprint mobile devices from various vendors. Another confirmed tool is an executable named “SIGTRANslator”, which lets the attackers send data over SIGTRAN, a set of telecom-specific protocols used to carry public switched telephone network (PSTN) signaling over IP networks.

In addition, the group uses open source utilities such as Fast Reverse Proxy, Microsocks Proxy, and ProxyChains for tasks such as reaching eDNS servers, moving between internal systems, and forcing network traffic through specific chains of proxy systems, CrowdStrike says.

LightBasin’s tactic is to install malware on the Linux and Solaris servers commonly found in telecom networks. The group focuses in particular on systems within the GPRS network, such as external DNS systems, service delivery platforms, systems used for SIM/IMEI provisioning, and operational support systems.
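The eDNS-to-GPRS pivot described above suggests a simple, monitorable control: an external DNS server should carry DNS and nothing else, so any other flow to or from it, and especially a flow toward a roaming-partner (GRX) range, deserves an alert. The Python below is an added example written for this article; it is not CrowdStrike’s tooling or any carrier’s code. The eDNS host addresses, the GRX range, the flow-record format and the sample records are all constructed placeholders to be replaced with your own inventory and flow telemetry.

```python
"""Flag flows that violate a "DNS-only" policy for external DNS servers.

Added example, not from the original article. All addresses and records
are constructed; adapt EDNS_HOSTS and GRX_RANGES to your own network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed inventory of eDNS servers (placeholder addresses).
EDNS_HOSTS = {"198.51.100.10", "198.51.100.11"}
# Assumed roaming-partner / GRX ranges reachable from the GPRS core (placeholder).
GRX_RANGES = [ip_network("203.0.113.0/24")]
# The only service an eDNS server is expected to speak, in either direction.
DNS_PORTS = {("udp", 53), ("tcp", 53)}


@dataclass
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow record: 'ts proto src:sport -> dst:dport'."""
    ts, proto, src, _arrow, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(ts, proto, s_ip, int(s_port), d_ip, int(d_port))


def in_grx(ip: str) -> bool:
    """True if the address falls inside an assumed GRX / partner range."""
    addr = ip_address(ip)
    return any(addr in net for net in GRX_RANGES)


def classify(flow: Flow):
    """Return a reason string if the flow breaks the eDNS policy, else None."""
    src_edns = flow.src in EDNS_HOSTS
    dst_edns = flow.dst in EDNS_HOSTS
    if not (src_edns or dst_edns):
        return None                       # eDNS not involved; out of scope
    if (flow.proto, flow.dport) in DNS_PORTS:
        return None                       # inbound query or upstream resolution
    if src_edns and in_grx(flow.dst):
        return "edns-to-grx-peer"         # eDNS reaching another carrier's GPRS side
    if src_edns:
        return "edns-non-dns-egress"      # eDNS talking to anything non-DNS
    return "non-dns-ingress-to-edns"      # something non-DNS reaching the eDNS host


def scan(lines):
    """Return (ts, src, dst, dport, reason) for every policy violation."""
    return [
        (f.ts, f.src, f.dst, f.dport, reason)
        for f in map(parse_flow, lines)
        if (reason := classify(f))
    ]


# Constructed flow records: two benign DNS flows, three violations, one unrelated.
SAMPLE = [
    "2021-10-19T10:00:01 udp 192.0.2.50:51234 -> 198.51.100.10:53",
    "2021-10-19T10:00:02 udp 198.51.100.10:41000 -> 192.0.2.1:53",
    "2021-10-19T10:00:03 tcp 198.51.100.10:44321 -> 203.0.113.7:22",
    "2021-10-19T10:00:04 tcp 198.51.100.11:44322 -> 10.20.30.40:3128",
    "2021-10-19T10:00:05 tcp 10.0.0.5:50000 -> 198.51.100.10:22",
    "2021-10-19T10:00:06 tcp 10.0.0.5:50001 -> 10.0.0.9:443",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

In a real deployment the policy would also carry an allow-list for administrative jump hosts and monitoring systems, so that legitimate SSH or SNMP to the eDNS host does not page anyone; the point of the example is that the expected traffic profile of an eDNS server is narrow enough that everything else, including proxy ports and GRX-bound sessions, can be alerted on rather than hunted for.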

“We have seen enough [LightBasin] since 2019 that I felt it was a global issue at this point,” says Meyers. To be present in their network and to protect them.
