LightBasin Operation Compromises 13 Global Telcos in Two Years
Researchers have uncovered a “highly sophisticated” two-year espionage campaign against global telcos that has already compromised 13 organizations.
Dubbed “LightBasin” by CrowdStrike, the group, which Mandiant tracks as UNC1945, was first reported by Mandiant in November last year. At that time, its targets were MSPs and their customers in finance and consulting.
According to CrowdStrike, LightBasin has been active since at least 2016, but the current campaign dates back to 2019.
CrowdStrike said the group used custom tools and “in-depth knowledge” of telecoms networks to compromise its targets.
“Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata,” it claimed.
Operating with a high level of OPSEC, the group established implants on the Linux and Solaris servers popular in the telecoms sector.
At least one provider was compromised via its GPRS-supporting external DNS (eDNS) servers. The group reached the organization over SSH from another, already compromised telco, and used password spraying for the initial compromise.
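Because the initial access described above came as SSH password spraying from a peer organization's address space, the detection a defender wants is one that keys on behaviour (many usernames, one source, short window, then a success) rather than on an address reputation list. The script below is an added illustration written for this article, not code from CrowdStrike or from the report; the sshd log lines are constructed samples, and the window (10 minutes) and threshold (5 distinct usernames) are assumed tuning values, not figures from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (not real data): one source sprays a
# series of usernames and eventually gets in; a second source is ordinary noise.
SAMPLE_LOG = """\
Oct 19 03:12:01 edns01 sshd[4012]: Failed password for root from 198.51.100.7 port 51022 ssh2
Oct 19 03:12:04 edns01 sshd[4013]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Oct 19 03:12:09 edns01 sshd[4014]: Failed password for invalid user oracle from 198.51.100.7 port 51024 ssh2
Oct 19 03:12:15 edns01 sshd[4015]: Failed password for operator from 198.51.100.7 port 51025 ssh2
Oct 19 03:12:20 edns01 sshd[4016]: Failed password for nobody from 198.51.100.7 port 51026 ssh2
Oct 19 03:12:33 edns01 sshd[4017]: Accepted password for backup from 198.51.100.7 port 51030 ssh2
Oct 19 03:40:10 edns01 sshd[4031]: Failed password for alice from 203.0.113.5 port 49912 ssh2
Oct 19 03:40:18 edns01 sshd[4032]: Failed password for alice from 203.0.113.5 port 49913 ssh2
Oct 19 03:40:25 edns01 sshd[4033]: Accepted password for alice from 203.0.113.5 port 49914 ssh2
Oct 19 03:41:00 edns01 sshd[4040]: Connection closed by 203.0.113.5 port 49914 [preauth]
"""

# Matches the standard OpenSSH "Failed/Accepted password" message shape.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2021):
    """Return a dict for an auth event, or None for lines we do not care about.
    Syslog timestamps carry no year, so one is assumed for parsing."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources that fail logins for >= min_users distinct accounts inside
    any sliding window. Returns {source_ip: sorted list of usernames tried}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "Failed":
            by_src[ev["src"]].append((ev["ts"], ev["user"]))
    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start, best = 0, set()
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            alerts[src] = sorted(best)
    return alerts


def successful_after_spray(events, alerts):
    """A spray that is followed by an accepted login from the same source is
    the initial-compromise signal; returns {source_ip: account that succeeded}."""
    hits = {}
    for ev in events:
        if ev["outcome"] == "Accepted" and ev["src"] in alerts:
            hits[ev["src"]] = ev["user"]
    return hits


def analyze(log_text):
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    alerts = detect_spraying(events)
    return events, alerts, successful_after_spray(events, alerts)


if __name__ == "__main__":
    _, alerts, hits = analyze(SAMPLE_LOG)
    for src, users in alerts.items():
        print(f"spray from {src}: tried {users}; succeeded as {hits.get(src)}")
```

Two points follow from the article rather than from the code. First, the spraying source here is a peer telco's address, so a rule that allowlists "trusted" partner ranges would suppress exactly this alert; keep the behavioural check in front of any allowlist. Second, the single accepted login after the spray is the event worth paging on, since that is the moment the initial compromise happened.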
LightBasin then deployed its own Slapstick