A China-linked hacking group, tracked as LightBasin (aka UNC1945), hacked mobile telephone networks around the globe and used specialized tools to access calling records and text messages from telecommunications companies.
The cyberespionage group has been active since at least 2016, according to the CrowdStrike researchers it is using a very sophisticated toolset. CrowdStrike researchers reported that at least 13 telecommunication companies were compromised by since 2019.
The campaign was uncovered by CrowdStrike by investigating a series of security incidents in multiple countries, the security firm added that the threat actors show an in-depth knowledge of telecommunications network architectures.
“LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.” reads the report published by Crowdstrike. “Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.”
The hacking group initially compromised one of the telecommunication companies by leveraging external DNS (eDNS) servers which are part of the General Packet Radio Service (GPRS) network.
The eDNS are used in roaming between different mobile operators, threat actors leveraged it to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously deployed implants.
The group was able to target other telecommunications-specific systems in the GPRS network such as Service Delivery Platform (SDP) systems, and SIM/IMEI provisioning, as well as Operations Support Systems (OSS), and Operation and Maintenance Units (OMU).
Crowdstrike collected evidence of the use of password-spraying attempts using extremely weak either third-party-focused passwords (i.e. huawei) for the initial compromise.
