'LightBasin' hackers spent 5 years hiding on telco networks

2022-07-01 20:17:35 By: Mr. Bruce Liu

A sophisticated hacking operation has spent the last five years covertly monitoring telecommunications networks around the world. 

According to a new report from CrowdStrike, an advanced persistent threat (APT) group known as "LightBasin" or UNC1945 abused some of the unique protocols that telcos use to communicate with each other in order to disguise its data-stealing activity. In a blog post Tuesday, the threat detection vendor said it detected LightBasin activity in a recent CrowdStrike Services investigation in which the threat actors had compromised a telco's external DNS servers and used them to covertly connect to other compromised telcos through their General Packet Radio Service (GPRS) networks.

With operations dating back to 2016, CrowdStrike believes LightBasin has been able to infiltrate the company networks of at least 13 different telecommunications operators in order to conduct signal intelligence monitoring. CrowdStrike said that while the exact location and backing of the group is not known, the behavior and language patterns point to a Chinese state-sponsored operation.

One thing that sets the LightBasin group apart, CrowdStrike said, is that it appears to be exclusively focused on the technology and protocols used by telco operators.

The hackers largely eschew attacks on Windows machines and instead target servers and appliances that run Linux and Solaris, as those two operating systems are common on the servers and network hardware the industry employs. Mandiant last year observed the threat group, identified as UNC1945, infiltrating Solaris and Linux systems inside telco networks and evading detection through customized virtual machines and SSH tunnels.

Additionally, many of the attack and monitoring tools the group employs appear to be specialized pieces of software purpose-built for LightBasin, rather than off-the-shelf tools designed for more general operations.

"This group is somewhat specialized for this type of activity," Adam Meyers, CrowdStrike's senior vice president of intelligence, told SearchSecurity.

"We do not see a lot of overlap. They use proprietary tools or some publicly available tools, but the operating specialty of this group is within telcos."

Part of that specialty, according to CrowdStrike, is taking advantage of some lesser-known networking protocols in order to hide its operations.

Once their malware is established on a system, the LightBasin hackers prefer to conceal their traffic within GPRS connections via SSH. By emulating the servers that would handle GPRS, the protocol telcos use to connect their networks with those of other companies and carriers in order to exchange data, the attackers are able to conceal their tracks.

This, in turn, allows them to send and receive data between infected systems and command and control servers without ever tipping off the victim's firewall or other security monitoring tools.

Meyers said that while not technically complex, the practice of concealing traffic as a common inter-network protocol was a clever way to help the group operate for extended amounts of time without detection.

"I don't know that it is hard to detect," Meyers explained. "It is just a matter of companies having not really thought to look there for threat actor activity."

Fortunately, administrators can take some basic steps to stop attacks. In particular, CrowdStrike recommended that firewalls handling GPRS traffic be configured to limit access to DNS or GPRS Tunneling Protocol traffic in order to filter out possible malware and remote-controlled payloads.
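As an added illustration of that recommendation (not code from the article or from CrowdStrike), the following script audits constructed flow records from a firewall facing a GPRS roaming exchange against a policy that allows only GTP and DNS, so that SSH or other traffic tunnelled over the GPRS side, as described above, is flagged. The GPRS node and DNS server addresses are hypothetical; the ports are the standard IANA assignments for GTP-C, GTP-U and DNS.

```python
"""Added example: allowlist audit for flows crossing a GRX-facing firewall.
Only GTP (2123/udp, 2152/udp) and DNS (53) should cross; anything else,
including SSH, is reported. Addresses and flows below are constructed."""
from dataclasses import dataclass

# Hypothetical addresses of our own GPRS nodes and external DNS servers.
OUR_GPRS_NODES = {"10.10.1.5", "10.10.1.6"}
OUR_DNS_SERVERS = {"10.10.2.53"}

# (protocol, destination port) pairs the roaming interface is expected to carry.
ALLOWED = {
    ("udp", 2123): "GTP-C",
    ("udp", 2152): "GTP-U",
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def classify(flow):
    """Return (verdict, reason) for one inbound flow on the GRX-facing interface."""
    service = ALLOWED.get((flow.proto, flow.dport))
    if service is None:
        return "alert", f"non-GTP/DNS traffic ({flow.proto}/{flow.dport}) on GRX interface"
    if service.startswith("GTP") and flow.dst not in OUR_GPRS_NODES:
        return "alert", f"{service} to a host that is not a GPRS node: {flow.dst}"
    if service == "DNS" and flow.dst not in OUR_DNS_SERVERS:
        return "alert", f"DNS to a host that is not a designated DNS server: {flow.dst}"
    return "allow", service


def audit(flows):
    """Run every flow through the policy and return the flows that need attention."""
    alerts = []
    for flow in flows:
        verdict, reason = classify(flow)
        if verdict == "alert":
            alerts.append((flow, reason))
    return alerts


SAMPLE_FLOWS = [  # constructed records, not captured traffic
    Flow("192.0.2.10", "10.10.1.5", "udp", 2123),   # peer operator GTP-C: expected
    Flow("192.0.2.10", "10.10.1.6", "udp", 2152),   # GTP-U: expected
    Flow("192.0.2.20", "10.10.2.53", "udp", 53),    # DNS to our DNS server: expected
    Flow("192.0.2.20", "10.10.2.53", "tcp", 22),    # SSH arriving over the GRX side
    Flow("192.0.2.30", "10.10.9.9", "udp", 53),     # DNS aimed at a non-DNS host
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"ALERT {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Running it reports the SSH flow and the misdirected DNS flow; the three GTP and DNS flows to the expected hosts pass.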
