A mysterious criminal gang is targeting telcos’ Linux and Solaris boxes, because it perceives they aren’t being watched by infosec teams that have focussed their efforts on securing Windows.
Security vendor CrowdStrike claims it’s spotted the group and that it “has been consistently targeting the telecommunications sector at a global scale since at least 2016 … to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.” The gang appears to understand telco operations well enough to surf the carrier-to-carrier links that enable mobile roaming, across borders and between carriers, to spread its payloads.
CrowdStrike principal consultant Jamie Harries and senior security researcher Dan Mayer named the group “LightBasin”, but it also goes by the handle “UNC1945”.
Whatever the group is called, the pair write that it “employs significant operational security (OPSEC) measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, and only interacting with Windows systems as needed.
“LightBasin’s focus on Linux and Solaris systems is likely due to the combination of critical telecommunications infrastructure running on those operating systems, in addition to the comparatively lax security measures and monitoring solutions on Linux/Solaris systems [compared to measures] that are typically in place on Windows operating systems within an organization,” the pair wrote.
That assessment suggests telecoms companies’ security posture is worse for their operational tech than for their other systems. Which is rather scary.
Whatever OS LightBasin attacks, its efforts are cunning and draw on deep expertise.
Harries and Mayer write that they’ve seen the group attack “by leveraging external DNS (eDNS) servers – which are part of the General Packet Radio Service (GPRS) network and play a role in roaming between different mobile operators – to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously established implants.”
CrowdStrike claims to have found 13 telecoms companies the gang has cracked.
The company’s post suggests LightBasin uses some banal tactics like using default passwords, but that the group also knows telco kit well enough to implant the TinyShell backdoor in Serving GPRS Support Node emulator sgsnemu
and use it to hop across mobile networks in search of servers to compromise.
Some LightBasin code includes strings that use Pinyin – the standard for transliterating Chinese into Roman text. However, CrowdStrike doesn’t think that means the gang is linked to China, and indeed offered no hypotheses about a link to any nation-state.
CrowdStrike’s researchers suggest carriers can keep LightBasin in the dark by ensuring that “firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP”. The firm also recommends that *nix implementations in telco-land need “basic security controls and logging in place (e.g., SSH logging forwarded to a SIEM, endpoint detection and response (EDR) for process execution, file integrity monitoring (FIM) for recording file changes of key configuration files)”.
That your carrier may not already have those in place for Linux and Solaris running core network services may be the scariest thing of all about CrowdStrike’s findings. ®