China-linked LightBasin group accessed calling records from telcos worldwide

China-linked cyberespionage group LightBasin hacked mobile telephone networks around the world and used specialized tools to access calling records.

A China-linked hacking group, tracked as LightBasin (aka UNC1945), hacked mobile telephone networks around the globe and used specialized tools to access calling records and text messages from telecommunications companies.

The cyberespionage group has been active since at least 2016, according to the CrowdStrike researchers it is using a very sophisticated toolset. CrowdStrike researchers reported that at least 13 telecommunication companies were compromised by since 2019.

The campaign was uncovered by CrowdStrike by investigating a series of security incidents in multiple countries, the security firm added that the threat actors show an in-depth knowledge of telecommunications network architectures.

“LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.” reads the report published by Crowdstrike. “Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.”

The hacking group initially compromised one of the telecommunication companies by leveraging external DNS (eDNS) servers which are part of the General Packet Radio Service (GPRS) network.

The eDNS are used in roaming between different mobile operators, threat actors leveraged it to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously deployed implants.

The group was able to target other telecommunications-specific systems in the GPRS network such as Service Delivery Platform (SDP) systems, and SIM/IMEI provisioning, as well as Operations Support Systems (OSS), and Operation and Maintenance Units (OMU).

Crowdstrike collected evidence of the use of password-spraying attempts using extremely weak either third-party-focused passwords (i.e. huawei) for the initial compromise.

Once compromised the eDNS servers, the attackers deployed a custom backdoor, tracked as SLAPSTICK, that allowed them to access the Solaris Pluggable Authentication Module (PAM). The implant was used by LightBasin to steal passwords to access other systems and deploy additional implants.

Later, the hacking group accessed multiple eDNS servers from compromised telecommunications companies and used another implant tracked as PingPong.

“Later, LightBasin returned to access several eDNS servers from one of the compromised telecommunications companies while deploying an ICMP traffic signalling implant tracked by CrowdStrike as PingPong under the filename /usr/bin/pingg, with persistence established through the modified SysVinit script /etc/rc.d/init.d/sshd through the following additional line:

cd /usr/bin && nohup ./pingg >/dev/null 2>&1 &

“This implant waits for a magic ICMP echo request, which, when sent to the system, established a TCP reverse shell to an IP address and port specified within the magic packet. The /bin/bash process spawned by PingPong masquerades under the process name httpd.”

Experts pointed out that eDNS servers are protected from general external internet access by firewalls, for this reason, attackers send commands to the PingPong implant via ICMP request from another compromised GPRS network infrastructure.

Then the backdoor sets a TCP reverse shell to an IP address and port specified in the “magic packet” it has received.

LightBasin also added iptables rules to the eDNS server to establish SSH access from five compromised companies.

Additionally, the actor used a trojanized version of the iptables utility that removed output containing the first two octets from IP addresses belonging to other hacked companies, making it more difficult for admins to find the modified rules.

Researchers noticed that LightBasin uses a novel technique involving the use of SGSN emulation software for C2 connections involving also the TinyShell open-source backdoor.

“TinyShell is an open-source Unix backdoor used by multiple adversaries; however, LightBasin uniquely combined this implant with the publicly available SGSN emulator sgsnemu² through a bash script. This script constantly ran on the system, but only executed certain steps between 2:15 and 2:45 UTC each day.” continues the analysis.

The report also includes info about additional malware and utilities used by the group along with a set of recommendations and Indicators of Compromise (IoCc).

The report also includes additional malware and utilities used by the group along with a set of recommendations.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

[adrotate banner=”5″]

[adrotate banner=”13″]