A worker rebuilds a cellular tower with 5G equipment for the Verizon network on Nov. 26, 2019 in Orem, Utah. Researchers at CrowdStrike identified a new hacking cluster, called LightBasin, with a nexus to China that has been targeting telecommunications firms since 2019. (Photo by George Frey/Getty Images)

Researchers at CrowdStrike have formally identified a new cluster of espionage-minded hacking activity, one that is squarely directed at global telecommunications companies, relies on advanced operational security techniques and can access sensitive mobile data without planting malware or infecting devices.

The cluster, called LightBasin, has been operating since at least 2016, but recently CrowdStrike researchers decided they had enough unique information about the activity and tools involved to give them a formal identifier. Very little is known about who is behind the activity or their ties; CrowdStrike would only say the activity has a “nexus” to China but explicitly did not attribute it to the Chinese government.

At least 13 telecommunications firms have been hit by the cluster since 2019, though the company declined to identify any of the victims, citing customer confidentiality. The information sought by the attackers — which includes IMSI identifiers, text messages and call metadata — line up with the kind usually coveted by foreign governments and signals intelligence agencies. Part of the reason CrowdStrike is naming and elevating LightBasin is to help spread the word and the technical detection details to the broader telecommunications industry.

“We got to a point where we’ve seen this group enough and this unique set of tools enough that we wanted to publicly disclose some of this so that other telecoms … can look for this and see what’s going on,” said Adam Meyers, vice president of intelligence at CrowdStrike.

They routinely target Linux- and Solaris-based systems, planting backdoors and hopping between victim networks in search of valuable mobile communications data. Many of the systems targeted by the attackers, like external DNS servers, service delivery platform systems and operation support systems, are part of the General Packet Radio Service (GPRS) which allows packet switching and cellular transfer of data between different telecommunications companies.

“Unlike NSO Group and their Pegasus tool, this doesn’t need to touch the endpoint, it doesn’t need to get onto the mobile device or deploy malware,” said Meyers. “This is something that can collect sensitive information without ever touching your device [because] it’s doing it at the carrier level.”

In one intrusion, the attackers were able to compromise DNS servers that were part of this network, allowing them to hitch a ride and hop between other compromised networks using previously installed backdoors and SecureShell.

The cluster is also defined by some unique and advanced operational security tactics. They use special software to emulate GPRS network access points and combine it with an open-source Unix backdoor called TinyShell to establish persistence and run their command-and-control operations. Their riskiest or noisiest activities were scripted to only occur during a single half-hour block every day, making them appear as a predictable, routine and benign network occurrence.

“It really speaks to the understanding that this threat actor has in how infrastructure works inside telecoms,” said Meyers.

The telecommunications industry, like most critical infrastructure, sees persistent targeting from foreign nations, but control over the global data communications infrastructure makes telecom firms particularly attractive targets for cyber espionage. This is compounded by the industry’s reliance on a constellation of third-party service providers to manage parts of their networks, something that creates gaps or inconsistencies in security or visibility across the enterprise and can be taken advantage of by a capable and determined threat actor.  

The primary recommended mitigation is to tighten firewall rules for GPRS to only permit network traffic for expected protocols. However, this won’t work for telecoms who are already compromised, and in that case CrowdStrike recommends bringing in an incident response team.

Security teams can also ensure that basic logging from protocols like SSH is sent to your endpoint detection or security information event management systems and put incident response plans in place with third-parties that manage parts of their network ecosystem.