Posted on October 22, 2021 at 8:22 AM
Research has revealed the existence of a hacking group that is targeting telecommunications companies globally, seeking to steal data from them in what has now been termed an intelligence-gathering and cyber-espionage campaign.
According to CrowdStrike, these hackers have been operating since 2016. The cybersecurity firm has attributed these stealthy attacks to the LightBasin threat actor group, also known as UNC1945.
Hacking Group Targets Mobile Communications
The report further shows that this group has compromised the systems of more than 13 telecommunications companies over the past two years. Most of these intrusions target mobile communications firms in order to steal information, including subscriber data and call details.
In several instances, the hackers were also found to be stealing information from smartphone devices, including what the user sends and receives.
Commenting on this hack, the SVP of Intelligence at CrowdStrike, Adam Meyers, stated, “The nature of the data targeted by the LightBasin aligns with the information likely to be of significant interest to signals intelligence organizations. Their key motives are likely a combination of surveillance, intelligence and counterintelligence collection.”
Meyers also noted how much information threat actors can gain when they target telecommunications companies, especially if those threat actors are state-sponsored.
The state of origin of these threat actors has not been identified. Some researchers have noted that the tools used to compromise these systems contain traces of the Chinese language. However, this does not necessarily show that the threat actors are affiliated with China or any other country where Chinese is spoken.
In a blog post, CrowdStrike stated, “Securing a telecommunications organization is by no means a simple task, especially with the partner-heavy nature of such networks and the focus on high-availability systems; however, with the clear evidence of a highly sophisticated adversary abusing these systems and the trust between different organizations, focusing on improving the security of these networks is of the utmost importance.”
Hackers Targeting Linux Systems
These hackers take precautions to remain undetected. The research shows that they rarely compromise Windows systems unless it is a necessity, preferring instead to operate on Linux and Solaris servers. These servers are more prone to security vulnerabilities than Windows.
The hackers gain initial access to these servers through an external DNS (eDNS) server that links multiple phone operators. The research further shows that the threat actors chained their attacks:
they used a previously compromised system to gain access to the next one. Most believe that the original victims of these attacks were most likely accounts whose passwords had been compromised through brute-force attacks.
After the hackers gain access to the network, they deploy the TinyShell backdoor to compromise the systems. They pair this backdoor with emulation software that lets them access the traffic emanating from the telecommunications server. The hackers also use a broad range of other tools, such as CordScan, to retrieve data from the telecommunications servers.
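The article attributes the earliest footholds to brute-forced passwords on Linux and Solaris servers. The following is an added example, not code from the article or from CrowdStrike, of the kind of detection logic a defender would run over SSH authentication logs to catch that pattern: a run of failed password logins from one source, and, more importantly, a password login that succeeds right after such a run. The log lines, hostnames and addresses are constructed for the example; the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not from the report); 203.0.113.7 guesses
# several accounts and then gets in with a password, 198.51.100.9 is benign.
SAMPLE_LOG = """\
Oct 22 08:01:01 ednsgw sshd[4120]: Failed password for root from 203.0.113.7 port 51122 ssh2
Oct 22 08:01:03 ednsgw sshd[4121]: Failed password for root from 203.0.113.7 port 51123 ssh2
Oct 22 08:01:05 ednsgw sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Oct 22 08:01:07 ednsgw sshd[4123]: Failed password for oracle from 203.0.113.7 port 51125 ssh2
Oct 22 08:01:09 ednsgw sshd[4124]: Failed password for root from 203.0.113.7 port 51126 ssh2
Oct 22 08:01:11 ednsgw sshd[4125]: Failed password for root from 203.0.113.7 port 51127 ssh2
Oct 22 08:01:14 ednsgw sshd[4126]: Accepted password for root from 203.0.113.7 port 51128 ssh2
Oct 22 08:05:00 ednsgw sshd[4200]: Failed password for ops from 198.51.100.9 port 40001 ssh2
Oct 22 08:05:30 ednsgw sshd[4201]: Accepted publickey for ops from 198.51.100.9 port 40002 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <src>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>password|publickey)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)"
)


def parse_events(log_text):
    """Turn raw syslog lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; only deltas within one log are used here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=300):
    """Flag sources with >= threshold failures inside a sliding window (medium),
    and a password login that succeeds while such a run is active (high)."""
    findings = []
    recent_failures = defaultdict(list)   # src -> failure timestamps in window
    users_tried = defaultdict(set)        # src -> account names guessed
    alerted = set()                       # sources already reported at medium
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, fails = ev["src"], recent_failures[ev["src"]]
        # Evict failures that have fallen outside the window.
        while fails and (ev["ts"] - fails[0]).total_seconds() > window_seconds:
            fails.pop(0)
        if ev["result"] == "Failed":
            fails.append(ev["ts"])
            users_tried[src].add(ev["user"])
            if len(fails) >= threshold and src not in alerted:
                alerted.add(src)
                findings.append({"severity": "medium", "src": src,
                                 "failures": len(fails),
                                 "users": sorted(users_tried[src]),
                                 "detail": "password guessing"})
        else:
            # A key-based login is not what a password guesser gets; only a
            # successful *password* login after a failed run is escalated.
            if len(fails) >= threshold and ev["method"] == "password":
                findings.append({"severity": "high", "src": src,
                                 "failures": len(fails), "user": ev["user"],
                                 "detail": "password login succeeded after failed run"})
            fails.clear()
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(f)
```

The high-severity finding is the one worth paging on: it is the moment a guessed password turns into the first compromised host of the chain the article describes. In production the same logic would read from the live journal or a SIEM rather than an inline string.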
The researchers also noted that the hacking group possesses “robust research and development capabilities to target vendor-specific infrastructure commonly seen in telecommunications environments.” Moreover, the researchers added that the threat actors' mode of operation resembled intelligence gathering, indicating that this was most likely an espionage campaign.
The hackers took several precautions to avoid detection. However, they failed to hide some crucial details when using the SteelCorgi APT tool. Moreover, the same techniques were found on the servers of several telecommunications companies, suggesting that this group is systematically attacking firms in the communications sector to steal substantial amounts of information.
The researchers have also affirmed that this exposé does not mean the attacks will end, because there is still evidence that the group is actively targeting telecommunications providers.
Commenting on this possibility, Meyers stated that, “Given LightBasin’s usage of bespoke tools and in-depth knowledge of telecommunications network architectures, we’ve seen enough to realize the threat LightBasin poses is not localized and could affect organizations outside of the ones we work with. The potential payoff to these threat actors in terms of intelligence gathering and surveillance is just too big for them to walk away from.”
There are several precautions that firms can take to reduce the likelihood of their systems being compromised by these attacks. The first is deploying advanced firewalls that protect the GPRS networks. These firewalls must be configured so that they restrict access to the networks to the parties that are expected to use them.
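One way to express that firewall recommendation, as an added example and not a ruleset from the article or from CrowdStrike: an nftables configuration for a Linux host on the GPRS roaming side of an operator network that allow-lists only partner operator addresses for the GTP ports and for DNS. The interface name, the partner address ranges and the management jump host are constructed placeholders; the GTP port numbers (GTP-C 2123/udp, GTP-U 2152/udp, GTP' 3386/udp) and DNS port are the standard ones. The same allow-list is applied on egress, which is what limits a compromised host from being used as the next link in the chain the article describes.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the article or the CrowdStrike report).
# Assumed interface and addresses; replace with your own.
define roaming_if  = "eth1"                                 # interface facing the roaming exchange
define partner_gtp = { 203.0.113.0/24, 198.51.100.0/24 }    # constructed partner SGSN/GGSN ranges
define partner_dns = { 203.0.113.53, 198.51.100.53 }        # constructed partner eDNS servers
define ops_host    = 192.0.2.10                             # constructed management jump host

flush ruleset

table inet gprs_edge {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Roaming-facing interface gets its own narrow policy.
        iifname $roaming_if jump roaming_in

        # Management interface: SSH only from the jump host; nothing else.
        iifname "eth0" ip saddr $ops_host tcp dport 22 accept

        log prefix "gprs-edge drop: " counter drop
    }

    chain roaming_in {
        # GTP-C, GTP-U and GTP' only from known partner address ranges.
        ip saddr $partner_gtp udp dport { 2123, 2152, 3386 } accept

        # eDNS exchange: DNS only from partner resolvers.
        ip saddr $partner_dns udp dport 53 accept
        ip saddr $partner_dns tcp dport 53 accept

        # No SSH, no management protocols and nothing from unknown sources
        # may enter from the roaming side; everything else is logged and dropped.
        log prefix "gprs-roaming drop: " counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
        oifname $roaming_if jump roaming_out
    }

    chain roaming_out {
        ct state established,related accept

        # Egress towards the roaming exchange is limited to the same partners
        # and protocols, so a compromised host cannot freely reach other operators.
        ip daddr $partner_gtp udp dport { 2123, 2152, 3386 } accept
        ip daddr $partner_dns udp dport 53 accept
        ip daddr $partner_dns tcp dport 53 accept

        log prefix "gprs-roaming egress drop: " counter drop
    }
}
```

Load it with `nft -f` after adjusting the placeholders, and review the logged drops on both chains: unexpected egress attempts from the roaming interface are exactly the signal that a host behind it has been turned into a pivot. Note the limit of the control: the article's point is that LightBasin abuses the trust between operators, so traffic arriving from a compromised partner inside the allow-list still passes; address filtering narrows the exposure but must be paired with GTP-aware inspection and host monitoring rather than relied on alone.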