Cybersecurity experts released a report on Tuesday detailing the infiltration of at least 13 global telecommunication companies since 2019 by the threat group LightBasin. LightBasin has been active as far back as 2016 and is known to target telecommunication organizations. The researchers found that the group initially accessed External DNS (eDNS) servers of telecoms that form part of the General Packet Radio Service (GPRS) network over a Secure Shell (SSH) connection originating from the network of another, already compromised, company. This approach then let the group move from one mobile operator to the next with little friction.
In addition, evidence was found of LightBasin brute-forcing its way onto systems by trying the default credentials for the targeted system. Once a host was compromised, the threat actor installed and executed custom malware currently tracked as SLAPSTICK, a backdoor for the Solaris Pluggable Authentication Module (PAM) that grants access to the system to anyone who presents a hardcoded password.
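The two access patterns described above, SSH sessions arriving from a peer operator's network and default-credential guessing, both leave traces in the eDNS server's SSH authentication log. The following is an added example, not code from the report, showing how a monitoring script could flag them. The log lines are constructed samples using documentation address ranges, and the assumption that 10.0.0.0/8 is the operator's only legitimate SSH management network is a placeholder for the real allowlist.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample sshd log lines (not taken from the report).
SAMPLE_LOG = """\
Oct 19 03:14:01 edns01 sshd[2201]: Failed password for admin from 198.51.100.7 port 41022 ssh2
Oct 19 03:14:03 edns01 sshd[2201]: Failed password for admin from 198.51.100.7 port 41023 ssh2
Oct 19 03:14:05 edns01 sshd[2201]: Failed password for admin from 198.51.100.7 port 41024 ssh2
Oct 19 03:14:08 edns01 sshd[2201]: Accepted password for admin from 198.51.100.7 port 41025 ssh2
Oct 19 03:20:44 edns01 sshd[2310]: Accepted publickey for ops from 10.0.5.12 port 50011 ssh2
Oct 19 03:31:02 edns01 sshd[2355]: Accepted password for root from 203.0.113.9 port 39900 ssh2
"""

# Assumption: only the operator's own management network should open SSH
# sessions to an eDNS host; anything else (including a peer's GPRS-side
# network) is worth an alert.
EXPECTED_SOURCES = [ip_network("10.0.0.0/8")]
# Number of consecutive failures from one source before a later success
# is treated as credential guessing that finally hit a default password.
FAILED_THRESHOLD = 3

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+) port"
)


def analyse(log_text):
    """Return a list of alert tuples derived from sshd log text."""
    failures = defaultdict(int)  # source address -> consecutive failed attempts
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, method, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
            continue
        # A success preceded by a run of failures from the same source.
        if failures[src] >= FAILED_THRESHOLD:
            alerts.append(("brute-force-then-success", user, src, failures[src]))
        # A success from a network that should never reach this host.
        if not any(ip_address(src) in net for net in EXPECTED_SOURCES):
            alerts.append(("ssh-from-unexpected-network", user, src, method))
        failures[src] = 0
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Feeding real logs through a script like this only helps if the allowlist reflects the operator's actual management ranges and SSH from peer networks is also blocked at the firewall, not just logged.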
While the report did not assert a connection between LightBasin and China, the experts noted that the techniques and protocols they observed during their research had previously been used by the Chinese government. In this case, the attacks included cryptography relying on Pinyin phonetic renderings of Chinese characters.
Advanced state-sponsored adversaries are likely to continue their targeted attacks on telecommunications companies to gain valuable intelligence. Therefore, a strong security posture is needed to protect essential infrastructure. Proper firewall rules, monitoring, and security tooling should be prioritized to protect large-scale network systems.