An attack group has compromised at least 13 telecommunications companies over the past two years, according to a new report that sheds light on the security challenges prevalent in the telecom sector.
The previously discovered group, called LightBasin (also known as UNC1945), has been targeting the global telecom sector since at least 2016. LightBasin displays in-depth knowledge of telecommunications network architectures and uses custom tools, as seen in a novel persistence mechanism used for its command-and-control (C2) traffic in recent attacks, according to a Tuesday CrowdStrike report. Once they had compromised these organizations, the attackers used scanning and packet-capture tools to steal “highly specific information” from the mobile communication infrastructure, including international mobile subscriber identity (IMSI) numbers, the content of text messages, and call metadata such as who is calling whom, when they are calling, and for how long. Adam Meyers, SVP of Intelligence at CrowdStrike, said that this data is useful for espionage and intelligence services.
The researchers did not specify which telecommunications companies were targeted, nor did they link the group’s activity to a specific country, saying there is currently not enough available evidence. However, Meyers said researchers expect these organizations to continue to be targeted by sophisticated actors, "further underscoring the criticality of securing all aspects of telecommunications infrastructure beyond simply focusing on the corporate network alone."
In one of the compromises that researchers investigated, the attackers leveraged external DNS (eDNS) servers to connect directly to and from other compromised telecommunication companies’ networks via the SSH protocol and through previously established implants. eDNS servers play a role in roaming between different mobile operators and are part of the General Packet Radio Service (GPRS) network, the mobile data standard for 2G and 3G GSM (Global System for Mobile Communications) cellular networks. Researchers said that password-spraying attempts may also have played a role in initial compromises, using both weak and third-party-focused passwords (e.g., huawei).
Attackers primarily targeted telecommunications companies by establishing implants on Linux and Solaris servers (and, less frequently, on Windows servers). Researchers said this focus on Linux and Solaris systems is likely due to the critical telecommunications infrastructure running on these operating systems, as well as the “lax security measures” and weaker monitoring on those systems compared to Windows systems.
The group then deployed a Solaris PAM backdoor (dubbed Slapstick) on the victims’ systems to steal credentials, storing them in an obfuscated text file, and performed lateral movement by pivoting to set up the backdoor on additional systems in the network. Researchers highlighted several other tools utilized by LightBasin, including an executable called SIGTRANslator that allows attackers to transmit data via telecommunication-specific protocols while monitoring the data being transmitted; an open-source utility (MicroSocks Proxy) used to pivot internally onto other networks; and an executable (CordScan) enabling attackers to scan networks and capture packets.
The LightBasin attackers were observed using a novel technique to move the stolen data between networks, which involved the use of SGSN emulation software to support C2 activities. SGSN (which stands for Serving GPRS Support Node) is used as a network access point for GPRS networks. Attackers combined the emulator with TinyShell, an open-source Unix backdoor that has previously been utilized by multiple adversaries, through a bash script. The publicly available SGSN emulation software (sgsnumu2) was used to tunnel TinyShell C2 traffic between the attackers’ server and the infected host, via the GPRS Tunnelling Protocol (GTP), a group of IP-based communications protocols used to carry general packet radio service, said researchers.
Attackers may have relied on this tactic because GTP-encapsulated traffic is potentially subject to fewer restrictions by network security solutions, said researchers. GTP-encapsulated TinyShell C2 traffic may also be less anomalous within a global mobile communications network because it uses a protocol native to the telecommunications infrastructure that is compromised, they said. The script would run for only 30 minutes each day, similar to a scheduled job, and if a successful connection had not been made by the end of the 30-minute window, the script would kill both the SGSN emulator and the TinyShell implant.
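As an added illustration of the GTP-encapsulated C2 described above (this is example code written for this article, not code from the CrowdStrike report), the following Python parses GTPv1-U G-PDUs as an operator might capture them on a roaming interface and flags tunnels whose encapsulated traffic has no subscriber endpoint at all; the subscriber address pool and the sample packets are constructed assumptions.

```python
import ipaddress
import struct
G_PDU = 0xFF  # GTPv1-U message type that carries a user-plane PDU

def parse_gtpu(pkt):
    """Parse a GTPv1-U header; return (teid, inner_pdu) for G-PDUs, else None."""
    if len(pkt) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or msg_type != G_PDU:
        return None                 # not GTPv1, or a signalling message (echo etc.)
    off, end = 8, 8 + length        # length counts every byte after the first 8
    if flags & 0x07:                # S/E/PN flag set: 4 optional bytes are present
        off += 4
        next_ext = pkt[11] if flags & 0x04 else 0
        while next_ext:             # extension header: len/4, content, next type
            ext_len = pkt[off] * 4
            next_ext = pkt[off + ext_len - 1]
            off += ext_len
    return teid, pkt[off:end]

def inner_ipv4(pdu):
    """Return (proto, src, dst) of the encapsulated IPv4 packet, or None."""
    if len(pdu) < 20 or pdu[0] >> 4 != 4:
        return None
    return pdu[9], ipaddress.ip_address(pdu[12:16]), ipaddress.ip_address(pdu[16:20])

# Assumed address plan (constructed): on the roaming interface every G-PDU should
# carry subscriber traffic, so at least one inner endpoint belongs to a PDP pool.
SUBSCRIBER_POOLS = [ipaddress.ip_network("10.64.0.0/10")]

def suspicious_tunnel(pkt):
    """True when a G-PDU encapsulates traffic with no subscriber endpoint at all."""
    parsed = parse_gtpu(pkt)
    inner = inner_ipv4(parsed[1]) if parsed else None
    if not inner:
        return False
    _, src, dst = inner
    return not any(src in net or dst in net for net in SUBSCRIBER_POOLS)

def make_gpdu(teid, src, dst, proto=6, payload=b"\x00" * 4):
    """Build a constructed GTPv1-U G-PDU wrapping a minimal IPv4 header (for samples)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return struct.pack("!BBHI", 0x30, G_PDU, len(ip) + len(payload), teid) + ip + payload

SAMPLES = {  # constructed packets, not real captures
    "subscriber_web": make_gpdu(0x1001, "10.64.5.7", "198.51.100.10"),
    "core_to_core":   make_gpdu(0x2002, "10.1.20.4", "203.0.113.9"),
}
```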
“The script is used as a persistence mechanism; it runs continually, but attempts to establish a tunnel to each of the specified mobile stations, which, in turn, act as tunnels to the TinyShell C2 server,” said Jamie Harries and Dan Mayer, researchers with CrowdStrike.
Researchers said that securing the telecommunications sector comes with various challenges, because these organizations have a partner-heavy nature and focus on high-availability systems, while at the same time building and operating critical infrastructure used to communicate and store large swaths of sensitive information. In March, researchers with McAfee shed light on an espionage campaign that used a spear-phishing website, pretending to be a Huawei career page, to infect telecommunications companies with malware. Earlier in October, researchers unearthed an espionage attack targeting telecommunications companies in the Middle East, U.S., Russia and Europe in an effort to steal sensitive data about critical assets as well as glean information about victims’ infrastructure and technology.
“With the clear evidence of a highly sophisticated adversary abusing these systems and the trust between different organizations, focusing on improving the security of these networks is of the utmost importance,” said Harries and Mayer. “Given the significant intelligence value to any state-sponsored adversary that’s likely contained within telecommunications companies, CrowdStrike expects these organizations to continue to be targeted by sophisticated actors, further underscoring the criticality of securing all aspects of telecommunications infrastructure beyond simply focusing on the corporate network alone.”
One key recommendation for telecommunications companies is to ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP, said researchers. This could help stifle LightBasin’s ability to pivot between multiple telecommunications companies, because the compromised organizations were permitting all traffic between these organizations without identifying the protocols that are actually required.
“Further, as it is a common situation where parts of the network may in fact be managed by a third-party managed service provider as opposed to the telecommunications company itself, an evaluation of security controls in place with the partner should be undertaken to ensure that the systems are sufficiently protected,” said researchers.