IOTW: Is your company at risk from this mysterious hacker group?

Malicious activity cluster goes undetected for five years before being discovered by Crowdstrike

Sarah Williams
10/22/2021

Crowdstrike discovers malicious activity cluster

Movement that is barely detected. Activity so stealthy that it’s gone undiscovered for the past five years. Hacking that leaves such a small footprint, it cannot even be attributed to one group – instead, it’s only noticeable when certain activities occur.

These might sound like the fever dreams of a would-be hacker still living in their parents’ basement, but the reality is that the above statements are accurate descriptions of what is being referred to as an “activity cluster” named LightBasin. First discovered this year by endpoint cybersecurity firm Crowdstrike, the activity was revealed on the US firm’s blog earlier this week.

And here’s the kicker: the activity is only happening to telecoms firms – 13 of them since 2019, to be exact.


The facts

Having investigated several incursions into the telecoms sector over the past few years, Crowdstrike Services, along with Crowdstrike Intelligence and its human threat detection group, Falcon OverWatch, recently found that the activity cluster has been targeting companies mainly through the use of Linux and Solaris systems. The most recent threat to these 13 companies around the world happened via external DNS servers.

According to the report: “LightBasin managed to initially compromise one of the telecommunication companies in a recent Crowdstrike Services investigation by leveraging external DNS (eDNS) servers — which are part of the General Packet Radio Service (GPRS) network and play a role in roaming between different mobile operators — to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously established implants.

“LightBasin initially accessed the first eDNS server via SSH from one of the other compromised telecommunications companies, with evidence uncovered indicative of password-spraying attempts using both extremely weak and third-party-focused passwords (e.g., huawei), potentially helping to facilitate the initial compromise.”

With these implants sitting undetected, sometimes for years, the activity cluster could then bypass the eDNS server’s firewall by creating a reverse shell, making its traffic appear to come from a server owned by a different compromised telecommunications company in another part of the world. Using one compromise to facilitate another is a smart approach, but it is also highly indicative of the cluster’s desire to remain undetected for as long as possible.

A potential suspect

There was, according to Crowdstrike, additional malware and utilities installed across the 13 companies, most of which indicate “robust research and development capabilities to target vendor-specific infrastructure commonly seen in telecommunications environments. This range of capability would also be consistent with a signals intelligence organization with a need to respond to collection requirements against a diverse set of target environments.”

What this may indicate (though Crowdstrike has not drawn this conclusion) is a government-level actor, or one supported by a government. And while several other news outlets have reported that the activity is possibly being led by China, Crowdstrike (whose original investigation is all the information we have on this at present) has cautioned that there is simply not enough information to assume this.

“The identification of a Pinyin artifact indicates the developer of this tool has some knowledge of the Chinese language,” explains the report. “However, Crowdstrike Intelligence does not assert a nexus between LightBasin and China. There is currently not enough available evidence to link the cluster’s activity to a specific country-nexus.”

Lessons learned

Telecoms companies are often targeted by threat actors, mainly because of the huge amount of data available to any attacker, as well as their high value to state-level or state-sponsored actors. And while these companies need their servers to communicate with one another because of roaming agreements (particularly in large connected network geographies such as US states or the EU), LightBasin was able to exploit the lax identification of protocols in traffic between companies to find an easy way in. Furthermore, the external companies that telecoms firms engage to manage parts of the network must be rigorously quality checked to make sure their systems are fully protected.

Actions you can take

If your company has not yet been one of those targeted by this activity cluster, there’s good news: a simple monitoring or security tool in place on your core systems will help close this exposure. Unix-based operating systems are most often LightBasin’s targets, so get your logging controls and endpoint protection in place. Lastly, conduct a review with your supply chain and make sure that you have an incident response plan fully detailed and ready to implement.
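To make the “logging controls” recommendation concrete, here is an added example (not part of this article or of Crowdstrike’s report) of the kind of check a defender could run over the SSH authentication log of an externally reachable host such as an eDNS server. It flags the two signals the report describes: password spraying (one source trying many usernames with failed logins in a short window, including vendor-style names such as huawei) and a successful SSH login from a source that is not one of the expected roaming-partner networks. The log lines, hostnames, IP addresses and the peer allowlist are all constructed for illustration; the log format is OpenSSH’s standard sshd syslog output.

```python
"""Detect SSH password-spraying and unexpected successful logins from
OpenSSH sshd log lines on an externally reachable host (e.g. an eDNS server).

Added example, not code from the article or from Crowdstrike. The sample log
and the peer allowlist below are constructed for illustration only.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd syslog lines (standard OpenSSH format, no year).
SAMPLE_LOG = """\
Oct 20 02:14:01 edns01 sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 20 02:14:03 edns01 sshd[4023]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Oct 20 02:14:05 edns01 sshd[4025]: Failed password for invalid user huawei from 203.0.113.7 port 51026 ssh2
Oct 20 02:14:07 edns01 sshd[4027]: Failed password for operator from 203.0.113.7 port 51028 ssh2
Oct 20 02:14:09 edns01 sshd[4029]: Failed password for support from 203.0.113.7 port 51030 ssh2
Oct 20 02:14:11 edns01 sshd[4031]: Accepted password for support from 203.0.113.7 port 51032 ssh2
Oct 20 03:05:40 edns01 sshd[4120]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Oct 20 03:05:44 edns01 sshd[4122]: Accepted publickey for alice from 198.51.100.20 port 40010 ssh2
"""

# Constructed allowlist: the roaming-partner networks expected to reach this host.
EXPECTED_PEERS = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(log_text, year=2021):
    """Turn sshd auth lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "method": m["method"], "user": m["user"], "src": m["src"]})
    return events


def detect_spray(events, min_users=3, window_seconds=60):
    """Return {src: n} for sources whose failed logins tried at least
    min_users distinct usernames inside any window_seconds-long window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]].append(e)
    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):          # sliding window over failures
            users = set()
            for e in evs[i:]:
                if (e["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                users.add(e["user"])
            best = max(best, len(users))
        if best >= min_users:
            flagged[src] = best
    return flagged


def unexpected_logins(events, peers=EXPECTED_PEERS):
    """Successful logins whose source address is outside every expected peer network."""
    hits = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        src = ipaddress.ip_address(e["src"])
        if not any(src in net for net in peers):
            hits.append((e["user"], e["src"]))
    return hits


def spray_followed_by_success(events, **kwargs):
    """Highest-confidence alert: a source that sprayed and then got an accepted login."""
    sprays = detect_spray(events, **kwargs)
    return [(e["src"], e["user"]) for e in events
            if e["result"] == "Accepted" and e["src"] in sprays]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("spraying sources:", detect_spray(evs))
    print("logins from outside peer allowlist:", unexpected_logins(evs))
    print("spray followed by success:", spray_followed_by_success(evs))
```

In production the same logic would be fed from the hosts’ forwarded auth logs rather than an inline string, and the peer allowlist would come from the roaming-agreement inventory; the thresholds (three usernames in sixty seconds) are starting points to tune against the host’s normal traffic.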