By SecureWorld News Team
Thu | Oct 21, 2021 | 9:20 AM PDT

Smartphone usage has been linked to many terrible things in a study by Harvard: depression, anxiety, poor sleep, and increased odds of dying in a car accident.

And now, here is another con to add to the list: the possibility of foreign spies scouring your text messages for sensitive information.

CrowdStrike recently posted a blog about its investigation into a malicious hacking group known as LightBasin, or UNC1945. Since 2016, this cybercrime organization has been building customized tools to invade the world's telecommunications sector.

According to the blog, at least 13 telecommunications companies have been breached by LightBasin since 2019.

LightBasin hacks critical infrastructure with intention and competence

SecureWorld News reported earlier this month about an incident with Syniverse, a major telecommunications company. Syniverse admitted earlier this month that it had been a victim of the LightBasin hackers. Senator Ron Wyden (D-OR) told Vice's Motherboard that the hack, which gave the bad actors access to billions of texts, was "espionage gold."

The level of skill that went into LightBasin's operations astounded many. 

"I've never seen this degree of purpose-built tools," CrowdStrike Senior Vice President Adam Meyers told Reuters about the LightBasin investigation.

The investigation uncovered that LightBasin focused its efforts on Linux and Solaris systems, avoiding the more robust monitoring typically deployed on Windows.

"... LightBasin employs significant operational security (OPSEC) measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, and only interacting with Windows systems as needed. LightBasin's focus on Linux and Solaris systems is likely due to the combination of critical telecommunications infrastructure running on those operating systems, in addition to the comparatively lax security measures and monitoring solutions on Linux/Solaris systems that are typically in place on Windows operating systems within an organization," reads the blog post. 

The group began by focusing on one of the most salient areas of Cybersecurity Awareness Month: weak passwords.

"LightBasin initially accessed the first eDNS server via SSH from one of the other compromised telecommunications companies, with evidence uncovered indicative of password-spraying attempts using both extremely weak and third-party-focused passwords (e.g., Huawei), potentially helping to facilitate the initial compromise."
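As an added illustration of the password-spraying detail in the quote above (this code is not from the page or from CrowdStrike's report), the following Python detector reads sshd authentication log lines and flags any source address that fails logins against several distinct usernames within a short window, then notes whether a successful login followed from the same source. The sample log lines, hostname, addresses and usernames are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log sample (hostname, IPs and users are made up).
SAMPLE_AUTH_LOG = """\
Oct 20 03:14:01 edns01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Oct 20 03:14:03 edns01 sshd[4123]: Failed password for root from 203.0.113.7 port 50124 ssh2
Oct 20 03:14:05 edns01 sshd[4125]: Failed password for invalid user oracle from 203.0.113.7 port 50126 ssh2
Oct 20 03:14:07 edns01 sshd[4127]: Failed password for invalid user operator from 203.0.113.7 port 50128 ssh2
Oct 20 03:14:09 edns01 sshd[4129]: Failed password for invalid user backup from 203.0.113.7 port 50130 ssh2
Oct 20 03:14:11 edns01 sshd[4131]: Accepted password for svc_backup from 203.0.113.7 port 50132 ssh2
Oct 20 03:20:44 edns01 sshd[4200]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Oct 20 03:20:50 edns01 sshd[4202]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_password_spray(log_text, window=timedelta(minutes=10), min_users=4, year=2021):
    """Return {source_ip: {"users": [...], "success_after_spray": [...]}} for every source
    that failed logins against at least `min_users` distinct usernames inside `window`.
    Syslog lines carry no year, so one is supplied for timestamp parsing."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd noise (disconnects, key negotiation, ...)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["result"], m["user"]))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        for t0, _, _ in evs:
            # Slide a window starting at each event; many distinct failed users is the spray signature.
            in_window = [e for e in evs if t0 <= e[0] <= t0 + window]
            failed_users = sorted({u for _, r, u in in_window if r == "Failed"})
            if len(failed_users) >= min_users:
                successes = sorted({u for _, r, u in in_window if r == "Accepted"})
                findings[ip] = {"users": failed_users, "success_after_spray": successes}
                break
    return findings
```

A source that then logs in successfully deserves the most urgent review, since that is the pattern the quote describes: weak credentials guessed from a peer network that already belonged to the intruder.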

LightBasin also uses a long list of malware and other techniques to carry out their devious deeds. Interested readers can learn more about the methods behind these cyberattacks in the blog's technical details section.

Additionally, the blog goes into detail about what can be done if a company's network is compromised by LightBasin.

"If already the victim of a LightBasin intrusion, simply restricting network traffic will not solve the problem as LightBasin has displayed the ability to utilize common telecommunications protocols such as GTP for command and control. In this event, CrowdStrike recommends an incident response investigation that includes the review of all partner systems alongside all systems managed by the organization itself. Similarly, if an organization wishes to determine whether they’ve fallen victim to LightBasin, any compromise assessment must also include a review of all of the aforementioned systems."

China or not? What we know right now

Supposedly this group is linked to China, but CrowdStrike's blog did not confirm these claims. There is wide speculation in the media that LightBasin could be an Advanced Persistent Threat (APT), or nation-state espionage group, operating on behalf of the Chinese government.

"There is currently not enough available evidence to link the cluster’s activity to a specific country-nexus," the blog reads.

The Chinese embassy in the U.S. has not responded to the claims at the time of publishing, according to Reuters.

What kind of information could the hackers be privy to and what does this mean for the safety of our phones? Leave your comments below.
