Hacker Group Linked To China Compromising Global Telecom Networks


Warning from security experts CrowdStrike that ‘LightBasin’ hackers are burrowing into telephone networks around the world to grab data

China’s cyber operations are once again in the spotlight, after a US cybersecurity firm warned of worrying activities from a Chinese-linked group.

CrowdStrike in a blog post on Tuesday warned that LightBasin (also known as UNC1945) is an “activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.”

LightBasin has reportedly been burrowing into mobile telephone networks around the world and using specialised tools to grab calling records and text messages from telecommunication carriers.


LightBasin hackers

CrowdStrike has labelled LightBasin a “sophisticated actor” that “employs significant operational security (OPSEC) measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, and only interacting with Windows systems as needed.”

The group’s sophistication and its significant OPSEC measures are, to experienced observers, a clear indication that it is state sponsored or otherwise linked to a nation state.

In this case, CrowdStrike is not directly attributing LightBasin to the Chinese government, but the developer of one of the group’s tools “has some knowledge of the Chinese language.”

CrowdStrike also said the attacks had connections to China, including cryptography that relies on Pinyin phonetic renderings of Chinese characters, as well as techniques echoing previous attacks by the Chinese government.

The nature of the data targeted by LightBasin “aligns with information likely to be of significant interest to signals intelligence organisations.”

Telecom firms have long been targets for nation-state hackers, as call records can often be valuable data, showing which numbers called each other, how often calls were made, and for how long.

Meanwhile CrowdStrike senior VP Adam Meyers told Reuters his company gleaned the information by responding to incidents in multiple countries, which he declined to name.

However CrowdStrike on Tuesday published technical details to let other companies check for similar attacks.

Impressive tools

Meyers said the programs could retrieve specific data unobtrusively. “I’ve never seen this degree of purpose-built tools,” he told Reuters.

The Chinese embassy in Washington did not respond to questions from Reuters.

Asked for comment, the US Cybersecurity and Infrastructure Security Agency said it was aware of the CrowdStrike report and would continue to work closely with US carriers.

“This report reflects the ongoing cybersecurity risks facing organisations large and small and the need to take concerted action,” an official told Reuters via a spokesperson.

“Common sense steps include implementing multifactor authentication, patching, updating software, deploying threat detection capabilities, and maintaining an incident response plan,” the official reportedly said.