CrowdStrike Services, CrowdStrike Intelligence and Falcon OverWatch™ have investigated multiple intrusions within the telecommunications sector from a sophisticated actor tracked as the LightBasin activity cluster, also publicly known as UNC1945. Active since at least 2016, LightBasin employs significant operational security (OPSEC) measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, and only interacting with Windows systems as needed. LightBasin’s focus on Linux and Solaris systems is likely due to the combination of critical telecommunications infrastructure running on those operating systems, in addition to the comparatively lax security measures and monitoring solutions on Linux/Solaris systems that are typically in place on Windows operating systems within an organization.
LightBasin managed to initially compromise one of the telecommunication companies in a recent CrowdStrike Services investigation by leveraging external DNS (eDNS) servers — which are part of the General Packet Radio Service (GPRS) network and play a role in roaming between different mobile operators — to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously established implants. CrowdStrike identified evidence of at least 13 telecommunication companies across the world compromised by LightBasin dating back to at least 2019.
LightBasin initially accessed the first eDNS server via SSH from one of the other compromised telecommunications companies, with evidence uncovered indicative of password-spraying attempts using both extremely weak and third-party-focused passwords (e.g.,
huawei), potentially helping to facilitate the initial compromise. Subsequently, LightBasin deployed their SLAPSTICK PAM backdoor on the system to siphon credentials to an obfuscated text file. As part of early lateral movement operations to further their access across the network, LightBasin then pivoted to additional systems to set up more SLAPSTICK backdoors.