Voice&Data Talkies #3: Adam Meyers, Senior VP, Intelligence, CrowdStrike

CrowdStrike has been working in network security and cybersecurity since 2011. The company has a collection of cloud-native security products and services that protect sensitive networks such as telecom networks.

Since 2016, LightBasin, also known as UNC1945, has been attacking the telecom sector. Using its knowledge of the telecom networks, the attacks have continued over the world, with varying degrees of damage. Since telecom networks are mission-critical, having a compromised telecom network can lead to catastrophic results.

As such, Voice&Data talked with Adam Meyers, who is the Senior VP, Intelligence at CrowdStrike. Meyers leads the Threat Intelligence business for the company, developing security products for the ever-evolving landscape.

Meyers talks about LightBasin, its impact on telecom, 5G, and what India needs to do, in the third edition of Voice&Data Talkies.

LightBasin has been attacking telcos worldwide for at least the last 5 years. What is LightBasin and how does it affect the telcos?

LightBasin is an activity cluster that has been consistently targeting the telecommunications sector on a global scale since 2016. It leverages custom tools and in-depth knowledge of telecommunications network architectures. LightBasin employs significant operational security (OPSEC) measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, and only interacting with Windows systems as needed.

In a recent investigation by CrowdStrike Services, CrowdStrike Intelligence, and Falcon OverWatch, we found LightBasin managed to initially compromise one of the telecommunication companies by leveraging external DNS (eDNS) servers, which are part of the General Packet Radio Service (GPRS) network that plays a role in roaming between different mobile operators.

LightBasin accessed the first eDNS server via SSH from one of the other compromised telecommunications companies, with evidence uncovered indicative of password-spraying attempts using both extremely weak and third-party-focused passwords. Subsequently, LightBasin deployed their SLAPSTICK PAM backdoor on the system to siphon credentials to an obfuscated text file. As part of the lateral movement operations to further their access across the network, LightBasin then pivoted to additional systems to set up more SLAPSTICK backdoors.

What is the type and scale of the data leaked in a LightBasin attack?

Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools. It then uses the tools to retrieve highly-specific information from mobile communication infrastructures, such as subscriber information and call metadata. The data targeted by the hackers align with information likely to be of significant interest to signal intelligence organizations. Their key objectives are surveillance, intelligence, and counterintelligence collection.

CrowdStrike Intelligence has been following the development of LightBasin and its impact on the telecommunications sector for a while now. Why is this important?

LightBasin has been consistently targeting telecommunications companies around the globe for many years. The potential payoff to these actors in terms of intelligence gathering and surveillance is just too big for them to walk away from.

CrowdStrike Intelligence assesses that LightBasin is a targeted intrusion actor that will continue to target the telecommunications sector. This assessment is made with high confidence and is based on tactics, techniques, and procedures (TTPs), target scope, and objectives exhibited by this activity cluster. The behavior and language used to communicate with servers seem to be that of a Chinese state-sponsored nation.

Have there been incidents of state-sponsored attacks on telecom operators around the world? How frequent are attacks like these?

According to CrowdStrike’s OverWatch Report, 2021, intrusion volumes are continuing to grow by 69% year over year in Asia (including North Asia, South Asia, and India) for the year to 30 June 2021. The most targeted sectors were telecommunications, technology, manufacturing, healthcare, and government. The report highlights an explosion in adversary activity, both in volume and velocity.

Over the past year, CrowdStrike has observed a surge in interactive intrusion activity targeting the telecommunications industry. This activity spans all major geographic regions globally and has been tied to a diverse range of adversaries. Alarmingly, China, North Korea, and Iran were the most active state sponsors of cyber-attacks, representing the majority of targeted intrusions.

Currently, telcos in most parts of the world are operating 2G, 3G, and 4G, with 5G in the works. Is there a particular generation of mobile networks that is most affected by LightBasin?

LightBasin actors have an advanced understanding of the telecommunications industry and protocols/infrastructure that is used there. The targets of LightBasin use a variety of technologies and support connectivity back to 2G in many cases.

As 5G will become the first generation of networks to be deployed over the cloud, how easy, or difficult, does it make for a company like CrowdStrike to try and secure a network like that?

CrowdStrike has several products and services supporting cloud workload protection; customers rely on our Falcon Cloud Workload Protection and Horizon Cloud Security Posture Management products to defend cloud infrastructure. CrowdStrike Cloud Security provides continuous posture management and breach protection for any cloud in the industry’s only adversary-focused platform. Powered by holistic intelligence and end-to-end protection from the host to the cloud, it delivers greater visibility, compliance, and fast threat detection and response to outsmart the adversary.

How should telecom operators in India prepare for LightBasin?

To protect themselves, the telecom operators in India must ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as Domain Name System (DNS) or GPRS Tunneling Protocol (GTP). Also, companies within the telecommunications vertical are extensively targeted by highly advanced state-sponsored adversaries all the time; as such, these organizations need to have access to up-to-date, comprehensive threat intelligence resources to understand the threats.

This intelligence should also provide insights into the TTPs of adversaries that telecommunications companies are likely to encounter, across both the corporate network and critical telecommunications infrastructure, so that these insights can then be used to further augment detection mechanisms and inform on decisions regarding existing security controls.