Hacker group infected 13 telecom companies with malware, flags US cybersecurity firm

The sophisticated hacking operation went undetected for the last five years, monitoring traffic and stealing metadata.

United States-based cybersecurity company CrowdStrike said that 13 telecommunications companies across the world were compromised by an adversary it tracks as LightBasin, also publicly known as UNC1945.

“CrowdStrike identified evidence of at least 13 telecommunication companies across the world compromised by LightBasin dating back to at least 2019,” said a blogpost by the cybersecurity company. Although CrowdStrike found Chinese-language artifacts in LightBasin’s tooling during its investigation, the company did not assert a nexus between LightBasin and China. MediaNama has reached out to CrowdStrike for more details, such as the names of the telecommunications companies that were affected.

In brief, the cybersecurity company said LightBasin took advantage of the comparatively weak security controls and monitoring on the Linux and Solaris systems that telecommunications infrastructure commonly runs on. “LightBasin’s focus on Linux and Solaris systems is likely due to the combination of critical telecommunications infrastructure running on those operating systems, in addition to the comparatively lax security measures and monitoring solutions on Linux/Solaris systems that are typically in place on Windows operating systems within an organization,” said CrowdStrike.

The data that was accessed by LightBasin includes subscriber information and call metadata.

This cyber attack is reminiscent of the alleged China-backed attack on India’s critical infrastructure, such as power companies in Telangana and other states. Although it is not yet confirmed whether Chinese state actors are involved in this cyber attack, or whether any major Indian telcos were affected, it must be pointed out that India still does not have a data protection law, and the National Cyber Security Strategy, which has been in the pipeline since 2019, has not been finalised yet.


A look at the malware deployed by LightBasin for this attack

CordScan: This executable is a network scanning and packet capture utility that contains data relating to the application layer of telecommunications systems, which allows for fingerprinting and the retrieval of additional data when dealing with common telecommunication protocols, said CrowdStrike.

SIGTRANslator: This executable provides LightBasin with the ability to transmit data via telecommunication-specific protocols, while monitoring the data being transmitted, the company said. The captured data is sent to a remote C2 host, encrypted with the hard-coded key ‘wuxianpinggu507’.

This Pinyin translates to “unlimited evaluation 507” or “wireless evaluation 507.” “Wireless evaluation” is likely the correct translation, as the malware is targeting telecommunications systems. The identification of a Pinyin artifact indicates the developer of this tool has some knowledge of the Chinese language; however, CrowdStrike Intelligence does not assert a nexus between LightBasin and China — CrowdStrike

Fast Reverse Proxy: This open-source utility is a reverse proxy used by LightBasin to permit general access to the eDNS server via an actor-controlled C2 IP address hosted by the VPS provider Vultr, the company said.

Recommendations to safeguard telcos

CrowdStrike put out several recommendations to safeguard the critical infrastructure of telecommunications such as:

  • Ensure that the firewalls responsible for the GPRS network have rules in place restricting traffic to the protocols that are actually expected across it.
  • Conduct an incident response investigation that includes a review of all partner systems alongside the systems managed by the organisation itself.
  • Conduct a compromise assessment if the organisation wishes to determine whether it has been a victim.
  • Ensure that incident response plans are in place that take into account situations involving partner-managed systems.
  • Telcos need to have comprehensive threat intelligence resources.
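The first recommendation, restricting GPRS-side traffic to expected protocols, is the one a practitioner can act on immediately. The script below is an added example written for this article; it is not CrowdStrike's code, and the flow records, the 10.200.0.0/24 eDNS subnet, and the allow-list of DNS (udp/53), GTP-C (udp/2123) and GTP-U (udp/2152) are constructed assumptions, not details the article gives. It audits flow records crossing the eDNS boundary against that allow-list, so that an interactive session from a partner network or an outbound connection from an eDNS host to an unknown address (the kind of path a reverse proxy such as FRP needs) is flagged, and it renders the same allow-list as a default-drop nftables chain so detection and prevention share one definition.

```python
"""Audit GRX-facing flow records against a protocol allow-list and emit matching nftables rules."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumption for this example: the only traffic a partner's eDNS server should
# exchange with ours over the GPRS roaming exchange is DNS and GTP.
ALLOWED_SERVICES = {
    ("udp", 53): "dns",
    ("udp", 2123): "gtp-c",
    ("udp", 2152): "gtp-u",
}

# Constructed address space: our eDNS hosts sit in 10.200.0.0/24 (hypothetical).
EDNS_NET = ipaddress.ip_network("10.200.0.0/24")


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <proto> <src>:<sport> -> <dst>:<dport>'.
    Records are initiator -> responder, so dport is the service port."""
    ts, proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"bad record: {line!r}")
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, proto.lower(), ipaddress.ip_address(src_ip), int(sport),
                ipaddress.ip_address(dst_ip), int(dport))


def classify(flow: Flow) -> tuple[str, str]:
    """Return ('allow', service), ('alert', detail) or ('ignore', reason).
    Only flows that cross the eDNS subnet boundary are judged."""
    if flow.dst in EDNS_NET and flow.src not in EDNS_NET:
        direction = "inbound"
    elif flow.src in EDNS_NET and flow.dst not in EDNS_NET:
        direction = "outbound"
    else:
        return ("ignore", "not a GRX boundary flow")
    svc = ALLOWED_SERVICES.get((flow.proto, flow.dport))
    if svc:
        return ("allow", svc)
    return ("alert", f"{direction} {flow.proto}/{flow.dport} from {flow.src} to {flow.dst}")


def audit(text: str) -> list[tuple[str, str]]:
    """Run every record through classify() and return (timestamp, detail) for each alert."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict, detail = classify(flow)
        if verdict == "alert":
            alerts.append((flow.ts, detail))
    return alerts


def nft_rules(chain: str = "grx_in") -> list[str]:
    """Render the allow-list as an nftables input chain with a logged default drop."""
    rules = [
        "add table inet filter",
        f"add chain inet filter {chain} {{ type filter hook input priority 0; policy drop; }}",
        f"add rule inet filter {chain} ct state established,related accept",
    ]
    for (proto, port), svc in sorted(ALLOWED_SERVICES.items()):
        rules.append(f'add rule inet filter {chain} {proto} dport {port} counter accept comment "{svc}"')
    rules.append(f'add rule inet filter {chain} counter log prefix "grx-drop " drop')
    return rules


# Constructed sample: two legitimate GTP/DNS flows, one inbound shell from a partner
# address, one outbound connection from an eDNS host to an unknown address on tcp/7000,
# and one internal flow that is out of scope.
SAMPLE_FLOWS = """\
2021-10-19T08:00:01Z udp 172.31.5.10:41000 -> 10.200.0.5:53
2021-10-19T08:00:02Z udp 172.31.5.11:2123 -> 10.200.0.7:2123
2021-10-19T08:00:03Z tcp 172.31.5.12:50122 -> 10.200.0.5:22
2021-10-19T08:00:04Z tcp 10.200.0.5:44000 -> 198.51.100.23:7000
2021-10-19T08:00:05Z udp 10.200.0.5:53 -> 10.200.0.9:53
2021-10-19T08:00:06Z udp 172.31.5.10:2152 -> 10.200.0.7:2152
"""

if __name__ == "__main__":
    for ts, detail in audit(SAMPLE_FLOWS):
        print(f"ALERT {ts} {detail}")
    print("\n".join(nft_rules()))
```

Run against the sample, the audit reports exactly the two flows the allow-list should never admit: the inbound tcp/22 session and the outbound tcp/7000 connection. The `ct state established,related` rule is there so replies to the eDNS host's own DNS queries are not dropped; a production ruleset would also need outbound (hook output) rules to catch the reverse-proxy case at the firewall, not only in the logs.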

Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India
© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ