The Covert Operator's Playbook: Infiltration of Global Telecom Networks
Summary
A threat actor dubbed “LightBasin” targets the networks of telecommunications companies.
LightBasin has been active since at least 2020, but security researchers have only recently obtained access to the group’s tooling, providing rare insight into its operations.
It leverages a novel backdoor called GTPDoor, which uses roaming protocols to communicate.
The group uses a range of custom and commercially available tools to target organizations.
It abuses common protocols like SSH, ICMP, DNS and GTP to maintain access, execute commands, and establish covert command-and-control channels.
It also has a toolset to exploit known vulnerabilities, including CVE-2016-5195 (commonly referred to as “�etaDerender” or “Fairware”).
LightBasin targets telecoms providers, likely to eavesdrop on customer mobile communications.
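The summary above only states that GTPDoor communicates over GTP roaming protocols; it does not describe the message format the backdoor uses. As an added, defender-side example (not code from the original report or from LightBasin's tooling), the following parses GTPv1-C headers from UDP datagrams and flags two assumed anomalies: GTP-C traffic from a source outside a constructed roaming-partner allowlist, and an Echo Request that carries a body beyond the header (Echo Requests normally carry no mandatory information elements). The allowlist, the sample datagrams and both heuristics are assumptions chosen for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

GTP_C_PORT = 2123   # GTP-C control plane (UDP)
ECHO_REQUEST = 1    # GTPv1-C message type 1

# Constructed allowlist of roaming-partner ranges (assumption, not from the report).
PEERS = [ip_network("10.20.0.0/24")]

def parse_gtpv1(payload):
    """Return (msg_type, declared_length, body_len) for a GTPv1 datagram, else None."""
    if len(payload) < 8:
        return None
    flags, msg_type, length, _teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1:              # top three bits are the GTP version
        return None
    # If any of E/S/PN is set, a 4-byte optional field block follows the header.
    opt = 4 if flags & 0x07 else 0
    body_len = len(payload) - 8 - opt
    return msg_type, length, body_len

def classify(src_ip, dst_port, payload, peers=PEERS):
    """Return a list of findings for one UDP datagram; an empty list means nothing notable."""
    findings = []
    if dst_port != GTP_C_PORT:
        return findings
    hdr = parse_gtpv1(payload)
    if hdr is None:
        return findings
    msg_type, _length, body_len = hdr
    src = ip_address(src_ip)
    if not any(src in net for net in peers):
        findings.append("gtp-c from non-roaming peer")
    if msg_type == ECHO_REQUEST and body_len > 0:
        findings.append("echo request carries unexpected payload")
    return findings

# Constructed sample datagrams: version 1, PT=1, S=1, type 1, TEID 0, seq 1.
BENIGN_ECHO = bytes.fromhex("32 01 0004 00000000 0001 00 00".replace(" ", ""))
# Same header, but the length field and the datagram carry 8 extra body bytes.
PADDED_ECHO = bytes.fromhex("32 01 000c 00000000 0001 00 00".replace(" ", "")) + b"\x41" * 8

if __name__ == "__main__":
    for src, pkt in [("10.20.0.5", BENIGN_ECHO), ("198.51.100.7", BENIGN_ECHO), ("10.20.0.5", PADDED_ECHO)]:
        print(src, classify(src, GTP_C_PORT, pkt) or "ok")
```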