LightBasin

From Wikipedia, the free encyclopedia
Cyber espionage group

LightBasin, also tracked as UNC1945 by Mandiant, is a suspected Chinese cyber espionage group that has been described as an advanced persistent threat (APT) and linked to multiple intrusions into telecommunications companies.[1][2] As an APT, the group seeks to gain unauthorized access to a target's network and to remain undetected there for an extended period. Its known intrusions have targeted Linux and Solaris systems.[1][2]

History

LightBasin has been active since at least 2016.[1][2][3] CrowdStrike assesses that the group is based in China, although its exact location is unknown.[1] It has compromised 13 telecommunications operators.[2]

Targets

CrowdStrike says the group is unusual in its detailed knowledge of the protocols and technology used by telecommunications operators.[1] In one breach CrowdStrike investigated, LightBasin used external DNS (eDNS) servers, which are part of the General Packet Radio Service (GPRS) core network and support roaming between mobile operators, as a pivot point: from them it connected over Secure Shell (SSH) directly to and from the GPRS networks of other compromised operators, as well as through implants it had established earlier. Many of its tools are custom-built rather than off the shelf.[1]

On compromised Solaris hosts the group installed SLAPSTICK, a backdoor for the pluggable authentication module (PAM) that gives the group access through a hard-coded password and records the credentials of legitimate logins.[2] For command and control it uses TinyShell, a small open-source Unix backdoor that provides an SSH-like remote shell and file transfer,[4] to communicate with attacker-controlled IP addresses. That traffic is tunnelled through an SGSN emulator, which CrowdStrike says is done for operational security (OPSEC). The Serving GPRS Support Node (SGSN) is a core component of the GPRS network: it handles all packet-switched data, including subscriber mobility management and authentication.[5] Because the emulated SGSN traffic resembles ordinary GPRS signalling, it is less likely to be restricted or inspected by network security controls.[1]

CrowdStrike recommends that firewalls handling GPRS traffic be configured to permit only the protocols the roaming interface needs, chiefly DNS and the GPRS Tunnelling Protocol (GTP), rather than allowing arbitrary traffic between operators.[1]
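The following script is an added example written for this article; it is not CrowdStrike's tooling, nor code from any source cited here. It models the recommendation above together with the pivot described earlier (SSH to and from eDNS servers across the roaming interface): a "permissive" policy that passes any traffic between a roaming partner and the operator's network is placed beside a "restricted" policy that passes only DNS to or from the operator's eDNS servers and GTP to or from its GPRS support nodes, and a set of flow records is audited to see what the restricted policy would have stopped. The host addresses, partner ranges and flow records are constructed for illustration; the GTP ports are the standard ones (control plane 2123, user plane 2152).

```python
"""Audit flow records from a GPRS roaming (GRX) interface against an allow-list.

Added example: constructed topology and flows, not taken from any incident report.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Well-known ports: GTP control and user plane (3GPP TS 29.060), DNS, SSH.
GTP_C_PORT, GTP_U_PORT, DNS_PORT, SSH_PORT = 2123, 2152, 53, 22


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int   # destination port of the first packet of the flow


# Constructed topology: the operator's external DNS servers and GPRS support
# nodes are the only hosts that legitimately exchange traffic with roaming
# partners; the partner ranges are what is reachable over the roaming exchange.
EDNS_SERVERS = frozenset({"10.10.0.53", "10.10.0.54"})
GSN_NODES = frozenset({"10.10.1.10", "10.10.1.11"})
ROAMING_PARTNERS = (ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24"))


def is_partner(addr):
    a = ip_address(addr)
    return any(a in net for net in ROAMING_PARTNERS)


def crosses_roaming_boundary(flow):
    """True if exactly one endpoint of the flow is a roaming partner."""
    return is_partner(flow.src) != is_partner(flow.dst)


def permissive_allows(flow):
    """Weak setting: any traffic between a partner and the operator passes."""
    return crosses_roaming_boundary(flow)


def restricted_allows(flow):
    """Recommended setting: only DNS to/from eDNS and GTP to/from GSNs pass."""
    if not crosses_roaming_boundary(flow):
        return False
    operator_side = flow.dst if is_partner(flow.src) else flow.src
    if flow.proto == "udp" and flow.dport == DNS_PORT:
        return operator_side in EDNS_SERVERS
    if flow.proto == "udp" and flow.dport in (GTP_C_PORT, GTP_U_PORT):
        return operator_side in GSN_NODES
    return False


def audit(flows):
    """Return (flow, reason) for each flow the weak policy passes but the
    restricted policy would block; SSH involving an eDNS server is called out
    separately because that is the pivot path described in the article."""
    findings = []
    for f in flows:
        if not permissive_allows(f) or restricted_allows(f):
            continue
        touches_edns = f.src in EDNS_SERVERS or f.dst in EDNS_SERVERS
        if f.proto == "tcp" and f.dport == SSH_PORT and touches_edns:
            reason = "SSH between an eDNS server and a roaming partner"
        else:
            reason = f"{f.proto}/{f.dport} is neither DNS-to-eDNS nor GTP-to-GSN"
        findings.append((f, reason))
    return findings


# Constructed flow records in the shape a firewall or NetFlow export would give.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.10.0.53", "udp", DNS_PORT),    # partner resolving via our eDNS
    Flow("10.10.0.53", "192.0.2.53", "udp", DNS_PORT),    # our eDNS querying the partner's eDNS
    Flow("192.0.2.20", "10.10.1.10", "udp", GTP_C_PORT),  # GTP-C to our GSN
    Flow("192.0.2.20", "10.10.1.10", "udp", GTP_U_PORT),  # GTP-U to our GSN
    Flow("192.0.2.77", "10.10.0.53", "tcp", SSH_PORT),    # SSH inbound to our eDNS from a partner
    Flow("10.10.0.54", "198.51.100.9", "tcp", SSH_PORT),  # SSH outbound from our eDNS to a partner
    Flow("192.0.2.20", "10.10.0.53", "udp", GTP_C_PORT),  # GTP aimed at a host that is not a GSN
    Flow("192.0.2.20", "10.10.5.5", "tcp", 443),          # HTTPS to an unrelated internal host
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"BLOCK {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run as a script, the audit lists the four flows the permissive policy would have let through: the two SSH sessions touching an eDNS server, GTP aimed at a non-GSN host, and HTTPS to an unrelated internal host. The point is that the allow-list is keyed on both protocol and endpoint role, so even a permitted protocol is blocked when it is aimed at the wrong class of host.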

As of October 2025, CrowdStrike has updated its findings and now attributes the intrusions described above to a group it tracks as Liminal Panda rather than to LightBasin.

Associated group

Mandiant says that the group UNC2891 is associated with LightBasin.[6]

Indonesian bank attack

UNC2891 attached a Raspberry Pi fitted with a 4G wireless modem to a network switch belonging to an Indonesian bank,[6] giving the group access to the bank's internal network.[6][7] Group-IB said the attack took place in early 2024.[6][7] The group withdrew some money from an ATM, although Group-IB did not say how much.[6][7]

The group deployed the TinyShell backdoor to reach its command-and-control servers.[6][7] The copy of TinyShell on the Raspberry Pi could also reach the bank's mail server, which was directly connected to the Internet, so the group kept its access even when the Raspberry Pi could not connect to the 4G network.[6][7]

Another backdoor was disguised as the LightDM display manager.[6][7]
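The sources say only that a backdoor was disguised as LightDM, not how. The script below is an added example written for this article (not Group-IB's, The Register's or the group's own code) of the check a responder would run against a Linux process table: it assumes the disguise is by process name (comm) or argv[0], and tests the evidence a name cannot fake, namely the executable path behind /proc/<pid>/exe, whether that path sits on a temporary filesystem or has been unlinked, and whether the parent process is init or the packaged daemon. The packaged path /usr/sbin/lightdm is the Debian-family install location and is an assumption for other distributions; the process table is constructed for illustration.

```python
"""Flag processes that present themselves as the LightDM display manager but
do not look like the packaged daemon.

Added example: constructed process table, assumed package path.
"""
from dataclasses import dataclass
import os

DAEMON_NAME = "lightdm"
PACKAGED_EXE = "/usr/sbin/lightdm"   # assumed: where the lightdm package installs the daemon
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED = " (deleted)"               # suffix the kernel appends to /proc/<pid>/exe once the binary is unlinked


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str     # /proc/<pid>/comm, what ps shows as the process name
    exe: str      # readlink of /proc/<pid>/exe
    cmdline: str  # /proc/<pid>/cmdline with NUL separators replaced by spaces


def claims_to_be(proc, name=DAEMON_NAME):
    """True if the process name or argv[0] presents the process as the daemon."""
    argv0 = proc.cmdline.split(" ", 1)[0] if proc.cmdline else ""
    return proc.comm == name or os.path.basename(argv0) == name


def check(proc, by_pid, name=DAEMON_NAME, packaged_exe=PACKAGED_EXE):
    """Return the reasons this process is suspicious; an empty list means it
    either does not claim to be the daemon or looks like the real one."""
    if not claims_to_be(proc, name):
        return []
    reasons = []
    exe = proc.exe
    if exe.endswith(DELETED):
        reasons.append("executable has been unlinked from disk")
        exe = exe[: -len(DELETED)]
    if exe != packaged_exe:
        reasons.append(f"executable is {exe}, not {packaged_exe}")
    if exe.startswith(TEMP_DIRS):
        reasons.append("executable lives on a temporary, world-writable filesystem")
    # The real daemon is started by init; its session children are spawned by
    # the packaged binary itself, so either parent is acceptable.
    parent = by_pid.get(proc.ppid)
    parent_is_daemon = parent is not None and parent.exe == packaged_exe
    if proc.ppid != 1 and not parent_is_daemon:
        reasons.append(f"parent pid {proc.ppid} is neither init nor the packaged daemon")
    return reasons


def scan(procs):
    """Map pid -> reasons for every process that fails the check."""
    by_pid = {p.pid: p for p in procs}
    return {p.pid: r for p in procs if (r := check(p, by_pid))}


# Constructed process table: a genuine lightdm with one session child, an
# unrelated daemon, and two impostors that borrow the name.
SAMPLE_PROCS = [
    Proc(1, 0, "systemd", "/usr/lib/systemd/systemd", "/sbin/init"),
    Proc(812, 1, "lightdm", "/usr/sbin/lightdm", "/usr/sbin/lightdm"),
    Proc(830, 812, "lightdm", "/usr/sbin/lightdm", "lightdm --session-child 12 19"),
    Proc(900, 1, "sshd", "/usr/sbin/sshd", "sshd: /usr/sbin/sshd -D"),
    Proc(4471, 1, "lightdm", "/tmp/lightdm", "/usr/sbin/lightdm"),
    Proc(5102, 4471, "lightdm", "/tmp/lightdm" + DELETED, "lightdm --session-child 11 19"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCS).items():
        print(f"pid {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

On a live host the same fields come from /proc: comm, exe (via readlink) and cmdline for every numeric directory. The check deliberately ignores the name and the command line, since both are attacker-controlled, and trusts only what the kernel reports about the binary and the process tree.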

The bank's defenders prevented the group from deploying the Caketap rootkit, which they believed would have been used to issue fraudulent commands enabling further cash withdrawals.[6][7]

References

  1. Nichols, Shaun (2021-10-20). "'LightBasin' hackers spent 5 years hiding on telco networks". TechTarget. Archived from the original on 2023-11-29. Retrieved 2022-04-08.
  2. Ilascu, Ionut (2021-10-19). "LightBasin hacking group breaches 13 global telecoms in two years". Bleeping Computer. Archived from the original on 2023-07-24. Retrieved 2022-04-08.
  3. Küfeoğlu, Sinan; Akgün, Abdullah Talip (2024). Cyber Resilience in Critical Infrastructure. Abingdon, Oxon: CRC Press. ISBN 978-1-0009-8368-5. Retrieved 2025-08-09 via Google Books.
  4. "Day 27: Tiny SHell (SSH-like backdoor with full-pty terminal)". Medium. 2019-01-26.
  5. "SGSN". Telecom ABC. Archived from the original on 2022-05-17. Retrieved 2022-05-11.
  6. Jones, Connor (2025-08-01). "Cybercrooks attached Raspberry Pi to bank network and drained ATM cash". The Register. Retrieved 2025-08-13.
  7. Phuong, Nam Le (2025-07-30). "UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion". Group-IB.
Retrieved from "https://en.wikipedia.org/w/index.php?title=LightBasin&oldid=1314875498"