A recent investigation into the world of cybersecurity has unearthed a covert and highly sophisticated espionage campaign targeting telecom operators on a global scale. The findings, outlined in a report by BleepingComputer, shed light on a new threat actor utilizing a previously unknown backdoor, named GTPDOOR.
Security researcher HaxRob made the discovery, revealing the potential ramifications of this stealthy intrusion. GTPDOOR, described as a backdoor with a specific focus on a “very old Red Hat Linux version,” points to a deliberate strategy of targeting outdated systems. This backdoor is meticulously crafted to exploit vulnerabilities in systems such as SGSN, GGSN, and P-GW, integral components adjacent to the GPRS Roaming Exchange (GRX) service.
By compromising these systems, threat actors gain direct access to a telecom’s core network, opening the gateway to the extraction of sensitive and private information. The capabilities of GTPDOOR are alarming, allowing attackers to set new encryption keys for command and control (C2) communications, manipulate local files, execute arbitrary shell commands, and even control communication permissions. This multifaceted approach enables threat actors to navigate undetected within the compromised network, highlighting the depth of their infiltration.
What’s even more concerning is the apparent return of the threat actor known as LightBasin, also recognized as UNC1945. Initially identified by cybersecurity researchers Mandiant in 2016, LightBasin has resurfaced, showcasing its expertise in targeting the global telecommunications sector. Known for its in-depth knowledge of network architecture and protocols, LightBasin has a history of emulating telecommunications systems to extract highly specific information, including subscriber details and call metadata.
According to a report from 2021, CrowdStrike researchers revealed that LightBasin successfully targeted 13 global telecoms in a span of two years. This resurgence underlines the persistent threat posed by this group and emphasizes the importance of vigilance within the telecommunications sector.
As cybersecurity experts evaluate the unfolding situation, recommendations for businesses to defend against such attacks include vigilance for unusual raw socket activities, unexpected process names, and the identification of malware indicators, such as duplicate syslog processes.
The evolving landscape of cyber threats necessitates a proactive and adaptive defense strategy to safeguard critical infrastructure and prevent unauthorized access to sensitive data. In an era where information is a valuable commodity, the vigilance of the cybersecurity community remains crucial to stay one step ahead of sophisticated threat actors.
