Truth, Inspiration, Hope.

China-Linked Hacking Group, LightBasin, Attacking Telecommunications Networks Globally

Published: October 21, 2021
This photo taken on August 4, 2020 shows Prince, a member of the hacking group Red Hacker Alliance who refused to give his real name, using his computer at their office in Dongguan, China's southern Guangdong province. (Image: NICOLAS ASFOURI/AFP via Getty Images)

On Oct. 19, CrowdStrike, an independent cybersecurity provider, published a blog post detailing the activities of a hacking group named “Lightbasin” — also known as UNC1945 — that has been active since 2016 and is responsible for “multiple intrusions within the telecommunications sector,” globally.  

Lightbasin is a group of hackers, suspected of having ties to China, that have infiltrated cell phone networks worldwide and have “been stealing from the telecommunications network on a global scale since 2016.” The group is believed to have “considerable resources and technology.” 

CrowdStrike’s research discovered “evidence of at least 13 telecommunication companies across the world compromised by LightBasin dating back to at least 2019.”

Adam Meyers, senior vice president of CrowdStrike, said his company gathered the information by responding to incidents in multiple countries and regions, but declined to name which ones. The company released technical details Tuesday so that other companies could check for similar attacks.

LightBasin is said to have access to numerous custom applications that the group uses to attack and monitor telecommunication’s networks worldwide. “I’ve never seen a dedicated tool of this magnitude,” Meyers told Reuters.

Meyers did not accuse the Chinese government of directing the hacker group’s attacks but, he said they were linked to China because the attacks included cryptography that relied on a phonetic version of Hanyu Pinyin and that the group utilized techniques similar to previous attacks by the Chinese government.

For its part, the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) said they had received the contents of CrowdStrike’s report, emphasizing that it would continue to work with U.S. telecom providers to prevent hacking attacks.

Following the publishing of the report a CISA official stated, “This report reflects the ongoing cybersecurity risks facing organizations large and small and the need to take concerted action.” 

The CISA official believes that “common sense steps include implementing multifactor authentication, patching, updating software, deploying threat detection capabilities, and maintaining an incident response plan,” is the best way to counter the threat.