LightBasin, also called UNC1945 by Mandiant, is a suspected Chinese cyber espionage group that has been described as an advanced persistent threat and that has been linked to multiple cyberattacks on telecommunications companies. As an advanced persistent threat, they seek to gain unauthorized access to a computer network and remain undetected for an extended period. They have been linked to attacks targeting Linux and Solaris systems.

History

The LightBasin cyber espionage group has operated since 2016. CrowdStrike says that they are based in China, though their exact location is not known. They have targeted 13 telecoms operators.

Targets

CrowdStrike says that the group is unusual in targeting the protocols and technology of telecoms operators. According to CrowdStrike's investigation of one such breach, LightBasin leveraged external Domain Name System (eDNS) servers — which are part of the General Packet Radio Service (GPRS) network and play a role in roaming between different mobile operators — to connect directly to and from other compromised telecommunication companies' GPRS networks via Secure Shell and through previously established implants. Many of their tools are written for them rather than being off the shelf.

After compromising a system, they then installed a backdoor, known as SLAPSTICK, for the Solaris Pluggable Authentication Module. They utilize TinyShell, which is a Python command shell used to control and execute commands through HTTP requests to a web shell, to communicate with the attackers' IP addresses. The scripts are tunneled through an SGSN emulator, which CrowdStrike says is to maintain OPSEC. The Serving GPRS Support Node (SGSN) is a main component of the GPRS network, which handles all packet-switched data within the network, e.g. the mobility management and authentication of the users. Utilizing this form of tunneling makes it less likely to be restricted or inspected by network security solutions.

CrowdStrike recommends that firewalls dealing with GPRS traffic be configured to limit access to DNS or GPRS tunneling protocol traffic.

References

1. Nichols, Shaun (2021-10-20). "'LightBasin' hackers spent 5 years hiding on telco networks". TechTarget. Archived from the original on 2023-11-29. Retrieved 2022-04-08.
2. Ilascu, Ionut (2021-10-19). "LightBasin hacking group breaches 13 global telecoms in two years". Bleeping Computer. Archived from the original on 2023-07-24. Retrieved 2022-04-08.
3. "LightBasin: A Roaming Threat to Telecommunications Companies". CrowdStrike. 2021-10-19. Archived from the original on 2022-04-08. Retrieved 2022-04-09.
4. "Day 27: Tiny SHell (SSH-like backdoor with full-pty terminal)". Medium. 2019-01-26.
5. "SGSN". Telecom ABC. Archived from the original on 2022-05-17. Retrieved 2022-05-11.

External links

Crowdstrike blog entry on LightBasin
Beyond Trust blog entry on LightBasin
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.