LightBasin

LightBasin, also called UNC1945 by Mandiant, is a suspected Chinese cyber espionage group that has been described as an advanced persistent threat that has been linked to multiple cyberattacks on telecommunications companies.^[1]^[2] As an advanced persistent threat, they seek to gain unauthorized access to a computer network and remain undetected for an extended period. They have been linked to attacks targeting Linux and Solaris systems.^[1]^[2]

History

The LightBasin cyber espionage group has operated since 2016.^[1]^[2]^[3] CrowdStrike say that they are based in China, though their exact location isn't known.^[1] They have targeted 13 telecoms operators.^[2]

Targets

CrowdStrike says that the group is unusual in targeting protocols and technology of telecoms operators.^[1] According to CrowdStrike's investigation of one such breach, LightBasin leveraged external Domain Name System (eDNS) servers — which are part of the General Packet Radio Service (GPRS) network and play a role in roaming between different mobile operators — to connect directly to and from other compromised telecommunication companies’ GPRS networks via Secure Shell and through previously established implants. Many of their tools are written for them rather than being off the shelf.^[1]

After compromising a system, they then installed a backdoor, known as SLAPSTICK, for the Solaris Pluggable authentication module.^[2] They utilize TinyShell, which is a command shell used to control and execute commands through HTTP requests to a web shell,^[4] to communicate with attackers' ip addresses. The scripts are tunneled through an SGSN emulator, which CrowdStrike says is to maintain OPSEC. Serving GPRS Support Node (SGSN) is a main component of the GPRS network, which handles all packet switched data within the network, e.g. the mobility management and authentication of the users.^[5] Utilizing this form of tunneling makes it less likely to be restricted or inspected by network security solutions.^[1]

CrowdStrike recommends that firewalls dealing with GPRS traffic be configured to limit access to DNS or GPRS tunneling protocol traffic.^[1]

Associated group

Mandiant says that the group UNC2891 is associated with LightBasin.^[6]

Indonesian bank attack

UNC2891 attached a Raspberry Pi with a 4G wireless modem to a network switch owned by an Indonesian bank.^[6] This granted the group internal access to the banks' network.^[6]^[7] Group-IB said the attack took place early in 2024.^[6]^[7] Some money was withdrawn from an ATM by the group, though Group-IB didn't say how much.^[6]^[7]

The group deployed the TinyShell backdoor to connect to command and control servers.^[6]^[7] The copy of TinyShell on the Raspberry Pi could access the bank mail server which was connected directly to the Internet, giving the group access to the network even when the Raspberry Pi wasn't able to connect to the 4G network.^[6]^[7]

Another backdoor disguised itself as the LightDM display manager.^[6]^[7]

The banks' defenders managed to prevent the group from applying the Caketap rootkit, which they believed would have been used to issue fake commands to allow further withdrawal of money.^[6]^[7]

References

^ ^a ^b ^c ^d ^e ^f ^g ^h Nichols, Shaun (2021-10-20). "'LightBasin' hackers spent 5 years hiding on telco networks". TechTarget. Archived from the original on 2023-11-29. Retrieved 2022-04-08.
^ ^a ^b ^c ^d ^e Ilascu, Ionut (2021-10-19). "LightBasin hacking group breaches 13 global telecoms in two years". Bleeping Computer. Archived from the original on 2023-07-24. Retrieved 2022-04-08.
^ Küfeoğlu, Sinan; Akgün, Abdullah Talip (2024). Cyber Resilience in Critical Infrastructure. Abingdon, Oxon: CRC Press. ISBN 978-1-0009-8368-5. Retrieved 2025-08-09 – via Google Books.
^ "Day 27: Tiny SHell (SSH-like backdoor with full-pty terminal)". Medium. 26 January 2019.
^ "SGSN". Telecom ABC. Archived from the original on 2022-05-17. Retrieved 2022-05-11.
^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ Jones, Connor (2025-08-01). "Cybercrooks attached Raspberry Pi to bank network and drained ATM cash". The Register. Retrieved 2025-08-13.
^ ^a ^b ^c ^d ^e ^f ^g Phuong, Nam Le (2025-07-30). "UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion Evasion". Group-IB.

[techtarget-lightbasin-1] ^ ^a ^b ^c ^d ^e ^f ^g ^h Nichols, Shaun (2021-10-20). "'LightBasin' hackers spent 5 years hiding on telco networks". TechTarget. Archived from the original on 2023-11-29. Retrieved 2022-04-08.

[bleeping-computer-lightbasin-2] Ilascu, Ionut (2021-10-19). "LightBasin hacking group breaches 13 global telecoms in two years". Bleeping Computer. Archived from the original on 2023-07-24. Retrieved 2022-04-08.

[Küfeoğlu2024-3] Küfeoğlu, Sinan; Akgün, Abdullah Talip (2024). Cyber Resilience in Critical Infrastructure. Abingdon, Oxon: CRC Press. ISBN 978-1-0009-8368-5. Retrieved 2025-08-09 – via Google Books.

[4] "Day 27: Tiny SHell (SSH-like backdoor with full-pty terminal)". Medium. 26 January 2019.

[5] "SGSN". Telecom ABC. Archived from the original on 2022-05-17. Retrieved 2022-05-11.

[tr-cybercrooks-attached-raspberry-pi-6] ^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ Jones, Connor (2025-08-01). "Cybercrooks attached Raspberry Pi to bank network and drained ATM cash". The Register. Retrieved 2025-08-13.

[group-ib-bank-heist-7] ^ ^a ^b ^c ^d ^e ^f ^g Phuong, Nam Le (2025-07-30). "UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion Evasion". Group-IB.

[1]

[2]

[3]

[4]

[5]

[6]

[7]