A mysterious group of hackers has been quietly breaking into the computer networks of telecommunications companies on a global scale, according to new security research.
Buried deep inside mobile infrastructure across the globe the hackers are able to spy on anyone whose device is connecting to those networks, according to cyber security company Crowdstrike.
But little is known about the hackers other than what the experts have been able to directly observe – that it is highly sophisticated, has been active since 2016, develops its own custom hacking tools, and has extensive knowledge of the sector it is targeting.
The information that the hackers can glean from hacking these networks “aligns with information likely to be significant interest to signals intelligence organisations”, Crowdstrike said, but who the group is working for remains a mystery – though there are several clues.
The hackers don’t need to hack phones as they can spy on users from inside the carriers. File pic: Reuters
Adam Meyers, who leads Crowdstrike’s threat intelligence team, noted the differences between the mysterious group’s hacking and recent stories about NSO Group’s spyware tools.
The private business was accused of assisting despotic regimes to target the phones of politicians, journalists, political dissidents and human rights activists in reports earlier this year.
Mr Meyers explained: “The key take-away here is that these hackers don’t need to hack into your mobile device… the thing here that is so stunning is that they can do it from the carrier.”
“They don’t have to hack your phone, they hack the mobile providers across the globe,” he said.
So little is known about the group that it isn’t being tracked as a distinct entity in itself, but instead as an activity cluster of incidents called LightBasin in which the same kinds of companies have been hacked in the same kinds of ways.
But some clues have emerged, according to Crowdstrike, which found data was being sent to and from a remote server and the compromised networks encrypted with a password that they could read in the code of the hacking tools.
This password was a Chinese phrase – “wuxianpinggu507” – which the company translated as “wireless evaluation 507”, but Crowdstrike cautioned that the use of this phrase only indicated the developer of the tool had some knowledge of the Chinese language, it is not a basis to assert Beijing’s involvement.
The company has assessed that the LightBasin activity does appear to be operating in support of several groups that Crowdstrike has attributed with confidence to being sponsored by the Chinese government, but its standards for making attributions are high and there isn’t enough evidence to support a similar attribution for LightBasin.
Mr Meyers said: “It’s important for us to be responsible in how we talk about things like this. We don’t take this lightly when we say that there’s a global campaign targeting telecoms, and it has very specialised tools meant to take advantage of mobile infrastructure.
“We don’t want to throw things out there unless we have some degree of confidence,” he said.