SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Video: 10 Minute IT Jams - An update from CrowdStrike

Fri, 5th Nov 2021

A new cyber threat targeting the global telecommunications industry has been uncovered.

Speaking exclusively to 10 Minute IT Jams, Scott Jarkoff, Director of the Strategic Advisory Group for Asia Pacific and Japan at CrowdStrike, revealed the existence and significance of a persistent state-sponsored threat actor, dubbed Light Basin, that has been targeting telecoms companies worldwide since 2016.

"This is important because just think about telecommunications - it's part of critical infrastructure, the backbone of the so-called information superhighway that we use every day," Jarkoff said. "Especially nowadays, where we're all using our smartphones, we all recognise the importance of telecommunications."

According to CrowdStrike's recent investigations, the Light Basin activity cluster ramped up its efforts significantly in 2019, targeting around 13 telecommunications companies directly. "The adversary responsible for this activity appears to have very extensive knowledge of the telecommunications industry," Jarkoff explained. He added that the group understands the protocols and tools relied upon by telecoms operators and is able to manipulate them both for access and for gathering sensitive information.

At the heart of Light Basin's operations is a four-phase approach. The first phase focuses on initial access, typically via password spraying or secure shell (SSH) connections to external Domain Name System (DNS) servers—often using infrastructure already compromised from other telecoms companies. "Rather than starting with the target and then attacking that target, they're using that target to then attack additional targets," Jarkoff noted.

The second phase is establishing a foothold via a custom tool called 'slapstick', which is implanted on Solaris or Linux servers to harvest legitimate credentials. The third phase, 'fortifying access', deploys another tool known as 'ping pong'. This implant is placed on those same external DNS servers and provides covert reverse shell capabilities, giving the attackers redundant entry points that are hard to detect.

The final phase is data collection. The goal is extensive surveillance of information crossing telecommunications networks. "What we're seeing here is basically foreign intelligence service collection," Jarkoff said. "They can collect the metadata, subscriber information, and potentially use it in other areas."
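As an added defender-side example (not code from the interview or from CrowdStrike), the following Python flags the phase-one pattern described above, a single source cycling through many accounts over SSH on an external DNS host, by counting distinct failed usernames per source in a sliding window over constructed sshd log lines; the hostname, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample sshd syslog lines for an external DNS host "ns1"; the source
# addresses are documentation-range values, not real indicators.
SAMPLE_LOG = """\
Nov  5 02:14:01 ns1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Nov  5 02:14:03 ns1 sshd[1202]: Failed password for root from 203.0.113.7 port 51002 ssh2
Nov  5 02:14:05 ns1 sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Nov  5 02:14:08 ns1 sshd[1204]: Failed password for bind from 203.0.113.7 port 51006 ssh2
Nov  5 02:14:10 ns1 sshd[1205]: Failed password for invalid user named from 203.0.113.7 port 51008 ssh2
Nov  5 02:14:12 ns1 sshd[1206]: Accepted password for bind from 203.0.113.7 port 51010 ssh2
Nov  5 02:20:00 ns1 sshd[1207]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Nov  5 02:21:00 ns1 sshd[1208]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(log_text, year=2021):
    # Return (timestamp, source, user, accepted) tuples for sshd auth lines.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events

def find_sprays(events, window_s=300, min_users=4):
    """Flag a source that fails logins for >= min_users distinct accounts within
    window_s seconds, and list any account it then successfully logged into."""
    by_src = defaultdict(list)
    for ts, src, user, ok in sorted(events):
        by_src[src].append((ts, user, ok))
    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, u) for ts, u, ok in evs if not ok]
        start = 0
        for end in range(len(fails)):  # sliding window over failures
            while (fails[end][0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            if len({u for _, u in fails[start:end + 1]}) >= min_users:
                findings[src] = {"users": sorted({u for _, u in fails}),
                                 "accepted": sorted(u for _, u, ok in evs if ok)}
                break
    return findings
```

A flagged source with a non-empty "accepted" list is the case to act on first: the spray found a working password, so that account's credential should be rotated and its sessions reviewed.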

Light Basin and similar adversaries have highlighted the shifting tactics of modern cyber attackers, many of whom now favour 'malware-free' methods or so-called 'living off the land' techniques instead of deploying traditional viruses and trojans. Attackers, Jarkoff emphasised, "really understand the limits of technology," and have adapted their tools accordingly.

This sophistication was detailed in CrowdStrike's recently released Overwatch Threat Hunting Report for 2021, which outlines broader trends in cyber threats. The report warns organisations against relying solely on technology, as attackers are now too sophisticated and adept at bypassing traditional security measures. "You cannot rely on technology alone… you really need to have humans that sit on top of that technology in order to really be able to understand what kind of activity is taking place," Jarkoff said.

To combat these threats, Jarkoff urges organisations to deploy comprehensive security solutions company-wide, rather than piecemeal. "You can't miss a single endpoint—that single endpoint that doesn't have coverage is the one attackers are going to find," he explained. "That's what's going to ultimately lead to that significant intrusion that could potentially lead to a huge breach."

He also warned against over-confidence in legacy security technology, arguing that it "is just going to keep you in the slow lane when you really need to be in the fast lane." Instead, he recommends constant vigilance, comprehensive threat hunting, and leveraging up-to-date threat intelligence that sheds light on emerging attack techniques worldwide.

Explaining the methods of some of the region's most prolific adversaries, Jarkoff listed several state-linked and criminal groups active in Asia Pacific and Japan (APJ). Prominent examples include 'Kryptonite Panda', 'Lotus Panda', 'Override Panda', and 'Wicked Panda'—all with alleged links to the Chinese government—as well as 'Wizard Spider', an e-crime outfit considered by some to be "arguably the most prolific e-crime adversary in history."

In terms of targeted sectors, Jarkoff said, "Telco, technology, manufacturing, health care, and government are the top five for the first half of the year." He added that, for APJ, the ratio of nation-state to e-crime intrusions now sits at 59 to 41 percent in favour of e-crime, which is up 400 percent since the beginning of 2019.

Discussing CrowdStrike's approach to countering these threats, Jarkoff described how the company's Overwatch product is built on the principle of 'managed threat hunting', combining both human experts and threat intelligence to proactively search for signs of attack. "CrowdStrike basically pioneered this idea," he said, "that you no longer have a malware problem, you have an adversary problem." He stressed the importance of understanding not just what malware is used, but who is behind the attacks and their methods.

He added, "Overwatch really combines the power of human threat hunters that are sifting through over one trillion events in unencrypted attack telemetry data on a daily basis to find those potential hands-on intrusions—and they are finding something on average once every eight minutes."

Despite advances in security technology, the key, Jarkoff argued, remains the combination of human expertise and advanced analytics. "You can't rely solely on technology—you need humans… this is why Overwatch is important and how it helps identify this type of activity that's taking place."

Concluding the interview, Jarkoff encouraged anyone concerned about cybersecurity to seek independent advice, not just from vendors, but also from analyst firms such as IDC, Gartner, and Forrester. "Don't just take our word for it, take independent testing's word for it as well," he said.
