GTPDOOR – A novel backdoor tailored for covert access over the roaming exchange (doubleagent.net)
92 points by LinuxBender 10 months ago | hide | past | favorite | 14 comments



For context, this is a tool deployed by a Chinese-based threat actor referred to as LightBasin [1]. I believe them to be an adjacent team to the more well known Mustang Panda [2], but focused specifically on access to telecom infrastructure.

1. https://malpedia.caad.fkie.fraunhofer.de/actor/lightbasin 2. https://malpedia.caad.fkie.fraunhofer.de/actor/mustang_panda


> I believe them to be an adjacent team to the more well known Mustang Panda

This is interesting - the attribution for this actor has remained elusive for quite some time due to their consistent operational security.

Could you elaborate on how you came to this attribution? And to what confidence?


Don't think of a specific named actor as a tight knit group of hackers that own a project start to finish like you'd see in the movies. Really what we are identifying is a specific team within a multi-thousand person organization (or cooperating organizations). Just like any other big organization projects get handed off between teams based on their specializations.

LightBasin is a group that is highly experienced in telecommunications, is able to identify specific hardware from vendors, and probably has the same gear sitting in a lab to test on. They are focused on COMINT collection and exploitation. There has been no evidence of them doing initial access work (establishing a foothold within specific networks), so they are likely being given access and then using their domain knowledge to pivot between different telecom providers on shared networks.

Mustang Panda on the other hand focuses on initial access to organizations and then stealing credentials, intellectual property, and most importantly internal documentation. You can start to see how these two groups would work hand-in-hand.

Based on victimology I believe the two to be within an organizational structure where information passes from one to the other. It is impossible to definitively state one way or the other without having information from within the Chinese government.

If you want further info, my email is in my profile.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operati...


Thanks Mike for sharing your insights.


Makes a lot of sense, Mustang Panda is heavy on document collection on target systems. Almost certainly a PLA intel gathering unit (like a CIA team) as opposed to an MSS team, but then again if their target was dissidents or political interests that disproves my theory.


Are GTP packets exchanged between peering providers? As in, would the C2 server have to be operated by a complicit telco in order to receive the packets? Or do they make it to the public Internet somewhere?

If it's the former, then it seems very un-stealthy. Like, if the GTP packets are making their way back to e.g. China Unicom, it's going to be hard to deny they were in on the operation. Which, maybe they don't care, but it seems like they're risking blacklisting.


Recommend taking a read of CrowdStrike's write up on this [1].

The threat actor maintains a presence on the roaming exchange through compromising "at least 13 telecommunication companies".

> If it's the former, then it seems very un-stealthy

In this article there is one example where the outbound connectivity to the Internet was via a "SGSN emulator in a loop, attempting to connect to a set of nine pairs of International Mobile Subscriber Identity (IMSI) and Mobile Subscriber Integrated Services Digital Network (MSISDN) numbers."

In this example, the transit traffic before egress to the Internet would appear to be legitimate subscriber traffic - user payload encapsulated in a PDP context / GTP tunnel to another telco's GGSN / packet gateway.

> Which, maybe they don't care, but it seems like they're risking blacklisting.

By compromising so many telcos, there are many points of redundancy for persistence on the roaming exchange. This threat actor has remained on telco networks for many years undetected - their techniques are apparently quite effective.

[1] https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-t...


Thanks for the shout out Rob :) Great writeup yourself!


For those wondering, danielwmayer is one of the authors of the CrowdStrike article linked in the parent.


Holy mackerel, I had no idea their operation was so large. That's terrifying; I hope their network has been rolled up following CrowdStrike's article. In any event, it sounds like they don't have any shortage of outbound connectivity options.


I think there being GTP traffic originating from a victim S-GW through the interface to GRX, destined to a P-GW at a complicit/compromised foreign carrier, should be normal. Although there being no corresponding traffic towards the cell towers for the GTP packets would be weird, and the initial port knocking on which the victim carrier S-GW would initiate VPN over would be weird too.

The diagram in the article is succinct but only a small part of complex full 3GPP architecture[1][2]. I kind of suspect it had probably been easy enough to chalk such traffic up to "a buggy implementation they're using over there" for a while.

1: https://yatebts.com/documentation/concepts/lte-concepts/

2: https://github.com/nickel0/3GPP-Overall-Architecture/blob/ma...
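The anomaly the comment above points at (user-plane GTP heading out towards the GRX with no matching session on the cell-site side) can be turned into a simple correlation check. This is example code written for this thread, not code from the article, CrowdStrike or any vendor; it assumes uplink flow records already tagged "ran" or "grx" per link, and keys sessions on the encapsulated subscriber IPv4 address because the TEID differs on each GTP leg.

```python
import socket
import struct
GTP_U_PORT = 2152  # GTP-U user-plane UDP port
G_PDU = 0xFF       # GTP-U message type that carries the subscriber's packet

def parse_gtpv1(udp_payload):
    """GTPv1 header: flags, type, length, TEID (+4 bytes if E/S/PN set)."""
    if len(udp_payload) < 8:
        raise ValueError("GTP header truncated")
    flags, msg_type, length, teid = struct.unpack("!BBHI", udp_payload[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTPv1")
    hdr_len = 12 if flags & 0x07 else 8
    return {"msg_type": msg_type, "teid": teid,
            "inner": udp_payload[hdr_len:8 + length]}

def inner_ipv4_src(inner):
    """Source address of the encapsulated IPv4 packet, or None."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    return socket.inet_ntoa(inner[12:16])

def build_gtpu(teid, inner):  # constructed G-PDU: v1, PT=1, no optional fields
    return struct.pack("!BBHI", 0x30, G_PDU, len(inner), teid) + inner

def build_ipv4(src, dst):  # constructed minimal IPv4 header, no payload
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 17, 0)
    return hdr + socket.inet_aton(src) + socket.inet_aton(dst)

def grx_only_subscribers(records):
    """records: (iface, dport, udp_payload) of uplink packets, iface 'ran' or
    'grx'. TEIDs differ per leg, so sessions are keyed on the encapsulated
    subscriber address; returns addresses seen on the GRX leg only."""
    seen = {}
    for iface, dport, udp in records:
        try:
            hdr = parse_gtpv1(udp) if dport == GTP_U_PORT else None
        except ValueError:
            hdr = None
        if hdr and hdr["msg_type"] == G_PDU:
            src = inner_ipv4_src(hdr["inner"])
            if src:
                seen.setdefault(src, set()).add(iface)
    return sorted(a for a, ifaces in seen.items() if ifaces == {"grx"})

SAMPLE = [  # constructed flow records, not captures from the article
    ("ran", 2152, build_gtpu(0x1001, build_ipv4("10.20.0.5", "198.51.100.9"))),
    ("grx", 2152, build_gtpu(0x8A01, build_ipv4("10.20.0.5", "198.51.100.9"))),
    ("grx", 2152, build_gtpu(0x8A02, build_ipv4("10.20.0.77", "203.0.113.4"))),
]
```

Running `grx_only_subscribers(SAMPLE)` reports only 10.20.0.77, the subscriber address whose tunnel never appears on the cell-site link.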


At first look, I misread the title as GPTDOOR.


I think it would be more interesting to keep quiet about this and monitor what type of information this backdoor is used to access.

The counterintelligence that would give you should be far more valuable.


Pretty amazing. Great write up.

This is really advanced stuff and when it comes to infiltrating telco communications, it’s usually done at the highest levels of state actors to listen in or tap connections of countries and their president’s communications.

Also, the equipment is extremely expensive and getting access to it to craft exploits offline is costly. Exploiting it in the wild has its own risks.



