Recommend taking a read of CrowdStrike's write up on this [1].
The threat actor maintains a presence on the roaming exchange through compromising "at least 13 telecommunication companies".
> If it's the former, then it seems very un-stealthy
In this article there is one example where the outbound connectivity to the Internet was via an "SGSN emulator in a loop, attempting to connect to a set of nine pairs of International Mobile Subscriber Identity (IMSI) and Mobile Subscriber Integrated Services Digital Network (MSISDN) numbers."
In this example, the transit traffic before egress to the Internet would appear to be legitimate subscriber traffic - user payload encapsulated in a PDP context / GTP tunnel to another telco's GGSN / packet gateway.
> Which, maybe they don't care, but it seems like they're risking blacklisting.
By compromising so many telcos, there are many points of redundancy for persistence on the roaming exchange. This threat actor has remained on telco networks for many years undetected - their techniques are apparently quite effective.
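The "SGSN emulator in a loop" pattern quoted above is something a telco's GTP-C monitoring can look for on its own. As an added example (not from the CrowdStrike write-up or either commenter), this Python decodes the GTPv1-C header and the TBCD-encoded IMSI IE from Create PDP Context Requests and flags a source that keeps requesting contexts for the same small set of IMSIs; the packets, SGSN addresses, IMSIs and thresholds are all constructed.

```python
import struct
from collections import defaultdict

GTPC_CREATE_PDP_REQ = 0x10   # GTPv1-C Create PDP Context Request (UDP/2123)
IE_IMSI = 0x02               # fixed-length TV IE: 8 bytes of TBCD digits
SUSPECT, BENIGN = "192.0.2.10", "192.0.2.20"   # constructed (RFC 5737) SGSN addresses

def tbcd_decode(data: bytes) -> str:  # two digits per byte, low nibble first, 0xF pads odd counts
    digits = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:
                return "".join(digits)
            digits.append(str(nib))
    return "".join(digits)

def tbcd_encode(digits: str) -> bytes:
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1], 16) << 4 | int(digits[i], 16) for i in range(0, len(digits), 2))

def parse_gtpc(pkt: bytes):
    # IEs are ordered by type; IMSI (type 2) is the lowest a request carries, so it comes first
    flags, msg_type = pkt[0], pkt[1]
    if flags >> 5 != 1:
        raise ValueError("not GTPv1")
    off = 12 if flags & 0x07 else 8  # E, S or PN flag set: 4 optional header bytes follow
    if len(pkt) > off and pkt[off] == IE_IMSI:
        return msg_type, tbcd_decode(pkt[off + 1:off + 9])
    return msg_type, None

def build_create_pdp_req(imsi: str, seq: int) -> bytes:  # constructed minimal PDU, S flag set
    payload = struct.pack("!HBB", seq, 0, 0) + bytes([IE_IMSI]) + tbcd_encode(imsi)
    return struct.pack("!BBHI", 0x32, GTPC_CREATE_PDP_REQ, len(payload), 0) + payload

def find_looping_sgsns(records, min_requests=20, max_distinct_imsi=10):
    # flag sources hammering Create PDP Context Requests for a tiny, fixed set of IMSIs
    seen = defaultdict(list)
    for src, raw in records:
        msg_type, imsi = parse_gtpc(raw)
        if msg_type == GTPC_CREATE_PDP_REQ and imsi:
            seen[src].append(imsi)
    return {src: (len(v), len(set(v))) for src, v in seen.items()
            if len(v) >= min_requests and len(set(v)) <= max_distinct_imsi}

def sample_records():  # constructed capture: one SGSN cycles 9 IMSIs five times, one serves 30 subscribers
    loop = [f"00101{n:010d}" for n in range(1, 10)]
    recs = [(SUSPECT, build_create_pdp_req(imsi, r * 9 + i)) for r in range(5) for i, imsi in enumerate(loop)]
    recs += [(BENIGN, build_create_pdp_req(f"00101{1000 + n:010d}", n)) for n in range(30)]
    return recs
```

On the constructed capture `find_looping_sgsns(sample_records())` returns only the looping source with 45 requests over 9 distinct IMSIs; the thresholds would need tuning against a real roaming partner's normal attach rates.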
Holy mackerel, I had no idea their operation was so large. That's terrifying; I hope their network has been rolled up following CrowdStrike's article. In any event, it sounds like they don't have any shortage of outbound connectivity options.
[1] https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-t...