A China-aligned espionage group is targeting global telecoms, sweeping up call data dating back years

An advanced network of digital spies with a nexus to Chinese interests has successfully compromised parts of the global telecommunications network, in some cases allowing access to subscriber information, call metadata, text messages and other data, according to research released Tuesday by CrowdStrike.

The hacking group, dubbed “LightBasin” by the firm and known publicly as UNC1945, has targeted the telecommunications sector since at least 2016, investigators found. New research has identified 13 telecommunications companies as having been compromised by the network dating back to least 2019. The specific companies were not identified.

“People leverage their cellphones like they’re magic,” said Adam Meyers, CrowdStrike’s senior vice president of intelligence. “They don’t think about the fact that there’s this whole infrastructure that makes it work … and that infrastructure is not something that you can take for granted.”

The report lays out how this group has developed highly customized tools and a precise working knowledge of global telecommunications network architectures such that it can emulate network protocols to allow scanning and “to retrieve highly specific information from mobile communication infrastructure.” The nature of the data targeted “aligns with information likely to be of significant interest to signals intelligence operations.”

The researchers stopped short of attributing the activity directly to China, but noted that a hardcoded key within one of the tools identified indicates the developer has some knowledge of the Chinese language. The group employs specialized tools, they are very adept at conducting these operations and have displayed “remarkable operational security,” Meyers said.

The research emerges amid escalating competition between the Chinese and U.S. governments in all manner of geopolitics: military power, cyberspace, trade and science. The CIA recently announced that it was reorganizing to focus more on understanding Chinese activities around the world, as the country continues to exert itself technologically and the US government grapples with major questions about what it truly knows about Chinese capabilities, and whether the U.S. efforts are keeping pace.

It would not be unprecedented for Chinese government adjacent hackers to go after these kinds of targets. In August, Cybereason published research outlining attacks on Southeast Asian telecommunication companies that likely represented esiponage, as the attackers were collecting billing and call detail records, among other material. “If this is at larger scale, it would speak to both greater Chinese capacities and to expanded interests, the desire to track and surveil individuals around the world,” said Adam Segal, a cybersecurity and policy expert at the Council on Foreign Relations.

CrowdStrike released the report with information designed to help the telecommunications companies look for specific activity and files both within their corporate networks and within the telecommunications infrastructure itself.

In November 2020 Mandiant published research showing that the same activity group, UNC1945, had successfully targeted managed service providers to target companies within the financial and professional consulting industries.

Meyers said the implications of the ways in which this kind of information can be used to target individuals and organizations is staggering. Pointing to the ongoing exposure of malware sold to authoritarian governments and police agencies around the world by firms like NSO Group, for instance, that allow an adversary into a victim’s phone via targeted text message, Meyers said this is potentially much more troubling.

“They don’t need to deploy the malware onto your phone if they’re owning the network that your phone is riding on,” he said. While some messaging services allow for end-to-end encryption, and would therefore prevent content interception, “where this is happening, and the scale that it’s happening, there’s still quite a bit of text message traffic that occurs.”