LightBasin

The LightBasin cyber espionage group has operated since 2016. CrowdStrike says that they are based in China, though their exact location is unknown. They have targeted 13 telecoms operators. ==Targets==

CrowdStrike says that the group is unusual in targeting protocols and technology of telecoms operators. to communicate with the attackers' IP addresses. The scripts are tunneled through an SGSN emulator, which CrowdStrike says is to maintain OPSEC. Serving GPRS Support Node (SGSN) is a main component of the GPRS network, which handles all packet switched data within the network, e.g. the mobility management and authentication of the users. Utilizing this form of tunneling makes it less likely to be restricted or inspected by network security solutions. CrowdStrike recommends that firewalls dealing with GPRS traffic be configured to limit access to DNS or GPRS tunneling protocol traffic. (As of October 2025, CrowdStrike has updated their findings and revealed the intrusions were from Liminal Panda, not LightBasin) ==Associated group==

Mandiant says that the group UNC2891 is associated with LightBasin. Indonesian bank attack UNC2891 attached a Raspberry Pi with a 4G wireless modem to a network switch owned by an Indonesian bank. Group-IB said the attack took place early in 2024. Some money was withdrawn from an ATM by the group, though Group-IB didn't say how much. The group deployed the TinyShell backdoor to connect to command and control servers. The copy of TinyShell on the Raspberry Pi could access the bank mail server which was connected directly to the Internet, giving the group access to the network even when the Raspberry Pi wasn't able to connect to the 4G network. Another backdoor disguised itself as the LightDM display manager. The banks' defenders managed to prevent the group from applying the Caketap rootkit, which they believed would have been used to issue fake commands to allow further withdrawal of money. ==References==