Researchers have been tracking a highly sophisticated two-year-long espionage campaign against global telcos that have already compromised at least 13 organizations. Called LightBasin, CrowdStrike researchers have been tracking the group’s activity since it was discovered by Mandiant in November of last year. At the time of its discovery, the group’s targets were MSPs and their customers in finance and consulting. The group has been active since at least 2016, however, the current campaign dates back to 2019.

According to CrowdStrike, the group leverages in-depth knowledge of telecoms networks and custom tools to compromise its targets. The group operates with a high level of OPSEC and established implants on the Linux and Solaris servers frequently used in the telecoms sector. At least one provider was reportedly compromised via its GPRS-supporting external DNS servers. Researchers found that the APT accessed the organization via SSH from another compromise target and deployed password spraying techniques to achieve initial compromise.

Read More: LightBasin Operation Compromises 13 Global Telcos in Two Years