Threat Intelligence Tarot
Vol. II · 103
Unknown (suspected nation-state, telecom specialist)
★★★★★
risk 5/5
✦ The Signal Thief ✦
LightBasin
UNC1945
Telecommunications exclusively · Mobile network operators · 13+ global carriers simultaneously
Active since ~2016 · Signals intelligence, Mass surveillance
The Signal Thief lives inside the nervous system of global communications, reading the metadata of millions without ever announcing its presence. Its identity remains unattributed because the evidence points everywhere and nowhere at once.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
Notable Operations
- ◆ Simultaneous compromise of 13 global telecom providers (CrowdStrike 2021)
- ◆ GPRS roaming infrastructure targeting for call metadata collection
- ◆ SS7 protocol exploitation for real-time call interception
- ◆ Five-year undetected persistent access within telecom core networks
Defenses
- ▸ SS7 firewall and SIGTRAN monitoring for inter-carrier signaling anomalies (GSMA FS.11)
- ▸ Telecom-specific intrusion detection on GPRS roaming exchange interfaces (NIST CSF: DE.CM)
- ▸ Privileged access management for telecom OSS/BSS administrative systems (CIS Control 6)
- ▸ Anomaly detection on subscriber data query patterns across roaming interfaces (GSMA FS.37)
Reversed: Their Weakness
Its telecom-specific expertise makes it nearly invisible to IT-focused security tools. Deploying telecom-native intrusion detection, monitoring GPRS roaming interfaces, and deploying SS7 firewalls are the few effective countermeasures.
Data sourced from MITRE ATT&CK. For educational purposes.