FireEye Mandiant recently discovered a new malware family used by APT41 (a Chinese APT group) that is designed to monitor and save SMS traffic matching specific phone numbers, IMSI numbers and keywords for subsequent theft.
The malware, named MESSAGETAP, infects SMS servers within telecommunications organizations to support cyber espionage intrusions, and this surveillance does not stop at China's borders. APT41's operations have included state-sponsored cyber espionage missions as well as financially motivated intrusions.
MESSAGETAP was discovered during a 2019 investigation at a telecommunications network provider, within a cluster of Linux servers. Specifically, these Linux servers operated as Short Message Service Center (SMSC) servers.
In mobile networks, SMSCs are responsible for routing Short Message Service (SMS) messages to an intended recipient or storing them until the recipient has come online. With this background, let’s dig more into the malware itself.
- APT41, a highly advanced cyber threat group aligned with Chinese cyber espionage efforts, is stealing text messages from telecoms for specific, high-value individuals.
- FireEye named the tool MESSAGETAP; it is built to search through a telecom's data and extract text messages from a preset list of phone numbers based on a second preset list of keywords.
- Observed victims to date are high-ranking military and government officials traditionally of interest to the Chinese government. Their stolen communications cover a wide range of topics, including military topics, intelligence efforts, political movements at odds with China, and named senior Chinese leaders.
- There are virtually no actions a user can take to protect these messages on their devices or even to become aware of this activity. Based on observed APT41 actions and a detailed study of the tool, all MESSAGETAP activity occurs at the service provider level.
- The use of MESSAGETAP is representative of the evolving nature of Chinese cyber espionage and provides a significant net new capability for Chinese espionage programs.
- MESSAGETAP grants APT41, and by extension China, the ability to obtain highly sensitive data at scale for a wide range of priority targets with little chance of being detected.
- This is reflective of the Chinese targeting shift to “upstream” data sources like telecoms, satellite communications, and service providers.