A state-sponsored tool, most likely used by the Chinese advanced persistent threat group APT41, was discovered inside the Linux servers of an undisclosed telecom company, surveilling incoming and outgoing SMS messages.
FireEye Mandiant recently identified a new malware family called MESSAGETAP, which was already deployed in the telecom company’s infrastructure. The term “advanced persistent threat group” is usually reserved for hacking groups employed or used by state actors.
The researchers said the tool deployed by APT41 supported
Chinese espionage efforts, but the group has financial motives as well. It’s
unclear how long the malware was operating before it was found, but a 2019
investigation revealed it in a cluster of Linux servers.
“Specifically, these Linux servers operated as Short
Message Service Center (SMSC) servers. In mobile networks, SMSCs are
responsible for routing Short Message Service (SMS) messages to an intended
recipient or storing them until the recipient has come online,” said
the researchers. “The malware parses and extracts SMS message data from the
network traffic, which includes the SMS message contents, the IMSI number, and
the source and destination phone numbers.”
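The passage above describes malware that reads SMS traffic off the SMSC host itself, so a natural defensive check on a Linux SMSC is to look for processes holding raw packet-capture sockets. The script below is an added example written for this article; it is not code from the article, from Mandiant, or from MESSAGETAP. It relies on two documented Linux interfaces: `/proc/net/packet`, which lists every AF_PACKET socket with its inode in the last column, and the `socket:[inode]` link targets under `/proc/<pid>/fd`. The allow-list `EXPECTED_CAPTURE_PROCS` and all sample data are assumptions constructed for the demonstration.

```python
"""
Hunt for processes holding AF_PACKET (raw capture) sockets on a Linux host.

Added example for this article; not Mandiant's tooling and not MESSAGETAP code.
Idea: anything that "parses and extracts SMS message data from the network
traffic" on an SMSC host must read frames off the wire, and on Linux that is
commonly an AF_PACKET socket. The kernel lists those in /proc/net/packet;
matching each socket inode against socket:[inode] links in /proc/<pid>/fd
reveals the owning process, which can then be compared to an allow-list.
"""
import os
import re
from typing import Dict, Iterable, List, Set

# Assumed allow-list: capture tools an operator expects to see on the host.
EXPECTED_CAPTURE_PROCS = {"tcpdump", "tshark"}

# /proc/net/packet columns: sk RefCnt Type Proto Iface R Rmem User Inode
def parse_packet_socket_inodes(proc_net_packet_text: str) -> Set[int]:
    """Return the socket inodes listed in /proc/net/packet (header skipped)."""
    inodes: Set[int] = set()
    for line in proc_net_packet_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 9 and fields[-1].isdigit():
            inodes.add(int(fields[-1]))
    return inodes

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")

def match_inodes_to_pids(inodes: Set[int],
                         fd_links: Dict[int, Iterable[str]]) -> Dict[int, List[int]]:
    """Map each packet-socket inode to the PIDs whose fd table links to it.

    fd_links maps pid -> link targets of /proc/<pid>/fd/* (live or constructed).
    """
    owners: Dict[int, List[int]] = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = SOCKET_LINK.match(target)
            if m and int(m.group(1)) in inodes:
                owners.setdefault(int(m.group(1)), []).append(pid)
    return owners

def suspicious_sniffers(owners: Dict[int, List[int]], comm_by_pid: Dict[int, str],
                        allow: Set[str] = EXPECTED_CAPTURE_PROCS) -> List[dict]:
    """Flag packet-socket owners whose process name is not on the allow-list."""
    findings = []
    for inode, pids in sorted(owners.items()):
        for pid in pids:
            name = comm_by_pid.get(pid, "?")
            if name not in allow:
                findings.append({"pid": pid, "comm": name, "inode": inode})
    return findings

# --- constructed sample data (not from any real host) ---------------------
SAMPLE_PROC_NET_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c1e4a2b3000 3      3      0003   2     1 0      0      40211
ffff9c1e4a2b3800 3      3      0003   2     1 0      0      40377
"""
SAMPLE_FD_LINKS = {
    1204: ["/dev/null", "socket:[40211]", "/var/log/capture.log"],
    2871: ["pipe:[5001]", "socket:[40377]"],
    2902: ["socket:[40390]"],  # an ordinary TCP socket, absent from the packet table
}
SAMPLE_COMM = {1204: "tcpdump", 2871: "smsc_helper", 2902: "sshd"}

def scan_sample() -> List[dict]:
    """Run the full pipeline over the constructed sample; flags PID 2871 only."""
    inodes = parse_packet_socket_inodes(SAMPLE_PROC_NET_PACKET)
    owners = match_inodes_to_pids(inodes, SAMPLE_FD_LINKS)
    return suspicious_sniffers(owners, SAMPLE_COMM)

# --- live-host collectors (need root to read every process's fd table) -----
def read_live_fd_links() -> Dict[int, List[str]]:
    links: Dict[int, List[str]] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = f"/proc/{entry}/fd"
        try:
            targets = []
            for fd in os.listdir(fd_dir):
                try:
                    targets.append(os.readlink(os.path.join(fd_dir, fd)))
                except OSError:
                    continue  # fd closed while we were walking the table
            links[int(entry)] = targets
        except OSError:
            continue
    return links

def read_live_comm(pids: Iterable[int]) -> Dict[int, str]:
    names = {}
    for pid in pids:
        try:
            with open(f"/proc/{pid}/comm") as f:
                names[pid] = f.read().strip()
        except OSError:
            continue
    return names

if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        live_inodes = parse_packet_socket_inodes(f.read())
    live_owners = match_inodes_to_pids(live_inodes, read_live_fd_links())
    live_comm = read_live_comm({p for pids in live_owners.values() for p in pids})
    for finding in suspicious_sniffers(live_owners, live_comm):
        print(f"unexpected packet socket: pid={finding['pid']} comm={finding['comm']} inode={finding['inode']}")
```

Run as root on the host to check it live; the constructed sample flags the unknown `smsc_helper` process and ignores `tcpdump`, which is on the allow-list. A process can also capture through other paths (for example eBPF or a mirrored port), so this check is one signal to pair with process-baseline and file-integrity monitoring, not a complete detection.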
The attackers’ identification of both phone and IMSI numbers shows they were singling out known individuals. As the official report also details, “Sanitized examples include the names of political leaders, military and intelligence organizations and political movements at odds with the Chinese government.”
MESSAGETAP is a clear example of how messages can be intercepted at network layers generally considered safe. It also reveals the scope of the state actor’s reach and what it is capable of achieving.