Chinese state-sponsored hackers have developed Linux malware that can intercept SMS messages from inside a telecom network. The malware is built to run on Short Message Service Center (SMSC) servers, the systems inside a mobile operator's network that route and store SMS traffic.
The malware was found on a mobile operator's network earlier this year by FireEye, a US-based cyber-security firm.
According to FireEye's analysts, the attackers breached the telco and installed malware, named MessageTap, on the company's SMSC servers, where it inspected SMS messages passing through and applied a set of filters.
If the body of a message contained one of a list of keywords, MessageTap set the message aside to be exfiltrated later. The keywords covered topics of geopolitical interest to Chinese intelligence collection, such as the names of political leaders, military and intelligence organizations, and political movements at odds with the Chinese government.
Second, MessageTap also set messages aside if they were sent from or to particular phone numbers, or from or to a device with a particular IMSI (the subscriber identifier tied to the SIM). The malware tracked thousands of phone numbers and IMSIs at a time.
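To make the selection logic concrete, here is a small model of the three selector types the article describes: body keywords, phone numbers and IMSIs. It is an added illustration written for this article, not MessageTap's code or FireEye's analysis; the class and function names, the sample messages and every selector value below are constructed placeholders, not real indicators.

```python
"""Model of selector-based SMS collection as described in the article.

Hypothetical reconstruction for illustration only. It is NOT MessageTap's
code, and the keywords, numbers and IMSIs are constructed placeholders.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Sms:
    sender: str      # MSISDN of the originating subscriber
    recipient: str   # MSISDN of the destination subscriber
    imsi: str        # IMSI of the device the SMSC saw the message from/to
    body: str


@dataclass
class Hit:
    sms: Sms
    reasons: list = field(default_factory=list)  # why the message was kept


def normalize_msisdn(number: str) -> str:
    """Keep digits only, so '+1 (555) 010-0001' and '15550100001' compare equal."""
    return re.sub(r"\D", "", number)


class SmsSelector:
    """Keeps only messages matching a keyword, a phone number or an IMSI."""

    def __init__(self, keywords, msisdns, imsis):
        self.keywords = [k.lower() for k in keywords if k]
        self.msisdns = {normalize_msisdn(n) for n in msisdns if n}
        self.imsis = {i.strip() for i in imsis if i}

    def match(self, sms: Sms) -> list:
        """Return the list of selectors this message tripped (empty = discard)."""
        reasons = []
        body = sms.body.lower()
        for kw in self.keywords:               # case-insensitive substring match
            if kw in body:
                reasons.append(f"keyword:{kw}")
        for label, num in (("sender", sms.sender), ("recipient", sms.recipient)):
            if normalize_msisdn(num) in self.msisdns:
                reasons.append(f"{label}:{num}")
        if sms.imsi.strip() in self.imsis:
            reasons.append(f"imsi:{sms.imsi}")
        return reasons

    def tap(self, stream) -> list:
        """Run every message in the stream through the selectors; keep the hits."""
        return [Hit(sms, r) for sms in stream if (r := self.match(sms))]


# Constructed sample traffic. MCC 001 is the ITU test network code and the
# 555-01xx numbers are fictional; none of these identifiers are real.
SAMPLE_TRAFFIC = [
    Sms("+15550100001", "+15550100002", "001010999999999", "Lunch at noon?"),
    Sms("+15550100003", "+15550100004", "001010123456789", "running late"),
    Sms("+15550100005", "+15550100006", "001010888888888", "Meet outside the Embassy at 9"),
    Sms("+15550100007", "+15550100008", "001010777777777", "happy birthday!"),
    Sms("+15550100009", "+15550100001", "001010666666666", "PROTEST tomorrow"),
]


def run_demo() -> list:
    """Apply constructed selectors to the sample traffic and return the hits."""
    selector = SmsSelector(
        keywords=["protest", "embassy"],
        msisdns=["+1 555 010 0001"],       # one targeted number, unnormalized
        imsis=["001010123456789"],         # one targeted device
    )
    return selector.tap(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    hits = run_demo()
    print(f"{len(hits)} of {len(SAMPLE_TRAFFIC)} messages retained")
    for hit in hits:
        print(hit.sms.sender, "->", hit.sms.recipient, hit.reasons)
```

The defender-side point this makes is that a selector-driven tap discards almost everything it sees: only messages that trip a keyword, number or IMSI are kept, so the exfiltrated volume is tiny compared with the SMSC's traffic and volume-based exfiltration alerts will not fire. What is observable is the tap itself: an unexpected process on the SMSC host reading message traffic, and the selector lists it has to keep somewhere.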
The malware has been attributed to a Chinese group that FireEye tracks as APT41. The group stands apart from other Chinese groups because it carries out not only politically motivated cyber-espionage but also financially motivated intrusions, apparently for its members' own gain.
The security firm also found evidence on the hacked telco's network that APT41 interacted with the mobile operator's call detail record (CDR) database, which stores metadata about past phone calls. The attackers queried it for the CDR records of foreign high-ranking personnel of interest to the Chinese intelligence services.
The name of the hacked telco was not revealed. Reuters has reported that MessageTap is related to China's efforts to track its Uyghur minority, some of which involve hacking telcos to follow the movements of Uyghur travelers.
Chinese hacking groups have long been known for a smash-and-grab approach: breach a target, take as much data as possible, and sift through it later. The APT41 operation, by contrast, shows a carefully planned and tightly targeted surveillance operation aimed at a very small group of people.
That was not how Chinese groups operated in the past, but it appears to be the norm now, as in the CCleaner and ASUS Live Update supply-chain attacks, where Chinese hackers breached a company only to go after a small subset of its customers.
All of this suggests that Chinese hacking groups have become adept at targeted operations, and that there is a growing trend of Chinese hackers going after telecom operators.