Chinese Hacker Group APT41 Harvesting SMS Messages from Inside 4 Telcos


01 Nov 2019

CBR

APT’s 64-bit ELF data miner at work within at least 4 telcos

Security firm FireEye says a “highly advanced” Chinese advanced persistent threat group dubbed APT41 is using its intrusions into telecommunications companies to monitor SMS traffic for specific users and keywords, using a previously unseen malware type, with high-ranking military and government officials the primary targets.

APT41 is using a new espionage tool that FireEye calls MESSAGETAP. FireEye discovered the malware on a cluster of Linux servers during a 2019 investigation at a telecommunications network provider. The servers were being used to route SMS messages, or to store them until the recipient came online (so-called SMSC servers), FireEye said.

FireEye said it has identified four affected telecommunications companies. It named neither the companies nor the countries in which they are located.

“MESSAGETAP grants APT41, and by extension, China the ability to obtain highly sensitive data at scale for a wide range of priority targets with little chance of being detected”, FireEye said, with no mitigation possible on the end-user’s side. The APT appears to have been active since 2012, the security firm said Thursday.

The report is the latest suggestion that Chinese APTs have gained deep access to global telecommunications providers: a June 25 report by Boston-based Cybereason detailed the systematic penetration of over 10 global telecommunications companies by an APT believed to be Chinese, which had extracted over 100GB of data from the primary telco assessed. The group was also using its access to so-called Call Detail Records (CDRs) to track the movements and interactions of high-profile individuals.

FireEye said: “Both users and organizations must consider the risk of unencrypted data being intercepted several layers upstream in their cellular communication chain. This is especially critical for highly targeted individuals such as dissidents, journalists and officials that handle highly sensitive information.” (More secure, end-to-end encrypted alternatives to SMS are, of course, widely available, although none are bulletproof.)

APT41’s MESSAGETAP

MESSAGETAP is a 64-bit ELF (a common standard file format for executables, object code, shared libraries, and core dumps) data miner initially loaded by an installation script. “Once installed, the malware checks for the existence of two files”, FireEye notes, “keyword_parm.txt and parm.txt”. It then attempts to read the configuration files every 30 seconds. If either exists, the contents are read and XOR decoded.

As FireEye explains, the spyware uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. “It continues parsing protocol layers including SCTP, SCCP, and TCAP. Finally, the malware parses and extracts SMS message data from the network traffic.”

This includes SMS message contents, the IMSI number and both the source and destination phone numbers.

FireEye added: “The inclusion of both phone and IMSI numbers shows the highly targeted nature of this cyber intrusion. If an SMS message contained either a phone number or an IMSI number that matched the predefined list, it was saved to a CSV file for later theft by the threat actor.”
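The host-side checks below are an added example, not FireEye's or the malware's own code. They follow from two statements in the article: that MESSAGETAP polls for keyword_parm.txt and parm.txt and XOR-decodes their contents, and that it listens to all traffic through libpcap. An analyst on a suspect SMSC host can look for those filenames, attempt to recover an opaque list file for triage, and list interfaces in promiscuous mode. Three things are assumptions, since the article states neither the key scheme nor how the capture is configured: the single-byte XOR key, the use of the Linux IFF_PROMISC interface flag as the capture indicator, and the sample file contents, which are constructed here.

```python
"""Triage helpers for a Linux SMSC host suspected of running MESSAGETAP.

Added example, not FireEye's or the malware's code. The single-byte XOR key,
the promiscuous-mode check and the sample data are assumptions (see lead-in).
"""
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Filenames the article says the malware checks for every 30 seconds.
MESSAGETAP_CONFIG_NAMES = frozenset({"keyword_parm.txt", "parm.txt"})

# Acceptable bytes in a decoded text file: printable ASCII plus tab, LF, CR.
PRINTABLE = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Bytes that suggest a keyword or number list: letters, digits, space, newline.
WORDLIKE = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 \n")

# Linux interface flag bit as exposed in /sys/class/net/<iface>/flags (assumed indicator).
IFF_PROMISC = 0x100


def find_config_indicators(paths: Iterable[str]) -> List[str]:
    """Return the paths whose basename matches one of the known config filenames."""
    return [p for p in paths if os.path.basename(p) in MESSAGETAP_CONFIG_NAMES]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def wordlike_score(data: bytes) -> float:
    """Fraction of bytes that look like keyword-list content (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in WORDLIKE) / len(data)


def brute_force_single_byte_xor(data: bytes) -> List[Tuple[int, bytes]]:
    """Try every non-zero single-byte key, keep only fully printable results and
    return (key, plaintext) pairs best-scoring first. Key 0 is skipped because it
    leaves the input unchanged."""
    if not data:
        return []
    scored = []
    for key in range(1, 256):
        plain = xor_bytes(data, key)
        if all(b in PRINTABLE for b in plain):
            scored.append((wordlike_score(plain), key, plain))
    scored.sort(key=lambda t: t[0], reverse=True)
    return [(key, plain) for _, key, plain in scored]


def recover_keyword_list(data: bytes) -> Optional[Tuple[int, List[str]]]:
    """Decode with the best candidate key and split into one entry per line,
    the layout a keyword or target-number list would plausibly have."""
    candidates = brute_force_single_byte_xor(data)
    if not candidates:
        return None
    key, plain = candidates[0]
    entries = [ln.strip() for ln in plain.decode("ascii").splitlines() if ln.strip()]
    return key, entries


def promiscuous_interfaces(flags_by_iface: Dict[str, str]) -> List[str]:
    """Return interface names whose flags word has IFF_PROMISC set.
    Input maps interface name to the hex string read from /sys/class/net/<iface>/flags."""
    return [name for name, hexflags in sorted(flags_by_iface.items())
            if int(hexflags, 16) & IFF_PROMISC]


def read_sysfs_iface_flags(sys_net: str = "/sys/class/net") -> Dict[str, str]:
    """Collect the flags word of every interface from sysfs (Linux only)."""
    flags: Dict[str, str] = {}
    try:
        for name in os.listdir(sys_net):
            with open(os.path.join(sys_net, name, "flags")) as fh:
                flags[name] = fh.read().strip()
    except OSError:
        pass
    return flags


# Constructed sample: a made-up keyword list encoded with an assumed key of 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"example keyword one\nexample keyword two\n15550000001\n"
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    candidate_paths = ["/opt/app/parm.txt", "/var/tmp/keyword_parm.txt", "/etc/hosts"]
    print("config-name hits:", find_config_indicators(candidate_paths))
    print("recovered list:", recover_keyword_list(SAMPLE_ENCODED))
    print("promiscuous interfaces:", promiscuous_interfaces(read_sysfs_iface_flags()))
```

The scoring keeps only keys that yield an entirely printable file, then ranks by how much of the output is letters, digits, spaces and newlines; on a real find the analyst still eyeballs the top few candidates rather than trusting the first. A promiscuous interface on an SMSC host is only a lead: legitimate monitoring taps set the same flag, so confirm which process holds the packet socket before drawing conclusions.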

Sanitised examples of the threat group’s targets include the names of “political leaders, military and intelligence organizations and political movements at odds with the Chinese government”, FireEye notes.