Chinese state-backed hackers are compromising telecom operators to steal text messages

Chinese state-backed hackers are compromising telecom operators to steal text messages

APT41, one of China‘s prolific hacking groups, has developed a new kind of malware that can steal SMS messages from a cellular network.

According to latest research by cybersecurity vendor FireEye, the state-backed threat actor — notorious for a barrage of espionage operations against geopolitical adversaries — developed the capabilities to monitor and save SMS traffic from specific phone numbers for subsequent theft.

The malware — dubbed MESSAGETAP — was discovered on a Short Message Service Center (SMSC) server that was being used by a telecom firm to route SMS messages to intended recipients.

Aside from employed to extract the SMS message content, the malware collects the source and destination phone numbers of targeted individuals, the mobile subscriber identity numbers, and data from call detail record (CDR) databases.

MESSAGETAP works by sniffing SMS traffic and stealing them if the contents contain certain special keywords of geopolitical interest, the messages were being sent from or to particular phone numbers, or specific devices with unique IMSI numbers.

FireEye didn’t disclose the targets of the intrusion campaign, but said four telecom operators were tainted with MESSAGETAP in 2019. Furthermore, it discovered a separate state-backed group injected this malware into four additional cellular service providers’ networks.

“The use of MESSAGETAP and targeting of sensitive text messages and call detail records at scale is representative of the evolving nature of Chinese cyber espionage campaigns,” FireEye said.

A resourceful hacking group

Known as Barium or Winnti by other companies, APT41 has been previously linked to various supply chain compromises targeting Asus, NetSarang, and CCleaner utility in recent years.

Although state-sponsored cyber espionage missions are its primary objectives, the group is also known for conducting financially-motivated side operations by using ransomware against game companies and attacking cryptocurrency providers for personal profit.

With its wide range of tools and techniques, APT41 has proven itself to be a “Swiss Army knife” capable of data theft, running extortion campaigns, and surveilling anyone of interest to Beijing.

Indeed, a Reuters report published in September noted that hackers working for the Chinese government had broken into telecoms networks to track the Uyghur Muslim minority and their whereabouts in the country.

APT41’s campaign is the latest evidence of the group’s increasing technical prowess to mount such highly targeted surveillance attacks.

This necessitates organizations to isolate their critical network infrastructure and secure it behind strong firewall barriers so as to prevent unauthorized access to internal systems.

What’s more, the development highlights the risks associated with transmitting sensitive data over SMS, which are not only unencrypted but are also prone to hijacking attacks. Users should therefore consider switching to more secure alternatives — such as Signal and WhatsApp — that enforce end-to-end encryption.

“The threat to organizations that operate at critical information junctures will only increase as the incentives for determined nation-state actors to obtain data that directly support key geopolitical interests remains,” FireEye researchers said.

Read next: Russian aluminum plant driven to cryptocurrency mining by US sanctions