A China-linked threat group targets the servers of telecommunications companies with a new piece of malware designed to spy on SMS traffic within telcos’ networks, FireEye revealed. The new malware, dubbed MESSAGETAP, has been used by a Chinese threat actor tracked by FireEye as APT41. The group has been active since at least 2012 and is known to be focused on both cyber espionage and financially-motivated operations.
The MESSAGETAP espionage tool was discovered earlier this year during an investigation of a cluster of Linux servers at an unnamed telecommunications network provider. These servers were used as Short Message Service Center (SMSC) servers, responsible for routing SMS messages to their intended recipients or storing them until a recipient comes back online.
According to FireEye, MESSAGETAP is a 64-bit ELF data miner that monitors all network connections in an effort to identify and extract SMS messages. The malware captures not only the content of SMS messages, but also IMSI numbers and the phone numbers of both the sender and the recipient. MESSAGETAP is loaded by an installation script; once installed, it checks for the existence of two configuration files, keyword_parm.txt and parm.txt, which contain instructions on which messages should be extracted. Once these files have been read and loaded into memory, they are deleted from the disk.
The malware inspects SMS message contents for keywords from a predefined list (the keywordVec list), compares the IMSI number against the imsiMap list, and checks the extracted phone numbers against the phoneMap list. If a message passing through the targeted mobile operator’s servers contains a keyword from the predefined list, or involves an IMSI or phone number of interest to the hackers, the content of the message is saved to a local CSV file that the attackers can retrieve later. APT41 has primarily been searching for keywords related to the names of political leaders, military and intelligence organizations, and political movements that oppose the Chinese government.
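The load-then-delete handling of keyword_parm.txt and parm.txt described above is a behaviour a defender can hunt for on SMSC hosts, independent of any file hash. The following is an added detection example, not FireEye's code or anything recovered from the malware: it parses simplified, constructed audit-style records (the record format, process names, paths and timestamps are all assumptions made for the example; only the two configuration file names come from the report) and flags any process that opens one of those files and then unlinks it shortly afterwards.

```python
"""Hunt for a config-load-then-delete pattern in audit-style logs.

Added detection example; the configuration file names come from the
MESSAGETAP report, while the log format, sample events, process names and
paths below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from os.path import basename

# Configuration file names the report attributes to MESSAGETAP.
CONFIG_FILES = ("keyword_parm.txt", "parm.txt")

# Constructed, simplified audit-style records (assumed format):
#   <ISO time> pid=<n> exe=<path> syscall=<open|unlink> path=<file>
SAMPLE_LOG = """\
2019-06-01T02:10:01 pid=4120 exe=/usr/sbin/smsd syscall=open path=/var/spool/smsc/queue.db
2019-06-01T02:10:05 pid=5233 exe=/tmp/.x/mtap syscall=open path=/tmp/.x/keyword_parm.txt
2019-06-01T02:10:05 pid=5233 exe=/tmp/.x/mtap syscall=open path=/tmp/.x/parm.txt
2019-06-01T02:10:06 pid=5233 exe=/tmp/.x/mtap syscall=unlink path=/tmp/.x/keyword_parm.txt
2019-06-01T02:10:06 pid=5233 exe=/tmp/.x/mtap syscall=unlink path=/tmp/.x/parm.txt
2019-06-01T02:11:00 pid=4120 exe=/usr/sbin/smsd syscall=open path=/etc/smsc/parm.txt
2019-06-01T03:00:00 pid=6001 exe=/usr/bin/rm syscall=unlink path=/home/ops/parm.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) exe=(?P<exe>\S+) "
    r"syscall=(?P<call>\w+) path=(?P<path>\S+)$"
)


def parse_events(text):
    """Turn the constructed log text into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "pid": int(m["pid"]),
            "exe": m["exe"],
            "call": m["call"],
            "path": m["path"],
        })
    return sorted(events, key=lambda e: e["ts"])


def find_config_wipe(events, window=timedelta(seconds=60)):
    """Return one alert per process that opened a watched config file and
    then unlinked the same file within `window`.

    A process that only reads the file (legitimate software with a file of
    the same name) or only deletes it (an operator running rm) is not
    flagged; the suspicious sequence is read followed by deletion.
    """
    opened = defaultdict(dict)  # pid -> {basename: time of last open}
    hits = defaultdict(lambda: {"exe": None, "files": set()})
    for ev in events:
        name = basename(ev["path"])
        if name not in CONFIG_FILES:
            continue
        if ev["call"] == "open":
            opened[ev["pid"]][name] = ev["ts"]
        elif ev["call"] == "unlink":
            t_open = opened[ev["pid"]].get(name)
            if t_open is not None and ev["ts"] - t_open <= window:
                hits[ev["pid"]]["exe"] = ev["exe"]
                hits[ev["pid"]]["files"].add(name)
    return [
        {"pid": pid, "exe": h["exe"], "files": sorted(h["files"])}
        for pid, h in sorted(hits.items())
    ]


if __name__ == "__main__":
    for alert in find_config_wipe(parse_events(SAMPLE_LOG)):
        print(f"pid {alert['pid']} ({alert['exe']}) read then deleted: "
              f"{', '.join(alert['files'])}")
```

On the constructed sample only pid 5233 is reported, with both files; the legitimate SMS daemon that merely reads a parm.txt and the operator who deletes one without reading it are left alone. In a real deployment the parser would be replaced by one for the host's actual audit source (auditd, eBPF or an EDR feed), and an alert would be enriched with the executable's path and hash so that a previously unseen 64-bit ELF on an SMSC host stands out.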
The hackers have not only been spying on SMS messages, but have also queried call detail record (CDR) databases in order to save and steal records related to “foreign high-ranking individuals of interest to the Chinese intelligence services”.
“Targeting CDR information provides a high-level overview of phone calls between individuals, including time, duration, and phone numbers. In contrast, MESSAGETAP captures the contents of specific text messages,” the researchers said.
Overall in 2019, FireEye researchers said they observed four telecoms firms targeted by the APT41 group, and another four telcos targeted by separate China-linked threat groups.
“Beyond telecommunication organizations, other client verticals that possess sensitive records related to specific individuals of interest, such as major travel services and healthcare providers, were also targeted by APT41. This is reflective of an evolving Chinese targeting trend focused on both upstream data and targeted surveillance,” the researchers concluded.