A state-sponsored tool most likely used by Chinese advanced persistent threat group APT41 was discovered inside the Linux servers of an undisclosed telecom company, surveilling incoming and outgoing SMS messages.
FireEye Mandiant recently identified a new malware family called MESSAGETAP, which was already deployed in the telecom company’s infrastructure. The term “advanced persistent threat group” is usually reserved for hacking groups employed or used by state actors.
The researchers said the tool deployed by APT41 supported Chinese espionage efforts, but the group has financial motives as well. It’s unclear how long the malware was operating before it was found, but a 2019 investigation revealed it in a cluster of Linux servers.
“Specifically, these Linux servers operated as Short Message Service Center (SMSC) servers. In mobile networks, SMSCs are responsible for routing Short Message Service (SMS) messages to an intended recipient or storing them until the recipient has come online,” said the researchers. “The malware parses and extracts SMS message data from the network traffic, which includes the SMS message contents, the IMSI number, and the source and destination phone numbers.”
The attackers’ targeting of both phone and IMSI numbers shows they were singling out known individuals. The official report adds: “Sanitized examples include the names of political leaders, military and intelligence organizations and political movements at odds with the Chinese government.”
MESSAGETAP is a clear example of how messages can be intercepted at other layers of the mobile network that are generally considered safe. It also reveals the scope of the state actor’s reach and what it is capable of achieving.