A HACKING GROUP linked to the Chinese government cracked a major telecoms network in order to monitor the traffic of world leaders.
That's according to security specialists at FireEye Mandiant, who claim that the APT41 group deployed a new malware family in order to pass undetected.
"Named MessageTap, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts. APT41's operations have included state-sponsored cyber espionage missions as well as financially-motivated intrusions," FireEye said.
APT41 has operated since at least 2012, while MessageTap was first referenced by FireEye in August this year.
The malware was first discovered on a cluster of Linux servers running the telecom company's SMS services. FireEye describes it as a data miner that targets and saves the contents of text messages.
However, FireEye adds, the malware was not compromising the text message service en masse, but targeting particular accounts by phone and IMSI numbers. "If an SMS message contained either a phone number or an IMSI number that matched the predefined list, it was saved to a CSV file for later theft by the threat actor.
"Similarly, the keyword list contained items of geopolitical interest for Chinese intelligence collection. Sanitized examples include the names of political leaders, military and intelligence organizations and political movements at odds with the Chinese government. If any SMS messages contained these keywords, MessageTap would save the SMS message to a CSV file for later theft by the threat actor."
APT41 also targeted the telecom company's call detail record (CDR) databases to query, save and steal records in the same intrusion. Again, the CDR data corresponded to high-ranking individuals around the world of political interest to the Chinese state.
"After loading the keyword and phone data files, MessageTap begins monitoring all network connections to and from the server. It uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers.
"It continues parsing protocol layers including SCTP, SCCP, and TCAP. Finally, the malware parses and extracts SMS message data from the network traffic:
SMS message contents;
The IMSI number;
The source and destination phone numbers."
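The parsing chain FireEye describes starts with libpcap, which on Linux means an AF_PACKET socket that the kernel lists in /proc/net/packet. As an added defender-side example (not FireEye's or this article's code), the script below maps those sockets back to their owning processes on an SMS-service host and flags any that are not on an allowlist; the allowlist, the sample table and the process names are constructed assumptions.

```python
import os
import re
from pathlib import Path

# Processes that may legitimately hold packet sockets on this host (an assumption; tune per host).
ALLOWLIST = {"tcpdump", "dhclient", "dhcpcd", "lldpd"}

# Constructed sample data standing in for /proc/net/packet and each pid's /proc/<pid>/fd links.
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0       0      31337
0000000000000000 3      3    0003   2     1 0       0      4242
"""
SAMPLE_FD_LINKS = {101: ["socket:[31337]", "/dev/null"], 202: ["socket:[4242]"]}
SAMPLE_COMMS = {101: "tcpdump", 202: "smsd-helper"}  # pid -> contents of /proc/<pid>/comm

def parse_packet_table(text):
    """(inode, proto) pairs from /proc/net/packet; proto 0003 is ETH_P_ALL, i.e. every frame."""
    return [(c[8], c[3]) for c in (l.split() for l in text.splitlines()[1:]) if len(c) >= 9]

def socket_owners(fd_links, comms):
    """Map socket inode -> (pid, comm) using the symlink targets under each /proc/<pid>/fd."""
    owners = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[m.group(1)] = (pid, comms.get(pid, "?"))
    return owners

def flag_sniffers(packet_table, fd_links, comms, allowlist=ALLOWLIST):
    """Return (pid, comm, proto) for every AF_PACKET socket held by a non-allowlisted process."""
    owners = socket_owners(fd_links, comms)
    hits = []
    for inode, proto in parse_packet_table(packet_table):
        pid, comm = owners.get(inode, (None, "unknown"))  # unowned socket: still report it
        if comm not in allowlist:
            hits.append((pid, comm, proto))
    return hits

def collect_live():
    """Run against the real /proc (Linux only; root is needed to read other users' fd links)."""
    fd_links, comms = {}, {}
    for pid in (int(p) for p in os.listdir("/proc") if p.isdigit()):
        try:
            comms[pid] = Path(f"/proc/{pid}/comm").read_text().strip()
            fd_links[pid] = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:
            continue
    return flag_sniffers(Path("/proc/net/packet").read_text(), fd_links, comms)
```

Run `collect_live()` from a cron job or an EDR script on the SMSC hosts and alert on any non-empty result; a long-lived, unfamiliar process holding an ETH_P_ALL socket is exactly the footprint a libpcap-based SMS collector leaves.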
And FireEye warned that attacks on "upstream data entities", such as ISPs and telecoms operators, by Chinese state-sponsored entities have increased since 2017, because successful attacks enable groups to acquire a wide range of sensitive information on high-value individuals and groups.
During 2019, furthermore, FireEye observed four telecoms organisations being targeted by APT41, as well as other telecoms companies targeted by other groups linked to the Chinese state.
"Beyond telecommunication organizations, other client verticals that possess sensitive records related to specific individuals of interest, such as major travel services and healthcare providers, were also targeted by APT41. This is reflective of an evolving Chinese targeting trend focused on both upstream data and targeted surveillance," FireEye warned.
It's not been disclosed which company supplied the compromised hardware, although on questioning by the INQUIRER a FireEye spokesman said it wasn't provided by Huawei.