Hackers linked to China compromised telecoms network to monitor world leaders' messages

Chinese intelligence targeting 'upstream data entities', such as telecoms companies, in order to compromise world leaders' communications

APT41, a hacking group linked to the Chinese government, cracked a major telecoms network in order to monitor the traffic of world leaders.

That's according to security specialists at FireEye Mandiant, who claim that the group deployed a new malware family in order to pass undetected.

"Named MessageTap, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts. APT41's operations have included state-sponsored cyber espionage missions as well as financially-motivated intrusions," FireEye revealed today.

APT41 has operated since at least 2012, while MessageTap was first referenced by FireEye in August this year.


The malware was first discovered on a cluster of Linux servers running the telecom company's SMS services. FireEye describes it as a data miner that targets and saves the contents of text messages.

However, FireEye adds, the malware was not compromising the text message service en masse, but targeting particular accounts by phone and IMSI numbers. "If an SMS message contained either a phone number or an IMSI number that matched the predefined list, it was saved to a CSV file for later theft by the threat actor.

"Similarly, the keyword list contained items of geopolitical interest for Chinese intelligence collection. Sanitized examples include the names of political leaders, military and intelligence organizations and political movements at odds with the Chinese government. If any SMS messages contained these keywords, MessageTap would save the SMS message to a CSV file for later theft by the threat actor."


APT41 also targeted the telecom company's call detail record (CDR) databases to query, save and steal records in the same intrusion. Again, the CDR data corresponded to high-ranking individuals around the world of political interest to the Chinese state.

"After loading the keyword and phone data files, MESSAGETAP begins monitoring all network connections to and from the server. It uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers.

"It continues parsing protocol layers including SCTP, SCCP, and TCAP. Finally, the malware parses and extracts SMS message data from the network traffic:

  1. SMS message contents;
  2. The IMSI number;
  3. The source and destination phone numbers."
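The libpcap behaviour quoted above leaves a host-side trace a defender can hunt for: on Linux, libpcap captures "all traffic" by opening an AF_PACKET socket with protocol ETH_P_ALL (0x0003), and every such socket is listed in /proc/net/packet with an inode that also appears as a socket:[inode] link under /proc/<pid>/fd. The script below is an added example for this article, not FireEye's or the malware's code; the /proc/net/packet contents, inode-to-process map and process names in it are constructed.

```python
import os
import re

ETH_P_ALL = 0x0003  # libpcap's "all traffic" protocol on Linux AF_PACKET sockets

# Constructed sample of /proc/net/packet: one ETH_P_ALL raw socket (inode 90210)
# and one ARP-only socket (proto 0806) that a hunt should leave alone.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3c4e1d2800 3      3    0003   2     1 0      0      90210
ffff9a3c4e1d3c00 3      3    0806   2     0 0      0      90211
"""
# Constructed stand-in for a live scan of /proc/<pid>/fd (see map_socket_inodes_to_pids).
SAMPLE_INODE_OWNERS = {90210: (4242, "smsd-helper"), 90211: (1183, "dhclient")}


def parse_proc_net_packet(text):
    """Return (inode, proto, sock_type) for each AF_PACKET socket; skips the header row."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 9:
            sockets.append((int(fields[8]), int(fields[3], 16), int(fields[2])))
    return sockets


def map_socket_inodes_to_pids(proc_root="/proc"):
    """Live helper: resolve socket inodes to (pid, comm) via /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "comm")) as f:
                comm = f.read().strip()
            fd_dir = os.path.join(proc_root, pid, "fd")
            for fd in os.listdir(fd_dir):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
                if m:
                    owners[int(m.group(1))] = (int(pid), comm)
        except OSError:  # process exited mid-scan or fd dir not readable (needs root)
            continue
    return owners


def find_capture_sockets(packet_text, owners):
    """Flag every process holding an ETH_P_ALL socket as [(pid, comm, inode)]."""
    return [(*owners.get(inode, (None, "unknown")), inode)
            for inode, proto, _ in parse_proc_net_packet(packet_text) if proto == ETH_P_ALL]


if __name__ == "__main__":
    for pid, comm, inode in find_capture_sockets(SAMPLE_PROC_NET_PACKET, SAMPLE_INODE_OWNERS):
        print(f"packet-capture socket {inode} held by pid {pid} ({comm}); verify it is expected")
```

On a real host run it as root with `find_capture_sockets(open("/proc/net/packet").read(), map_socket_inodes_to_pids())` and compare the hits against the capture tools you expect on an SMS or signalling server; anything else warrants a closer look.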

And FireEye warned that attacks on "upstream data entities", such as ISPs and telecoms operators, by Chinese state-sponsored entities have increased since 2017 because successful attacks enable groups to acquire a wide range of sensitive information on high-value individuals and groups.

During 2019, furthermore, FireEye observed four telecoms organisations being targeted by APT41, and four other telecoms companies targeted by other groups linked to the Chinese state.


"Beyond telecommunication organizations, other client verticals that possess sensitive records related to specific individuals of interest, such as major travel services and healthcare providers, were also targeted by APT41. This is reflective of an evolving Chinese targeting trend focused on both upstream data and targeted surveillance," FireEye warned.

It's not been disclosed which company supplied the compromised hardware, although on questioning by Computing a FireEye spokesman said it wasn't provided by Huawei.

Telecoms hardware has been the subject of claims and counter-claims over security over the past year.

Huawei and ZTE, in particular, have been subject to US claims over security. The Huawei Cyber Security Evaluation Centre in the UK has also questioned the end-to-end security of Huawei telecoms hardware products.

Huawei has also been accused of aggressive industrial espionage, tacitly supported by China's government.