A new malware family used by state-linked Chinese hacking group APT41 has been used to compromise telco servers, potentially exposing text messages from military and government officials.
Unveiled by security firm FireEye, the malware was discovered on Linux servers operating as Short Message Service Centres (SMSC) servers. These machines are responsible for routing Short Message Service (SMS) messages to an intended recipient or storing them until the recipient’s device is available.
“Named MessageTap, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts,” FireEye states on its blog.
“APT41’s operations have included state-sponsored cyber espionage missions as well as financially-motivated intrusions. These operations have spanned from as early as 2012 to the present day.”
Starting in 2012, Chinese cyber threat group APT41 has carried out numerous state-sponsored espionage activity, as well as financially motivated operations to line its own pockets.
The list of industries which APT41 targets is extensive, though it generally falls in-line with the 5-year economic development plan of the Chinese Government. Big tech, telco and education have been the most recent targets, though it has consistently attempting to manipulate digital currencies for its private financial gain.
In this specific example, FireEye suggests the call detail record (CDR) databases indicates foreign high-ranking individuals of interest to the Chinese intelligence services were the primary targets. With this tool, APT41 was able to capture the content of text messages, as well as the intended recipient.
The revelation does underscore the increasing concern Chinese authorities are illegally monitoring high-profile targets around the world. The US might be somewhat buoyed by the news, as it does as credibility to the case that its allies should build network void of Chinese component and products.
However, as the compromised telcos have not been identified, it is impossible to state conclusively that Chinese equipment was a contributing factor. The compromised telco might not have made use of Chinese equipment, therefore this should not necessarily be viewed as evidence to support the condemnation of Huawei and ZTE.
Unfortunately for the users who might feel they are a target, FireEye has suggested it is incredibly difficult to defend against this type of malware. That said, it does promote the case for end-to-end encryption, a technology which has proven to be unhackable to date.
What remains to be seen is the impact which this incident will have on the on-going trade war which has dogged the economy for months, and the attitude of European Governments towards working with Chinese network equipment manufacturers. Cybercriminals are common place, so it might not cause too many ripples, however it might just reinvigorate the friction which has largely dominated 2019.