U.S.-based cybersecurity firm FireEye revealed that the state-backed Chinese hacker group APT41 has compromised several major telecom firms, retrieving call records of carrier customers it deemed to be targets and intercepting text messages, as well as call records, worldwide.
The report did not name the telecom companies. The hackers searched call and text records for specific keywords, including the names of “high-value” targets such as the names of politicians, intelligence organizations, and political movements “at odds with the Chinese government,” according to the report.
MESSAGETAP
FireEye published its study on text message security on Oct. 31, focusing on a new tool that APT41 is using: a malware named MESSAGETAP, which intercepts people’s text messages worldwide. Text messages are also called short message service (SMS) messages, referring to the plain-text messages sent and received by cellphones.
The report explained that APT41 hackers installed MESSAGETAP on the Short Message Service Center (SMSC) servers of the targeted telecom carriers. The malware can then monitor all network connections to and from the server.
MESSAGETAP can intercept all SMS messaging traffic, which includes the content of the messages; the subscribers’ unique identifiers, known as international mobile subscriber identity (IMSI) numbers; and the source and destination phone numbers.
Furthermore, the hackers can set up keywords in MESSAGETAP, allowing the malware to filter the content that the hackers are looking for.
During the investigation, FireEye found out that hackers searched keywords such as the names of “foreign high-ranking individuals of interest to the Chinese intelligence services,” as well as political leaders, military and intelligence organizations, and political movements.
APT41’s Targets
FireEye previously released a full report on APT41 in August, titled “Double Dragon: APT41, a dual espionage and cyber crime operation.” “Double” refers to the fact that “APT41 is a Chinese state-sponsored espionage group that is also conducting financially motivated activity for personal gain,” and has been doing so since 2012. The report did not provide further details about who has hired APT41’s services.
One particular pattern emerged: “APT41 targets industries in a manner generally aligned with China’s Five-Year economic development plans” and Beijing’s ten-year plan “Made in China 2025,” according to the report.
The hacker group also gathers intelligence ahead of important events, such as mergers and acquisitions (M&A) and political events.
APT41 targets healthcare (including medical devices and diagnostics), pharmaceuticals, retail, software companies, telecoms, travel services, education, video games, and virtual currencies, according to the report.
Purpose and Tools
FireEye found that APT41 initially focused on stealing intellectual property from its targets. But beginning in mid-2015, the hackers “have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft.” The hacker group uses “over 46 different malware families and tools to accomplish their missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group,” the report said.
To protect against potential attacks from APT41, FireEye warned firms not to open unfamiliar emails or their attachments: “The group often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.”