Chinese hackers create Messagetap malware that can steal SMS from operator networks

FireEye experts discovered the messagetap malware, which can steal sms and mobile networks. Chinese government hackers created it.

The malware is designed for Linux machines and was created to be hosted on SMSC (Short Message Service Center) servers, which are responsible for the operation of the short message service in the networks of telecom operators.

Malware helps to “listen” to SMS messages by applying a set of specific filters to them.

“FireEye Mandiant recently discovered a new malware family used by APT41 (a Chinese APT group). APT41’s newest espionage tool, MESSAGETAP, was discovered during a 2019 investigation at a telecommunications network provider within a cluster of Linux servers. Specifically, these Linux servers operated as Short Message Service Center (SMSC) servers”, — report FireEye researchers.

Researchers discovered Messagetap on an unnamed mobile carrier’s network earlier this year. It is not specified ow exactly the infection occurred.

Malware is able to “delay” SMS messages for subsequent theft if the message body contains certain keywords. According to FireEye, among these keywords were various objects of geopolitical interest for Chinese special services, including the names of political leaders, the names of military and intelligence organizations, as well as political movements.

Read also: Chinese hackers create a new backdoor for MSSQL servers

Additionally, the malware is interested in messages sent to or from certain numbers, as well as specific devices, based on their IMSI. At the time of discovery, it tracked thousands of phone numbers and IMSI at the same time.

Specialists associate Messagetap with the relatively “young” Chinese hacker group APT41. Earlier, FireEye experts wrote that this group is different from others, since in addition to political espionage, it also practices operations that have clear financial motives (they are probably carried out by members of the group for personal purposes).

“APT41’s operations have included state-sponsored cyber espionage missions as well as financially-motivated intrusions. These operations have spanned from as early as 2012 to the present day”, — report FireEye specialists.

Analysts write that in the network of the compromised mobile operator, the attackers also interacted with the call detail record database (CDR, logs of the operation of telecommunication equipment, including detailed information about calls). Hackers requested CDRs matching foreign dignitaries of interest to Chinese intelligence.

Although FireEye experts did not disclose the name of the affected company, Reuters reportersreport that MessageTap’s activity is related to the efforts of the Chinese authorities to track the Muslim minority, Uighurs living mainly in Xinjiang province.