Chinese government-linked hackers are monitoring mobile text messages of specific users, and for certain keywords as part of a new surveillance campaign meant to track individuals in a vast trove of telecommunication data, according to findings published Thursday.
APT41, a group that carries out state-sponsored cyber-espionage on Beijing’s behalf, this summer compromised an unnamed telecommunications provider to monitor the messaging activity of high-ranking individuals of interest to the Chinese government, according to FireEye.
Chinese hackers primarily have been scanning for military or intelligence keywords, tracking how subjects are reacting to protests, such as those in Hong Kong, and analyzing victims’ opinions of world leaders, Steve Stone, advanced practices director at FireEye, told CyberScoop.
During the same intrusions into the unnamed phone company, APT41 also sought individuals’ records from call detail record (CDR) databases, which provide metadata such as the time the calls were made, the phone numbers involved, and the length of the conversations.
The findings show that Chinese hackers, while still focusing on intellectual property theft, also prioritize targeted surveillance, researchers said.
The timing of the attack roughly coincided with an “indiscriminate” iPhone hack aimed at the Uighur community, a Muslim population under mass surveillance by the Chinese, and growing demonstrations in Hong Kong, where millions of people have rallied against Beijing.
“APT41 is able to do very specific targeting at scale,” said Stone, who previously served as a senior analyst in the Department of Defense.
“They’re able to say ‘let’s take potentially thousands of numbers, and look for those and see when those numbers start having these specific kind of keyword conversations and then pull that out.’”
FireEye declined to identify the surveillance targets. Stone said only that the hacked telecom was located in a country that is a “strategic competitor” to China.
Dubbed “MessageTap,” the backdoor malware is a 64-bit ELF data miner that has recently been discovered installed on a Linux-based Short Message Service Center (SMSC) server of an unnamed telecommunications company.
In mobile telephone networks, SMSC servers act as intermediaries that handle SMS operations by routing messages between senders and recipients.
Since SMS messages are not encrypted, either in transit or on the telecom’s servers, compromising an SMSC gives attackers visibility into all network connections to and from the server as well as the message data within them.
How Does MessageTap Malware Work?
MessageTap uses the libpcap library to monitor all SMS traffic and then parses the content of each message to determine IMSI and phone numbers of the sender and the recipient.
According to the researchers, the attackers designed MessageTap to filter SMS traffic and save only messages:
- sent or received by specific phone numbers,
- containing certain keywords, or
- with specific IMSI numbers.
For this, MessageTap relies on two configuration files provided by attackers — keyword_parm.txt and parm.txt — that contain a list of targeted phone numbers, IMSI numbers, and keywords linked to “high-ranking individuals of interest to the Chinese intelligence services.”
“Both files are deleted from disk once the configuration files are read and loaded into memory. After loading the keyword and phone data files, MESSAGETAP begins monitoring all network connections to and from the server,” the researchers said in their report released today.
“The data in keyword_parm.txt contained terms of geopolitical interest to Chinese intelligence collection.”
If it finds an SMS message text of interest, the malware XORs its content and saves it to CSV files for later theft by the threat actor.
According to the researchers, “the risk of unencrypted data being intercepted several layers upstream in their cellular communication chain” is especially “critical for highly targeted individuals such as dissidents, journalists, and officials that handle highly sensitive information.”
Besides this, the APT41 hacking group was also found stealing call detail records (CDR) corresponding to high-ranking foreign individuals during the same intrusion, exposing call metadata including the time of the calls, their duration, and the source and destination phone numbers.
Chinese hackers targeting telecommunications companies isn’t new. This year alone, the APT41 hacking group has targeted at least four telecommunications entities, and separate suspected Chinese state-sponsored groups were also observed hitting four additional telecommunications organizations.
According to the FireEye researchers, this trend will continue and more such campaigns will be discovered; to mitigate some of this risk, targeted organizations should consider deploying a communication program that enforces end-to-end encryption.
APT41’s newest espionage tool, MESSAGETAP, was discovered during a 2019 investigation at a telecommunications network provider within a cluster of Linux servers. Specifically, these Linux servers operated as Short Message Service Center (SMSC) servers. In mobile networks, SMSCs are responsible for routing Short Message Service (SMS) messages to an intended recipient or storing them until the recipient has come online. With this background, let’s dig more into the malware itself.
MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. Once installed, the malware checks for the existence of two files, keyword_parm.txt and parm.txt, and attempts to read them every 30 seconds. If either exists, the contents are read and XOR decoded with the string:
Interestingly, this XOR key leads to a URL owned by the European Telecommunications Standards Institute (ETSI). The document explains the Short Message Service (SMS) for GSM and UMTS networks, describing its architecture as well as the requirements and protocols for SMS.
These two files, keyword_parm.txt and parm.txt, contain instructions for MESSAGETAP to target and save the contents of SMS messages.
- The first file (parm.txt) contains two lists:
  - imsiMap: This list contains International Mobile Subscriber Identity (IMSI) numbers. IMSI numbers identify subscribers on a cellular network.
  - phoneMap: The phoneMap list contains phone numbers.
- The second file (keyword_parm.txt) is a list of keywords that is read into keywordVec.
Both files are deleted from disk once the configuration files are read and loaded into memory. After loading the keyword and phone data files, MESSAGETAP begins monitoring all network connections to and from the server. It uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP. Finally, the malware parses and extracts SMS message data from the network traffic:
- SMS message contents
- The IMSI number
- The source and destination phone numbers
The malware searches the SMS message contents for keywords from the keywordVec list, compares the IMSI number with numbers from the imsiMap list, and checks the extracted phone numbers with the numbers in the phoneMap list.
If the SMS message text contains one of the keywordVec values, the contents are XORed and saved to a path with the following format:
The malware compares the IMSI number and phone numbers with the values from the imsiMap and phoneMap lists. If found, the malware XORs the contents and stores the data in a path with the following format:
If the malware fails to parse a message correctly, it dumps it to the following location:
Significance of Input Files
The configuration files provide context into the targets of this information gathering and monitoring campaign. The data in keyword_parm.txt contained terms of geopolitical interest to Chinese intelligence collection. The two lists phoneMap and imsiMap from parm.txt contained a high volume of phone numbers and IMSI numbers.
For a quick review, IMSI numbers are used in both GSM (Global System for Mobiles) and UMTS (Universal Mobile Telecommunications System) mobile phone networks and consist of three parts:
- Mobile Country Code (MCC)
- Mobile Network Code (MNC)
- Mobile Station Identification Number (MSIN)
The Mobile Country Code corresponds to the subscriber’s country, the Mobile Network Code corresponds to the specific provider, and the Mobile Station Identification Number is uniquely tied to a specific subscriber.
Figure 2: IMSI number description
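An incident responder who recovers a parm.txt imsiMap will want to know which networks the targeted subscribers belong to. The following is an added example (not FireEye's code) that splits each IMSI into the MCC, MNC and MSIN fields described above and counts entries per network; it assumes the caller knows which MCCs use 3-digit MNCs, includes no operator table, and uses constructed IMSIs under the test MCC 001.

```python
"""Triage a recovered imsiMap by splitting each IMSI into MCC / MNC / MSIN.

Added example, not FireEye's code. An IMSI has at most 15 digits: a 3-digit
Mobile Country Code, a Mobile Network Code of 2 digits (3 in North America),
and the subscriber's MSIN. Because MNC length depends on the MCC, the caller
supplies the set of MCCs that use 3-digit MNCs; no operator table is included.
All sample IMSIs in this file are constructed (MCC 001 is the test network).
"""
from collections import Counter


def decode_imsi(imsi, mnc_len=2):
    """Split a digit string into its three IMSI fields or raise ValueError."""
    if not imsi.isdigit() or not 3 + mnc_len < len(imsi) <= 15:
        raise ValueError(f"not a plausible IMSI: {imsi!r}")
    return {"mcc": imsi[:3],
            "mnc": imsi[3:3 + mnc_len],
            "msin": imsi[3 + mnc_len:]}


def summarize(imsis, three_digit_mnc=frozenset()):
    """Count list entries per (MCC, MNC); return the counter and rejects."""
    counts, rejected = Counter(), []
    for raw in imsis:
        value = raw.strip()
        mnc_len = 3 if value[:3] in three_digit_mnc else 2
        try:
            fields = decode_imsi(value, mnc_len)
        except ValueError:
            rejected.append(raw)          # e.g. truncated or non-numeric lines
            continue
        counts[(fields["mcc"], fields["mnc"])] += 1
    return counts, rejected


if __name__ == "__main__":
    # Constructed stand-in for a recovered imsiMap; not real subscribers.
    sample = ["001010123456789", "001010123456790", "001020123456789", "garbage"]
    per_network, bad = summarize(sample)
    for (mcc, mnc), n in per_network.most_common():
        print(f"MCC {mcc} MNC {mnc}: {n} subscriber(s)")
    print("rejected:", bad)
```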
The inclusion of both phone and IMSI numbers shows the highly targeted nature of this cyber intrusion. If an SMS message contained either a phone number or an IMSI number that matched the predefined list, it was saved to a CSV file for later theft by the threat actor.
Similarly, the keyword list contained items of geopolitical interest for Chinese intelligence collection. Sanitized examples include the names of political leaders, military and intelligence organizations and political movements at odds with the Chinese government. If any SMS messages contained these keywords, MESSAGETAP would save the SMS message to a CSV file for later theft by the threat actor.
In addition to MESSAGETAP SMS theft, FireEye Mandiant also identified the threat actor interacting with call detail record (CDR) databases to query, save and steal records during this same intrusion. The CDR records corresponded to foreign high-ranking individuals of interest to the Chinese intelligence services. Targeting CDR information provides a high-level overview of phone calls between individuals, including time, duration, and phone numbers. In contrast, MESSAGETAP captures the contents of specific text messages.
The use of MESSAGETAP and targeting of sensitive text messages and call detail records at scale is representative of the evolving nature of Chinese cyber espionage campaigns observed by FireEye. APT41 and multiple other threat groups attributed to Chinese state-sponsored actors have increased their targeting of upstream data entities since 2017. These organizations, located multiple layers above end-users, occupy critical information junctures in which data from multitudes of sources converge into single or concentrated nodes. Strategic access into these organizations, such as telecommunication providers, enables the Chinese intelligence services an ability to obtain sensitive data at scale for a wide range of priority intelligence requirements.
In 2019, FireEye observed four telecommunication organizations targeted by APT41 actors. Further, four additional telecommunications entities were targeted in 2019 by separate threat groups with suspected Chinese state-sponsored associations. Beyond telecommunication organizations, other client verticals that possess sensitive records related to specific individuals of interest, such as major travel services and healthcare providers, were also targeted by APT41. This is reflective of an evolving Chinese targeting trend focused on both upstream data and targeted surveillance. For deeper analysis regarding recent Chinese cyber espionage targeting trends, customers may refer to the FireEye Threat Intelligence Portal. This topic was also briefed at FireEye Cyber Defense Summit 2019.
FireEye assesses this trend will continue in the future. Accordingly, both users and organizations must consider the risk of unencrypted data being intercepted several layers upstream in their cellular communication chain. This is especially critical for highly targeted individuals such as dissidents, journalists and officials that handle highly sensitive information. Appropriate safeguards such as utilizing a communication program that enforces end-to-end encryption can mitigate a degree of this risk. Additionally, user education must impart the risks of transmitting sensitive data over SMS. More broadly, the threat to organizations that operate at critical information junctures will only increase as the incentives for determined nation-state actors to obtain data that directly support key geopolitical interests remains.
- File name: mtlserver
- MD5 hash: 8D3B3D5B68A1D08485773D70C186D877
*This sample was identified by FireEye on VirusTotal and provides an example for readers to reference. The file is a less robust version than instances of MESSAGETAP identified in intrusions and may represent an earlier test of the malware. The file and any of its embedded data were not observed in any Mandiant Consulting engagement.*
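The write-up gives a defender three host-level observables on an SMSC server: the two configuration file names, the published MD5 of the mtlserver sample, and a process that opens a raw packet capture socket the way libpcap does. The script below is an added hunting example (not FireEye's or the malware's code) that checks all three; it is Linux-specific because it reads /proc, and any legitimate capture tool on the host will also appear in its output for review.

```python
"""Hunt for MESSAGETAP-style indicators on a Linux SMSC host.

Added defender example, not FireEye's or the malware's code. It checks the
two config file names, the published MD5 of the VirusTotal sample, and which
processes hold AF_PACKET sockets (what libpcap opens to sniff all traffic).
"""
import hashlib
import os
import re

CONFIG_NAMES = {"parm.txt", "keyword_parm.txt"}   # file names from the report
KNOWN_MD5 = "8d3b3d5b68a1d08485773d70c186d877"     # mtlserver sample, lowercase

def find_config_names(paths):
    """Return the paths whose basename matches a MESSAGETAP config file."""
    return [p for p in paths if os.path.basename(p) in CONFIG_NAMES]

def md5_matches(data):
    """True if the file bytes hash to the published mtlserver MD5."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5

def packet_socket_inodes(proc_net_packet):
    """Parse /proc/net/packet (sk RefCnt Type Proto Iface R Rmem User Inode)."""
    inodes = set()
    for line in proc_net_packet.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) >= 9 and fields[8].isdigit():
            inodes.add(int(fields[8]))
    return inodes

def pids_holding(inodes, proc_root="/proc"):
    """Map socket inodes to the PIDs whose open fds reference them."""
    sock = re.compile(r"socket:\[(\d+)\]")
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                m = sock.match(os.readlink(os.path.join(fd_dir, fd)))
                if m and int(m.group(1)) in inodes:
                    hits.setdefault(int(pid), set()).add(int(m.group(1)))
        except OSError:
            continue                  # process exited or not readable by us
    return hits

if __name__ == "__main__":
    with open("/proc/net/packet") as f:               # Linux only
        sniffers = pids_holding(packet_socket_inodes(f.read()))
    print("processes holding AF_PACKET sockets:", sniffers or "none")
```

Run it as root on the SMSC host, then review each PID it lists against the expected monitoring tools; a match on the config names or the MD5 warrants isolating the host.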