Based on a new report from cybersecurity firm FireEye, it now appears that Chinese hackers are engaged in a new form of cyber espionage that involves stealing SMS messages and phone records from telecommunications companies around the world. Their primary target appears to be high-ranking government officials, raising new concerns worldwide that Chinese intelligence agencies have found a new way to track and monitor the communications of top diplomats and foreign leaders on a broad range of sensitive diplomatic matters. The primary group of Chinese hackers – known as APT41 – is using a form of malware known as MessageTap.
APT41 Chinese hackers target telecom companies
Researchers at FireEye discovered the new form of MessageTap malware during a 2019 investigation into a cluster of Linux servers at an undisclosed telecom company. The new malware, which needs to get loaded onto these servers before it can go to work, intercepts network traffic to read SMS messages, pick out International Mobile Subscriber Identity (IMSI) numbers, and access both the source and destination phone numbers of phone calls. Overall, says FireEye, the APT41 Chinese hackers targeted four different telecoms in the first stage of their attacks. However, FireEye warned that the same style of attack could be carried out on just about any telecom in the world.
One unique aspect of the MessageTap malware is that it is designed to intercept the communications of only “targeted” individuals, such as political dissidents, journalists, and top diplomatic officials. Thus, the Chinese hackers do not appear to be looking to read the text messages of everyone – just the people that the Chinese state has designated for surveillance. Security researchers say the MessageTap malware was configured by the threat group to search for keywords of interest to Chinese intelligence agencies, as well as specific phone numbers of certain individuals “of geopolitical interest” to the Chinese state. The malware would check each message to see if it contained a phone number or IMSI number that matched a predefined list. This is why this malware attack from the Chinese hackers can best be described as a form of “cyber espionage.” The malware hunts for specific phone numbers or keywords, and when it finds them, saves the SMS message to a CSV file for later exfiltration by the hackers.
Chinese hackers move upstream
Overall, this new form of malware attack hints at the changing strategy of known Chinese threat actors. Based on the FireEye report, as well as a June 2019 report from Boston cybersecurity firm Cybereason, it appears that Chinese hackers are moving “upstream” to intercept messages as they are being sent and received. The Cybereason report found that Chinese hackers had penetrated more than10 global telecoms in order to track the movements of high-profile individuals. This, too, appears to be the modus operandi of the Chinese hackers covered by the FireEye report.
In an upstream attack, the hackers go after the telecoms, and not the actual organization, company or government agency under surveillance that is “downstream.” In other words, instead of trying to hack into the computer network of a top U.S. government agency in order to spy on trade discussions involving China, they would instead hack into the servers of telecom providers being used by officials at those agencies. As FireEye noted in a tweet, the Chinese hackers are “not targeting specific processing software “ – they are “processing SMS network traffic at the provider level.” Presumably, this is due to greater ease of access to desired communications flows. A government agency, for example, might encrypt all sensitive communications, but a telecom provider might rely on unencrypted data for call detail records.
The blurring of the line between cyber espionage and cybercrime
The FireEye researchers also discovered another disturbing trend with the Chinese hackers: a blurring of the line between cyber espionage carried out for the Chinese state and a broad range of other cybercrime activities that are financially motivated and carried out entirely for financial gain. According to FireEye, Chinese hackers such as APT41 are now engaging in “swindling” activities using malware that was originally designed for spying and cyber espionage. For example, they are now attacking video game companies and cryptocurrency providers. At the Black Hat security conference in Las Vegas, FireEye detailed how APT41 Chinese hackers broke into the production environment of a video gaming company, so as to manipulate the amount of virtual currency available to them. They are also using ransomware to shake down companies in exchange for cryptocurrency ransom payments.
Often, says FireEye, Chinese hacking groups are combining cyber espionage and cybercrime activities on a daily basis. In the past, Chinese hackers might have carried out and completed an espionage campaign, and then engaged in cybercrime activities during a lull in cyber espionage activity. Now, they might carry out a cyber espionage attack in the morning, and in the afternoon, carry out a ransomware attack in the gaming sector. FireEye characterizes this as “moonlighting for personal gain.”
The most notorious of these Chinese hackers is APT 41 (where APT stands for “Advanced Persistent Threat”), which has been active since at least 2012. As FireEye notes, these Chinese hackers are “relentless” – even when they have been ousted from a network under attack, they will return quickly with a new tactic. While APT41 has not been linked to any stolen intellectual property since 2015, they have been traced back to Chinese cyber espionage campaigns since 2012.
Implications of Chinese hackers spying on telecom traffic
It is unclear at this moment whether the Chinese cyber espionage campaign is primarily looking for political dissidents and journalists who are opposed to the Chinese state, or for top foreign officials and diplomats. Another concern is that the focus might instead be key geopolitical topics, such as the ongoing trade dispute between China and the United States, or top-secret discussions involving Chinese tech giant Huawei. Whatever the primary target of the Chinese hackers might be, the newly discovered attacks on telecom providers should be a wakeup call for all network providers that the Chinese surveillance state is now going worldwide and that they must take much greater effort to protect their network traffic from prying eyes.