An Israeli engineer is searching fake users on social media at his office in the Israeli city of Bnei Brak near Tel Aviv on January 23, 2019. (JACK GUEZ/AFP via Getty Images)

Chinese State-Sponsored Hackers Intercept Text Messages Worldwide: Cyber Report

U.S.-based cybersecurity firm FireEye revealed that the Chinese hacker group APT41 has been backed by the state in compromising several major telecom firms and retrieving call records from the carriers’ customers whom they deemed as targets, intercepting text messages as well as call records worldwide.

The report did not name the telecom companies. The hackers searched call and text records for specific keywords, including the names of “high-value” targets such as the names of politicians, intelligence organizations, and political movements “at odds with the Chinese government,” according to the report.

This is not the first time that Chinese state-sponsored hackers were reported to have intercepted international cell phone text messages. U.S.-based cybersecurity firm Cybereason released a report on Jun. 25, discussing how hacker group APT10 conducted persistent attacks since 2017 on global telecommunications providers. Cybereason concluded that APT10 operates “on behalf of the Chinese Ministry of State Security,” China’s chief intelligence agency. They were to obtain call detail records (CDR), which includes call time, duration, the involved phone numbers, and geolocation.

MESSAGETAP

FireEye published its study on text message security on Oct. 31, focusing on a new tool that APT41 is using: a malware named MESSAGETAP, to intercept people’s text messages worldwide.

Text messages are also called short message service (SMS) messages, referring to the plain word messages that are sent and received by cellphones.

The report explained that APT41 hackers installed MESSAGETAP on the Short Message Service Center (SMSC) servers of the targeted telecom carriers. The malware can then monitor all network connections to and from the server.

MESSAGETAP can intercept all SMS messaging traffic, which includes the content of the messages; their cellphones’ unique identifiers, known as international mobile subscriber identity (IMSI) number; and the source and destination phone numbers.

Furthermore, the hackers can set up keywords in MESSAGETAP, allowing the malware to filter the content that the hackers are looking for.

During the investigation, FireEye found out that hackers searched keywords such as the names of “foreign high-ranking individuals of interest to the Chinese intelligence services,” as well as political leaders, military and intelligence organizations, and political movements.

FireEye said they observed four telecommunication organizations being targeted by APT41 in 2019.

APT41’s Targets

FireEye previously released a full report on APT41 in August, titled “Double Dragon: APT41, a dual espionage and cyber crime operation.”

“Double” refers to the fact that “APT41 is a Chinese state-sponsored espionage group that is also conducting financially motivated activity for personal gain,” since 2012. It did not provide further details about who has hired APT41’s services.

One particular pattern emerged: “APT41 targets industries in a manner generally aligned with China’s Five-Year economic development plans” and Beijing’s ten-year’s plan “Made in China 2025,” according to the report.

The hacker group also gathers intelligence ahead of important events, such as mergers and acquisitions (M&A) and political events.

“Made in China 2025,” first launched in 2015, is an economic blueprint for China to become the dominant manufacturing nation in the world in 10 key high-technology verticals, such as pharmaceuticals, artificial intelligence, and robotics.

APT41 targets healthcare (including medical devices and diagnostics), pharmaceuticals, retail, software companies, telecoms, travel services, education, video games, and virtual currencies, according to the report.

APT41 has targeted firms in those sectors located in the United States, UK, France, Italy, Holland, Switzerland, Turkey, Japan, South Korea, Singapore, India, Myanmar, Thailand, and South Africa.

Purpose and Tools

FireEye found out that APT41 focused on stealing intellectual property from those targeted countries. But beginning in mid-2015, the hackers “have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft.”

The hacker group uses “over 46 different malware families and tools to accomplish their missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group,” the report said.

In order for a firm to protect itself from potential attacks from APT41, FireEye warned firms not to open unfamiliar emails: “The group often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.”