Nation-sponsored hackers have a new tool to drain telecom providers of huge amounts of SMS messages at scale, researchers said.
Dubbed "Messagetap" by researchers from the Mandiant division of security firm FireEye, the recently discovered malware infects Linux servers that route SMS messages through a telecoms network. Once in place, Messagetap monitors the network for messages containing either a preset list of phone or IMSI numbers or a preset list of keywords.
Messages that meet the criteria are then XOR encoded and saved for harvesting later. FireEye said it found the malware infecting an undisclosed telecom provider. The company researchers said the malware is loaded by an installation script, but didnt otherwise explain how infections take place.
Targeting upstream data sources
The security firm said Messagetap belongs to APT41, one of several advanced persistent threat hacking groups that researchers say is sponsored by the Chinese government. The group is apparently using the malware to spy on high-ranking military and government officials. In a report, the researchers said the malware allows Chinas intelligence services to obtain a wide range of sensitive data at scale.
“The use of MESSAGETAP and targeting of sensitive text messages and call detail records at scale is representative of the evolving nature of Chinese cyber espionage campaigns observed by FireEye,” the researchers wrote. “APT41 and multiple other threat groups attributed to Chinese state-sponsored actors have increased their targeting of upstream data entities since 2017. These organizations, located multiple layers above end-users, occupy critical information junctures in which data from multitudes of sources converge into single or concentrated nodes.”
Messagetaps 64-bit Linux executable contains two configuration files. The first, parm.txt
, contains lists of IMSI numbers and phone numbers of interest while keyword_parm.txt
lists keywords. Both files are deleted from disk once loaded into memory. After that, Messagetap monitors all traffic passing over the network and looks for messages that match the criteria from the configuration text files. Messages sent to or from the phone or IMSI numbers are collected. Messages containing the keywords are also gathered. The malware parses all traffic at the Ethernet and IP layers and continues parsing protocol layers including SCTP, SCCP, and TCAP.
Researchers recovered the contents of the configuration files and found a “high volume of phone numbers and IMSI numbers.” Thursdays report continued:
The inclusion of both phone and IMSI numbers show the highly targeted nature of this cyber intrusion. If an SMS message contained either a phone number or an IMSI number that matched the predefined list, it was saved to a CSV filRead More – Source