November 1, 2019 (updated 06 Jul 2022 7:06am)

Chinese Hacker Group APT41 Harvesting SMS Messages from Inside 4 Telcos

APT's 64-bit ELF data miner at work within at least 4 telcos

By CBR Staff Writer

Security firm FireEye says a “highly advanced” Chinese Advanced Persistent Threat dubbed APT41 is using its intrusions into telecommunications companies to monitor SMS traffic for specific users and keywords using a previously unseen malware type – with high-ranking military and government officials the primary target.

APT41 is using a new espionage tool that FireEye calls MESSAGETAP. It discovered the malware within a cluster of Linux servers during a 2019 investigation at a telco network provider. The servers were being used to route SMS messages or store them until the recipient comes online (so-called SMSC, or Short Message Service Centre, servers), FireEye said.

FireEye said it has identified four affected telecommunications companies. It named neither the companies nor the countries in which they are located.

“MESSAGETAP grants APT41, and by extension, China the ability to obtain highly sensitive data at scale for a wide range of priority targets with little chance of being detected,” FireEye said, adding that no mitigation is possible on the end-user’s side. The APT appears to have been active since 2012, the security firm said Thursday.


The report is the latest suggestion that Chinese APTs have gained deep access to global telecommunications providers: a June 25 report by Boston-based Cybereason detailed the systematic penetration of over 10 global telecommunications companies by a suspected Chinese APT, which had extracted over 100GB of data from the primary telco assessed. The group was also using its access to so-called Call Detail Records (CDRs) to track the movements and interactions of high-profile individuals.

FireEye said: “Both users and organizations must consider the risk of unencrypted data being intercepted several layers upstream in their cellular communication chain. This is especially critical for highly targeted individuals such as dissidents, journalists and officials that handle highly sensitive information.” (More secure, end-to-end encrypted alternatives to SMS are, of course, widely available, although none are bulletproof.)


MESSAGETAP is a 64-bit ELF (a common standard file format for executables, object code, shared libraries, and core dumps) data miner initially loaded by an installation script. “Once installed, the malware checks for the existence of two files”, FireEye notes, “keyword_parm.txt and parm.txt”. It then attempts to read the configuration files every 30 seconds. If either exists, the contents are read and XOR decoded.


As FireEye explains, the spyware uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. “It continues parsing protocol layers including SCTP, SCCP, and TCAP. Finally, the malware parses and extracts SMS message data from the network traffic.”

This includes SMS message contents, the IMSI number and both the source and destination phone numbers.

FireEye added: “The inclusion of both phone and IMSI numbers shows the highly targeted nature of this cyber intrusion. If an SMS message contained either a phone number or an IMSI number that matched the predefined list, it was saved to a CSV file for later theft by the threat actor.”
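Two of the behaviours described above are observable from the host side: a libpcap-based sniffer holds an AF_PACKET socket bound to “all protocols”, and the malware polls for files with fixed names. The script below is an added illustration of a hunting check for a Linux SMSC host; it is not FireEye’s or the malware’s code. It parses `/proc/net/packet` (kernel format: sk, RefCnt, Type, Proto, Iface, R, Rmem, User, Inode), maps socket inodes to the processes holding them via `/proc/<pid>/fd`, and flags files named `keyword_parm.txt` or `parm.txt`. The `/proc` contents, PIDs and paths embedded at the bottom are constructed sample data, and `read_live_fd_links` is a convenience helper for running it on a real host.

```python
"""Hunting aid for a Linux SMSC host: list processes holding raw
packet-capture sockets (what libpcap opens) and flag files whose names
match the MESSAGETAP configuration files named in the article.
Added illustration, not FireEye's or the malware's code; the /proc
samples at the bottom are constructed."""
import os
import re

# File names the article says the malware polls for every 30 seconds.
SUSPECT_CONFIG_NAMES = {"keyword_parm.txt", "parm.txt"}

# ETH_P_ALL: the protocol libpcap binds an AF_PACKET socket to when it
# captures all traffic, as the malware is described doing.
ETH_P_ALL = "0003"

_SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def parse_proc_net_packet(text):
    """Parse the text of /proc/net/packet into (inode, proto) tuples.

    Kernel column order: sk RefCnt Type Proto Iface R Rmem User Inode.
    """
    entries = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 9:
            continue
        entries.append((int(fields[8]), fields[3]))
    return entries


def socket_inodes_by_pid(fd_links):
    """fd_links maps pid -> list of symlink targets read from /proc/<pid>/fd.
    Returns inode -> set of pids holding a socket with that inode."""
    owners = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = _SOCKET_LINK.match(target)
            if m:
                owners.setdefault(int(m.group(1)), set()).add(pid)
    return owners


def find_capture_processes(packet_text, fd_links, whole_capture_only=True):
    """Return sorted pids owning AF_PACKET sockets.

    With whole_capture_only, only sockets bound to ETH_P_ALL count, which
    drops e.g. a DHCP client's narrower IP-only AF_PACKET socket.
    """
    owners = socket_inodes_by_pid(fd_links)
    pids = set()
    for inode, proto in parse_proc_net_packet(packet_text):
        if whole_capture_only and proto != ETH_P_ALL:
            continue
        pids.update(owners.get(inode, ()))
    return sorted(pids)


def find_suspect_files(paths):
    """Return paths whose basename matches a known MESSAGETAP config name."""
    return [p for p in paths if os.path.basename(p) in SUSPECT_CONFIG_NAMES]


def read_live_fd_links():
    """Collect /proc/<pid>/fd symlink targets on the running host
    (root is needed to read other users' fd tables)."""
    links = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        fd_dir = os.path.join("/proc", name, "fd")
        try:
            links[int(name)] = [os.readlink(os.path.join(fd_dir, fd))
                                for fd in os.listdir(fd_dir)]
        except OSError:
            continue
    return links


# --- Constructed sample data (not from a real incident) ---
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88803a1b2c00 3      3    0003   2     1 0      0      41077
ffff88803a1b2d00 3      3    0800   2     1 0      0      41212
"""

SAMPLE_FD_LINKS = {
    1423: ["/dev/null", "socket:[41077]", "/var/tmp/out.csv"],  # all-traffic capture
    872: ["socket:[41212]", "/var/lib/dhcp/leases"],           # IP-only AF_PACKET
    1: ["/dev/null"],
}

SAMPLE_PATHS = ["/etc/smsc.conf", "/tmp/.x/keyword_parm.txt", "/tmp/.x/parm.txt"]


if __name__ == "__main__":
    print("ETH_P_ALL capture pids:",
          find_capture_processes(SAMPLE_PROC_NET_PACKET, SAMPLE_FD_LINKS))
    print("suspect config files:", find_suspect_files(SAMPLE_PATHS))
```

On a live host, pass `open("/proc/net/packet").read()` and `read_live_fd_links()` to `find_capture_processes`; any PID it returns that is not a known monitoring tool on an SMSC deserves a closer look, and the file-name check is only a weak indicator since the names are trivially changed.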

Sanitised examples of the threat group’s targets include the names of “political leaders, military and intelligence organizations and political movements at odds with the Chinese government”, FireEye notes.
