MessageTap shows China doesn't need Huawei's help to hack telcos

Nick Wood
By Nick Wood

Oct 31, 2019

via Flickr © Chase Elliott Clark (CC BY 2.0)

via Flickr © Chase Elliott Clark (CC BY 2.0)

  • State-sponsored hacker group compromised Linux SMS server
  • Once in, they were able to save and search through text messages
  • Malware potentially used to track high-ranking officials of interest to China

Who needs Huawei's help to snoop on communications when you've got MessageTap?

That's the name of a new malware family detailed in a report by FireEye. According to the cyber security experts, it is used to track and save SMS messages sent and received by targeted individuals, or messages containing specific keywords.

FireEye said MessageTap was developed by APT41, a hacker group sponsored by – and known to have carried out operations on behalf of – the Chinese government.

The malware was discovered on an undisclosed telco's network; more specifically on Linux-based short message service centre (SMSC) servers. These are used to route SMS messages to a recipient, or store them until the recipient has come online.

via FireEye, October 2019

via FireEye, October 2019

Amid all the scaremongering about Huawei installing backdoors in its equipment at the behest of the Communist Party, the emergence of MessageTap and its use by state-sponsored hackers to compromise Linux-based servers shows that actually, governments have other, much more subtle ways of spying on communications.

While FireEye didn't reveal how MessageTap came to be installed on the SMSC servers in the first place, APT41 has a strong track record of successfully gaining access to networks via phishing emails.

"Once in a victim organisation, APT41 can leverage more sophisticated TTPs (tactics, techniques and procedures) and deploy additional malware," FireEye said, in a separate report about the hacker group. "For example, in a campaign running almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits."

It's worth reiterating at this point, that when a government has a well-funded, tenacious bunch of hackers at its disposal, it doesn't necessarily need to phone up Huawei founder Ren Zhengfei and remind him to bung a back door on his latest router.

FireEye said MessageTap has configuration files preloaded with phone numbers, IMSI numbers, and keywords. Any text messages that include these keywords, or have been sent from phone numbers or IMSI numbers contained in those files, are stored and can be retrieved later by the hacker.

Accessing telco networks "enables the Chinese intelligence services an ability to obtain sensitive data at scale for a wide range of priority intelligence requirements," FireEye noted.

Rather than texts, many people prefer to use messaging apps these days, some of which offer end-to-end encryption, which mitigates the risk of being tracked by MessageTap. However, lots of organisations use SMS for two-factor authentication, and this could potentially give attackers access to the target's various online accounts.

"Users and organisations must consider the risk of unencrypted data being intercepted several layers upstream in their cellular communication chain. This is especially critical for highly targeted individuals such as dissidents, journalists and officials that handle highly sensitive information," FireEye said.

Indeed, the alleged use of triad gangs to intimidate protestors in Hong Kong shows what the depths to which the authorities are prepared to stoop in order to quell civil unrest. It would come as a shock to no one if they were also paying hackers to help them keep tabs on known protestors.

Email Newsletters

Sign up to receive TelecomTV's top news and videos, plus exclusive subscriber-only content direct to your inbox.