FireEye catches APT41 spying for the Chinese on Linux servers.
State-sponsored espionage and surveillance have always been a crucial part of a government’s intelligence arm. In that context, FireEye Mandiant has discovered malware it calls MessageTap, which China is using to monitor the text messages of certain high-value individuals.
Developed by APT41, the malware is a 64-bit ELF data miner that was found installed on a Linux-based Short Message Service Center (SMSC) server belonging to a telecommunications company whose identity remains unknown.
The importance of the server follows from its role: by design, an SMSC routes SMS traffic between senders and recipients, and it handles that traffic unencrypted. Hence, anyone who can access it can read the messages exchanged between both parties.
Delving into the details of how it operates, one is presented with a simple yet intriguing process. First, it uses the libpcap library to capture traffic passing through the server. The captured content is then parsed to extract the International Mobile Subscriber Identity (IMSI) of both users.
Because an IMSI is unique, it identifies both the sender and the recipient; the phone numbers of both parties are also recovered in the same process. However, the attackers are not interested in communication between ordinary people. Instead, they have configured the malware to filter specifically for messages that meet a range of criteria: those from specific phone numbers, those involving specific IMSI numbers, or those that contain certain keywords.
The obvious question is: what are the criteria for these filters? It turns out that MessageTap reads them from two attacker-supplied files, keyword_parm.txt and parm.txt, which contain the identifiers of those given special attention by Chinese intelligence.
“Examples include the names of political leaders, military and intelligence organizations and political movements at odds with the Chinese government,” as explained by FireEye.
Finally, if any message matches an entry on these lists, it is saved to a CSV file that the attackers can retrieve later. The key takeaway is that such attacks have been seen before and will continue in the future. For example, APT41 is also known to have targeted at least 4 other telecommunications groups earlier this year, which sheds light on the latest in state intelligence practices.
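The description above gives a defender two concrete hunting leads on a Linux SMSC host: libpcap-based capture means the process holds an AF_PACKET socket, and the malware reads its target lists from files named keyword_parm.txt and parm.txt. The following script is an added example, not code from the article or from FireEye; it correlates /proc/net/packet socket inodes with /proc/<pid>/fd links to name the processes that are sniffing, and flags any process with one of the two named files open. The allow-list of expected sniffers, the sample data and the process names are constructed assumptions.

```python
"""Hunt for MessageTap-style sniffers on a Linux SMSC host (added example).

Two facts from the write-up drive the checks:
  1. MessageTap captures traffic with libpcap, which on Linux opens an
     AF_PACKET socket listed in /proc/net/packet.
  2. It reads its target lists from keyword_parm.txt and parm.txt.
The allow-list and the sample data below are this example's own assumptions.
"""
import os
import re
from typing import Dict, List, Set

# File names taken from the article.
MESSAGETAP_CONFIG_NAMES = {"keyword_parm.txt", "parm.txt"}

# Processes allowed to hold a packet socket on this host (assumed,
# operator-maintained; an SMSC should normally need none).
EXPECTED_SNIFFERS = {"tcpdump"}

_SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def packet_socket_inodes(proc_net_packet: str) -> Set[int]:
    """Return the socket inodes listed in /proc/net/packet.

    The file has a header row; the inode is the last column of each row.
    """
    inodes: Set[int] = set()
    for line in proc_net_packet.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 9 and fields[-1].isdigit():
            inodes.add(int(fields[-1]))
    return inodes


def hunt(proc_net_packet: str,
         fd_links: Dict[int, List[str]],
         comm: Dict[int, str]) -> List[dict]:
    """Correlate packet-socket inodes and open config files with processes.

    fd_links maps pid -> readlink() targets of /proc/<pid>/fd/*;
    comm maps pid -> process name.  One finding is returned per suspicious pid.
    """
    sniff_inodes = packet_socket_inodes(proc_net_packet)
    findings = []
    for pid, links in fd_links.items():
        name = comm.get(pid, "?")
        reasons = []
        for target in links:
            m = _SOCKET_LINK.match(target)
            if m and int(m.group(1)) in sniff_inodes and name not in EXPECTED_SNIFFERS:
                reasons.append("holds AF_PACKET socket inode %s" % m.group(1))
            if os.path.basename(target) in MESSAGETAP_CONFIG_NAMES:
                reasons.append("has %s open" % target)
        if reasons:
            findings.append({"pid": pid, "comm": name, "reasons": reasons})
    return sorted(findings, key=lambda f: f["pid"])


def collect_live() -> List[dict]:
    """Gather the inputs from /proc on a live Linux host (run as root) and hunt."""
    with open("/proc/net/packet") as fh:
        pnp = fh.read()
    fd_links: Dict[int, List[str]] = {}
    comm: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open("/proc/%d/comm" % pid) as fh:
                comm[pid] = fh.read().strip()
            fd_dir = "/proc/%d/fd" % pid
            fd_links[pid] = [os.readlink(os.path.join(fd_dir, fd))
                             for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited, or not readable without root
    return hunt(pnp, fd_links, comm)


# Constructed sample inputs (not real captures) so the check runs offline.
SAMPLE_PROC_NET_PACKET = (
    "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "ffff8d0e8c1a0000 3      3    0003   2     1 0        0      31337\n"
)
SAMPLE_FD_LINKS = {
    1:    ["/dev/null", "socket:[555]"],
    4242: ["socket:[31337]", "/opt/sms/parm.txt", "/opt/sms/keyword_parm.txt"],
    4300: ["socket:[31337]"],
}
SAMPLE_COMM = {1: "systemd", 4242: "smsd_helper", 4300: "tcpdump"}


def sample_findings() -> List[dict]:
    """Run the hunt over the constructed sample; only pid 4242 should be flagged."""
    return hunt(SAMPLE_PROC_NET_PACKET, SAMPLE_FD_LINKS, SAMPLE_COMM)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Run it as root on the host so every process's fd directory is readable. The open-file check is only a partial signal: a sniffer may read its keyword and parameter files once at start-up and close them, so pair this with a filesystem search for the two names and with the sniffer check, which is the stronger indicator because the capture socket stays open for as long as the collection runs.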
The defence against such attacks largely lies in encrypting message content end to end, at a layer above the SMSC, so that anything intercepted on the server is useless even if accessed. Furthermore, any company handling sensitive data should employ security teams able to recognise such threats amid the noise that surrounds this space.