APT’s 64-bit ELF data miner at work within at least 4 telcos
Security firm FireEye says a “highly advanced” Chinese Advanced Persistent Threat dubbed APT41 is using its intrusions into telecommunications companies to monitor SMS traffic for specific users and keywords using a previously unseen malware type – with high-ranking military and government officials the primary target.
APT41 is using a new espionage tool that FireEye calls MESSAGETAP. It discovered the malware within a cluster of Linux servers during a 2019 investigation at a telco network provider. The servers were being used to route SMS messages or store them until the recipient comes online (so-called SMSC servers), FireEye said.
FireEye said it has identified four affected telecommunications companies. It named neither the companies nor the countries in which they are located.
“MESSAGETAP grants APT41, and by extension, China the ability to obtain highly sensitive data at scale for a wide range of priority targets with little chance of being detected”, FireEye said, with no mitigation possible on the end-user’s side. The APT appears to have been active since 2012, the security firm said Thursday.
The report is the latest suggestion that Chinese APTs have gained deep access to global telecommunications providers: a June 25 report by Boston-based Cybereason detailed the systematic penetration of over 10 global telecommunications companies by a believed Chinese APT, which had extracted over 100GB of data from the primary telco assessed. The group was also using its access to so-called Call Detail Records (CDRs) to track the movements and interactions of high-profile individuals.
FireEye said: “Both users and organizations must consider the risk of unencrypted data being intercepted several layers upstream in their cellular communication chain. This is especially critical for highly targeted individuals such as dissidents, journalists and officials that handle highly sensitive information.” (More secure, end-to-end encrypted alternatives to SMS are, of course, widely available, although none are bulletproof.)
MESSAGETAP is a 64-bit ELF (a common standard file format for executables, object code, shared libraries, and core dumps) data miner initially loaded by an installation script. “Once installed, the malware checks for the existence of two files”, FireEye notes, “keyword_parm.txt and parm.txt”. It then attempts to read the configuration files every 30 seconds. If either exists, the contents are read and XOR decoded.
As FireEye explains, the spyware uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. “It continues parsing protocol layers including SCTP, SCCP, and TCAP. Finally, the malware parses and extracts SMS message data from the network traffic.”
This includes SMS message contents, the IMSI number and both the source and destination phone numbers.
FireEye added: “The inclusion of both phone and IMSI numbers show the highly targeted nature of this cyber intrusion. If an SMS message contained either a phone number or an IMSI number that matched the predefined list, it was saved to a CSV file for later theft by the threat actor.”
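The behaviour FireEye describes above gives an operator of a Linux SMSC host two concrete things to hunt for: a process capturing all traffic through libpcap (on Linux, libpcap opens an AF_PACKET socket bound to ETH_P_ALL, which is listed in /proc/net/packet), and the two configuration files, keyword_parm.txt and parm.txt, whose contents are XOR-encoded rather than readable text. The script below is an added example written for this article; it is not FireEye's code and not a detection the report publishes. It assumes the standard /proc/net/packet column layout (sk RefCnt Type Proto Iface R Rmem User Inode), the kernel constant ETH_P_ALL = 0x0003, and a set of directories to scan for the indicator files; the 90 % printable-bytes threshold is a constructed heuristic.

```python
"""Host-side hunt for a MESSAGETAP-style sniffer on a Linux SMSC host.

Added example, not FireEye's code. It checks the two host artefacts the
report names: an all-protocol packet socket (what libpcap opens) and the
XOR-encoded configuration files keyword_parm.txt / parm.txt.
"""
import os
import string

# Configuration file names reported by FireEye for MESSAGETAP.
INDICATOR_FILES = ("keyword_parm.txt", "parm.txt")
# Directories to search (assumption; widen to taste on a real host).
SCAN_ROOTS = ("/tmp", "/var/tmp", "/dev/shm", "/root", "/home", "/opt")
# Kernel constant from <linux/if_ether.h>: capture every protocol.
ETH_P_ALL = 0x0003


def parse_proc_net_packet(text):
    """Parse the /proc/net/packet table (header line first) into dicts.

    Columns: sk RefCnt Type Proto Iface R Rmem User Inode.
    """
    sockets = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 9:
            continue
        sockets.append({
            "type": int(parts[2]),          # 3 = SOCK_RAW, 2 = SOCK_DGRAM
            "proto": int(parts[3], 16),     # Ethernet protocol filter
            "iface": int(parts[4]),         # bound interface index, 0 = any
            "user": int(parts[7]),
            "inode": int(parts[8]),
        })
    return sockets


def capture_all_inodes(sockets):
    """Inodes of packet sockets that receive every protocol, as libpcap does."""
    return {s["inode"] for s in sockets if s["proto"] == ETH_P_ALL}


def resolve_socket_owners(inodes, proc_root="/proc"):
    """Map socket inodes to (pid, comm) by reading /proc/<pid>/fd symlinks."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target in wanted:
                    with open(os.path.join(proc_root, pid, "comm")) as f:
                        owners[wanted[target]] = (int(pid), f.read().strip())
        except OSError:  # process exited, or no permission to read its fds
            continue
    return owners


def find_indicator_files(roots, names=INDICATOR_FILES):
    """Return paths under `roots` whose file name is one of the indicators."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            hits.extend(os.path.join(dirpath, n) for n in files if n in names)
    return hits


def looks_encoded(data, threshold=0.9):
    """True when fewer than `threshold` of the bytes are printable text.

    A parm.txt that is not readable text is consistent with the report's
    note that the files are XOR-decoded by the malware before use.
    """
    if not data:
        return False
    printable = set(string.printable.encode())
    ratio = sum(b in printable for b in data) / len(data)
    return ratio < threshold


if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        socks = parse_proc_net_packet(f.read())
    owners = resolve_socket_owners(capture_all_inodes(socks))
    for inode, (pid, comm) in owners.items():
        print(f"ETH_P_ALL packet socket inode {inode}: pid {pid} ({comm})")
    for path in find_indicator_files(SCAN_ROOTS):
        with open(path, "rb") as f:
            state = "not readable text" if looks_encoded(f.read()) else "plaintext"
        print(f"indicator file {path} ({state})")
```

Run it as root on the SMSC host so that every process's fd table is readable; legitimate capture tools (tcpdump, an IDS sensor) will also show up as ETH_P_ALL socket owners, so the value of the check is in comparing the owner list against what is supposed to be running there.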
Sanitised examples of the threat group’s targets include the names of “political leaders, military and intelligence organizations and political movements at odds with the Chinese government” FireEye notes.