If you take any interest in the nation-state cyberattacks that have picked up apace in recent months, then you’ll be no stranger to China’s attacks on international telecoms networks. As data sources go, telcos are an intel goldmine—personally identifiable information, call metadata, unstructured patterns to mine. Now the country’s state-sponsored hackers have demonstrated just how insecure the open SMS technology built into those telco infrastructures has become. Put simply, if you haven’t already shifted to an end-to-end encrypted messaging platform, now is the time to do so. SMS is so exposed that an attacker who reaches the carrier’s core can monitor message content for keywords en masse, inside the network itself, with nothing on the handset to detect it. And, as ever, once one attack has shown the way, others will be sure to follow.
Back in June, I reported on research claiming that APT10, one of China’s state-sponsored hacking groups, had compromised the systems of at least ten cellular carriers, targeting specific individuals. Now, a new report from FireEye has outed another campaign along similar lines. Meet APT41—I last reported on this group of “prolific” hackers back in August, when they were exposed, again by FireEye, for “brute force” campaigns against selected industries to collect large volumes of data, from which specific entries could be mined. In that campaign, telcos were front and centre. As one of FireEye’s analysts told me at the time, APT41 was likely targeting “a specific set of individuals, but it’s also interesting for telcos more generally, the role they play, being a first target within new regions that APT41 is moving into.”
And so to this latest research. FireEye has reported that APT41 has been infecting Short Message Service Centre (SMSC) servers within cellular carriers with a malware tool dubbed MESSAGETAP. An SMSC is the store-and-forward hub of a carrier’s SMS service: it routes each message from sender to receiver, and it holds the message content itself until the recipient’s handset is reachable on the network. Because SMS carries no end-to-end encryption, every message passes through the SMSC in readable form, so compromising that one server gives an attacker access to the core SMS traffic and content across the entire network.
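To make concrete why a foothold on the SMSC is so valuable, the following is an added illustration, not code from FireEye’s report and not MESSAGETAP itself. It assumes the tap sits on the SMPP link an SMSC uses to exchange messages (SMPP is the standard SMSC protocol; the report does not say which interface MESSAGETAP hooks), parses the mandatory fields of a submit_sm PDU, and applies the kind of keyword-and-number filter the article describes. The three messages, the keyword list and the target number are all constructed for the example.

```python
import struct

# SMPP 3.4 command_id for submit_sm. Assumption for this illustration: the
# tap sees plaintext SMPP traffic; the real implant's hook point is not known.
SUBMIT_SM = 0x00000004


def build_submit_sm(seq, src, dst, text):
    """Build a constructed submit_sm PDU (header plus mandatory body fields)."""
    body = b"\x00"                                   # service_type: empty C-string
    body += bytes([1, 1]) + src.encode() + b"\x00"   # source ton, npi, addr
    body += bytes([1, 1]) + dst.encode() + b"\x00"   # dest ton, npi, addr
    body += bytes([0, 0, 0])                         # esm_class, protocol_id, priority_flag
    body += b"\x00\x00"                              # schedule_delivery_time, validity_period (empty)
    body += bytes([0, 0, 0, 0])                      # registered_delivery, replace_if_present,
                                                     # data_coding (0 = default alphabet), sm_default_msg_id
    msg = text.encode("ascii")                       # assumption: plain ASCII payload
    body += bytes([len(msg)]) + msg                  # sm_length, short_message
    header = struct.pack(">IIII", 16 + len(body), SUBMIT_SM, 0, seq)
    return header + body


def _cstring(buf, off):
    """Read a NUL-terminated string starting at off; return (text, next offset)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii"), end + 1


def parse_submit_sm(pdu):
    """Recover sender, recipient and message text from a submit_sm PDU."""
    length, cmd, _status, seq = struct.unpack(">IIII", pdu[:16])
    if cmd != SUBMIT_SM or length != len(pdu):
        raise ValueError("not a complete submit_sm PDU")
    off = 16
    _, off = _cstring(pdu, off)      # service_type
    off += 2                         # source_addr_ton, source_addr_npi
    src, off = _cstring(pdu, off)
    off += 2                         # dest_addr_ton, dest_addr_npi
    dst, off = _cstring(pdu, off)
    off += 3                         # esm_class, protocol_id, priority_flag
    _, off = _cstring(pdu, off)      # schedule_delivery_time
    _, off = _cstring(pdu, off)      # validity_period
    off += 4                         # registered_delivery .. sm_default_msg_id
    sm_length = pdu[off]
    off += 1
    text = pdu[off:off + sm_length].decode("ascii")
    return {"seq": seq, "src": src, "dst": dst, "text": text}


def tap_filter(pdus, keywords, targets):
    """Return the messages that mention a keyword or involve a target number.

    This is the in-network selection the article describes: every PDU is
    readable, so the filter runs over the whole stream, not a chosen handset.
    """
    hits = []
    for pdu in pdus:
        m = parse_submit_sm(pdu)
        lowered = m["text"].lower()
        if m["src"] in targets or m["dst"] in targets or any(k in lowered for k in keywords):
            hits.append(m)
    return hits


def demo():
    """Constructed traffic: three messages, one keyword, one watched number."""
    stream = [
        build_submit_sm(1, "15550001", "15550002", "lunch at noon?"),
        build_submit_sm(2, "15550003", "15559999", "Meet at the protest tomorrow"),
        build_submit_sm(3, "15551234", "15550004", "ok"),
    ]
    return tap_filter(stream, keywords={"protest"}, targets={"15551234"})


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The point the code makes is that nothing in the message format resists this: the body is a length-prefixed run of bytes in a well-documented layout, so a tap on the SMSC needs only a protocol parser and a watch list. An end-to-end encrypted messenger would leave the same filter with ciphertext, which is why the article’s advice is to move off SMS rather than to harden it.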