US-based cyber security vendor FireEye Mandiant said it discovered that APT41, one of China’s most prolific hacking groups, has developed a new malware that can compromise cellular networks by monitoring and saving SMS traffic from specific phone numbers.
Named MESSAGETAP, the malware was deployed by APT41 in a telecoms network provider in support of Chinese espionage activities, it said.
MESSAGETAP works by tracking SMS traffic and extracting message content that contains certain keywords of geopolitical interest. In addition to stealing messages, the malware collects the source and destination phone numbers of targeted individuals, including their mobile subscriber identity (IMSI) numbers and data from call detail record (CDR) databases.
“The use of MESSAGETAP and targeting of sensitive text messages and call detail records at scale is representative of the evolving nature of Chinese cyber espionage campaigns,” FireEye Mandiant said.
Also known as ‘Barium’ or ‘Winnti’, APT41 is an active cyber threat group that has carried out Chinese state-sponsored espionage as well as financially motivated operations since 2012. Its growing technical capabilities allow it to conduct surveillance for the Chinese government while also running data theft or extortion campaigns for profit.
The Philippines’ ongoing territorial dispute with China over the West Philippine Sea makes it a particularly vulnerable target for Chinese cyber attacks. In 2015, computer security firm Kaspersky Labs reported that a Chinese-speaking hacker group called “Naikon” had successfully infiltrated governments around the South China Sea region including that of the Philippines.
Naikon had been conducting “at least five years of high volume, high profile, geopolitical attack activity” and had a “high success rate in infiltrating national organizations in Asean countries,” Kaspersky said.
A year later, Finnish security firm F-Secure reported that hackers based in China targeted employees at the Philippines Department of Justice, as well as the organizers of the Asia-Pacific Economic Cooperation summit, which both US president Barack Obama and Chinese premier Xi Jinping attended.
Malware designed to steal sensitive information from the Philippine government and other targets was used against high-profile organizations involved in the PH-China dispute.
Cyber-security software company Symantec also announced earlier this year that a Chinese cyber-espionage group called Thrip has attacked organizations in the Philippines and other countries in the region.
Thrip has focused on military organizations, satellite communications operators, maritime communications organizations, media and parts of the education sectors in Southeast Asia, according to Symantec.
“The threat to organizations that operate at critical information junctures will only increase as the incentives for determined nation-state actors to obtain data that directly support key geopolitical interests remains,” FireEye Mandiant researchers said.