Chinese hackers steal SMS messages from telecom operators networks

Tomcat



FireEye experts discovered MessageTap, malware created by Chinese government hackers. The malware targets Linux machines and is designed to be hosted on SMSC (Short Message Service Center) servers, which handle the short message service in the networks of telecom operators. The malware "listens" to SMS messages by applying a set of specific filters to them.

Researchers discovered MessageTap in the network of an unnamed mobile operator earlier this year. How exactly the infection occurred is not specified.

The malware is capable of "setting aside" SMS messages for subsequent theft if the message body contains certain keywords. According to FireEye, these keywords covered various targets of geopolitical interest to Chinese intelligence agencies, including the names of political leaders, military and intelligence organizations, and political movements.

The malware is also interested in messages sent to or from certain numbers, as well as in specific devices, identified by their IMSI. At the time of discovery, it was tracking thousands of phone numbers and IMSIs at the same time.

Experts attribute MessageTap to the relatively "young" Chinese hacker group APT41. Earlier, FireEye experts wrote that this group differs from others in that, in addition to political espionage, it also carries out operations with clear financial motives (probably conducted by members of the group for personal gain).

Analysts write that in the network of the compromised mobile operator, the attackers also interacted with the call detail record database (CDR: telecom equipment operation logs containing detailed information about calls). The hackers requested CDRs corresponding to foreign dignitaries of interest to Chinese intelligence agencies.

Although FireEye did not disclose the name of the affected company, Reuters reports that MessageTap's activity is linked to efforts by the Chinese authorities to track the Muslim Uyghur minority, who live primarily in Xinjiang province.