Chinese Hackers, Stealing Text Messages From Telecom Network Operators

One of China’s state hacking groups has developed a custom piece of Linux virus that can steal SMS from a mobile operator’s network. The virus is meant to be installed on Short Message Service Center (SMSC) servers the servers included inside a mobile operator’s network that handles SMS communications.

US cyber-security firm FireEye said it spotted this virus on the network of a mobile operator. To takeout the SMS content, the virus collects targeted numbers of individuals, the mobile subscriber identity numbers, and data from call detail record (CDR) databases.


FireEye analysts said hackers break a yet-to-be-named telco and planted the virus– named MessageTap — on the company’s SMSC servers, where it would inhale incoming SMS messages, and apply a different filter.

Firstly, MessageTap would set SMS aside to be stolen at a later point if the SMS body contained special keywords.

“The numbers of keyword list contained items of geopolitical interest for Chinese intelligence collection,” FireEye said. “Sanitized examples include the names of political leaders, military and intelligence organizations and political movements at odds with the Chinese government.”

Secondly, MessageTap would also set SMS aside if they were sent from particular phone numbers, or from or to a device with a particular IMSI unique identifier. FireEye said the virus tracked thousands of device phone numbers and IMSI codes at a time.


In the final scheme of things of Chinese cyber-espionage operations, as a whole. For the past years, Chinese hacking groups have been known for their smash-and-grab approach, where they hacked a certain target and stole data as they could. APT41’s modus operandi shows a carefully planned and very targeted view operation aimed at a very small group of targets.

The difference from what Chinese hacking groups have done in the past, but it appears to have become the rule these days if we take into account the CCleaner and ASUS Live Update hacks, where Chinese hackers also break a company just to go after a small subset of its customers.

The overall span is that Chinese hacker groups are getting very good at targeted operations, on balance with what we usually have seen from US or Russian operations.

As stated by the FireEye researchers, this trend will continue and more such campaigns will be discovered soon, and therefore to reduce a degree of risks, targeted organizations should consider deploying a proper communication program that enforces end-to-end encryption.

Since SMS is not designed to be encrypted, neither on transmitting nor on the telecom servers, compromising an SMSC system allows attackers to keep an eye on all network connections to and from the server as well as data within them.

Related Post: UniCredit Bank Discloses A-Data Violation That Impacted 3 Million Of Italian Clients.

Keep following us for more updates #TeamBugNResearch.

Leave a Reply

Your email address will not be published. Required fields are marked *