Chinese Hackers Infected Networks to Steal SMS Texts

Dominique Adams


Malware linked to Chinese hackers has been found infecting carriers to steal SMS messages. 

A state-sponsored group of Chinese hackers, known as APT 41, has reportedly breached telecommunications companies using malware to access the networks’ text messages, according to cybersecurity firm FireEye.

The malware strain, known as MESSAGETAP, is designed to infect Linux-based servers used by telecommunication carriers to route SMS messages. Once it had infected the server, it allowed the hackers to filter SMS messages by targets’ phone numbers, IMSI (international mobile subscriber identity) numbers and intelligence keywords.

“The keyword list contained items of geopolitical interest for Chinese intelligence collection,” FireEye researchers said in the report. “Sanitised examples include the names of political leaders, military and intelligence organisations and political movements at odds with the Chinese government.”

When the malware detected a message to or from one of its targets, it saved a secret copy of the message in a .CSV file on the network’s systems, which the hackers would later steal.

According to FireEye, which uncovered the campaign, the targeted phone numbers and IMSI numbers belong to high-ranking foreign individuals of interest to the Chinese government. The company said that thousands of phone numbers were targeted during this espionage campaign.

The UK’s National Cyber Security Centre has found no evidence that British networks are affected.


Speaking to Sky News, FireEye’s Steven Stone, a former US government counter-intelligence specialist, said: “The fact you’ve got phone numbers and IMSI numbers shows real interest and effort in targeting individuals.

“We have no idea how they got that information. That isn’t something we have visibility over, but it does imply that it’s pretty unlikely an individual hacker compiled these lists.

“This was the result of sustained work. It implies a larger support structure behind this operation.”

The company said it was significant that hackers were “able to gather and cut paste information out of SMS text messages at the telco level”, because it means the victim was totally unaware the theft was happening and had no way to stop it. “Your cell phone isn’t compromised, this is all happening upstream,” Stone explained.

This type of attack is one we can expect to see in the future, according to FireEye: “Accordingly, both users and organisations must consider the risk of unencrypted data being intercepted several layers upstream in their cellular communication chain.

“This is especially critical for highly targeted individuals such as dissidents, journalists and officials that handle highly sensitive information.”

In the same intrusion, the hackers were also found interacting with call detail record (CDR) databases to track specific individuals.

Stone said: “Targeting CDR information provides a high-level overview of phone calls between individuals, including time, duration and phone numbers.”

Worryingly, the hackers also targeted travel agencies and healthcare organisations. “They weren’t trying to steal intellectual property or make money – they were targeting individuals,” Stone added.

“It shows just how important targeting individuals is to this group, and by extension, the Chinese Government.”

Dominique Adams

Staff Writer, DIGIT
