FireEye experts discovered the Messagetap malware, created by Chinese government hackers. The malware is designed for Linux machines and was created to be hosted on SMSC (Short Message Service Center) servers, which are responsible for the operation of the short message service in the networks of telecom operators. The malware helps to “listen” to SMS messages by applying a set of specific filters to them.
Researchers discovered Messagetap on an unnamed mobile carrier’s network earlier this year. How exactly the infection occurred is not specified.
The malware is able to “delay” SMS messages for subsequent theft if the message body contains certain keywords. According to FireEye, these keywords included various subjects of geopolitical interest to Chinese special services, including the names of political leaders, the names of military and intelligence organizations, as well as political movements.
The malware is also interested in messages sent to or from certain numbers, as well as specific devices, based on their IMSI. At the time of discovery, it tracked thousands of phone numbers and IMSIs at the same time.
Specialists associate Messagetap with the relatively "young" Chinese hacker group APT41. Earlier, FireEye experts wrote that this group is different from others, since in addition to political espionage, it also practices operations that have clear financial motives (they are probably carried out by members of the group for personal purposes).
Analysts write that in the network of the compromised mobile operator, the attackers also interacted with the call detail record database (CDR, logs of the operation of telecommunication equipment, including detailed information about calls). Hackers requested CDRs matching foreign dignitaries of interest to Chinese intelligence.
Although FireEye experts did not disclose the name of the affected company, Reuters reporters write that Messagetap’s activity is linked to the efforts of the Chinese authorities to track the Uighurs, a Muslim minority living mainly in Xinjiang.