If you take any interest in the nation-state cyberattacks that have picked up apace in recent months, then you’ll be no stranger to China’s attacks on international telecoms networks. As data sources go, telcos are an intel goldmine—personally identifiable information, call metadata, unstructured patterns to mine. Now the country’s state-sponsored hackers have demonstrated just how insecure the open SMS technology built into those telco infrastructures has become. Put simply, if you haven’t already shifted to an encrypted platform, now is the time to do so. Such is the vulnerability of SMS messaging that attackers can monitor for keywords en masse within the network itself. And, as ever, if one attack has shown the way, others will be sure to follow.
I previously reported on research claiming that APT10, one of China’s state-sponsored hacking groups, had compromised the systems of at least ten cellular carriers, targeting specific individuals. Now, a new report from FireEye has outed another campaign along similar lines. Meet APT41—I last reported on this group of “prolific” hackers back in August, when they were exposed, again by FireEye, for “brute force” campaigns against selected industries to collect large volumes of data, from which specific entries could be mined. In that campaign, telcos were front and centre. As one of FireEye’s analysts told me at the time, APT41 was likely targeting “a specific set of individuals, but it’s also interesting for telcos more generally, the role they play, being a first target within new regions that APT41 is moving into.”
And so to this latest research. FireEye has reported that APT41 has been infecting Short Message Service Centre (SMSC) servers within cellular carriers with a malware tool dubbed MESSAGETAP. Those SMSC servers route messages from sender to receiver; they also store the message content itself, enabling it to be forwarded when a recipient connects to a cellular network. Successfully attacking this architecture gives open access to the core SMS traffic and content across the entire network.
Unlike its last reported attack, APT41’s MESSAGETAP tool is not designed to drive brute force attacks. It’s much smarter than that, designed with the avoidance of detection in mind. The tool is programmed to look for a set of keywords. FireEye explains these keywords are of geopolitical interest to Beijing—the team hasn’t shared the details, but you can assume it’s the names of high-profile dissidents and groups, events, locations, companies, agencies. When a keyword is detected, the tool checks to see if the sender or receiver is on its target list (using phone and IMSI numbers). This approach, says FireEye, “shows the highly targeted nature of this cyber intrusion. If an SMS message contained either a phone number or an IMSI number that matched the predefined list, it was saved to a CSV file for later theft by the threat actor.”
The same targeted approach, FireEye says, was used to exfiltrate call detail records relating to the same targeted individuals. Unlike its ability to tap into SMS content, the technology did not provide any method by which calls could be eavesdropped. But call metadata itself is invaluable to intelligence agencies—analysts mine patterns and connections: who called whom, when, for how long, from where, how often. Networks can be mapped and inferences made without tapping into a single item of content.
As FireEye points out in its report, this campaign is indicative of the mass collection approach being taken by China, where data is collected to be mined for value. Because this latest malware is targeted, it will have significantly reduced the volume of data needing to be exfiltrated—avoiding one telltale sign of an attack, discoverable through network traffic monitoring. Telcos, says FireEye, “occupy critical information junctures in which data from multitudes of sources converge into single or concentrated nodes. Strategic access into these organizations… enables the Chinese intelligence services an ability to obtain sensitive data at scale for a wide range of priority intelligence requirements.” FireEye reports that it has observed four targeted telcos this year, with another four targeted by other Chinese threat actors.
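To make the two points above concrete, here is a small added simulation (not MESSAGETAP and not FireEye’s code) of the selection logic the report describes: keyword match first, then a phone/IMSI target-list check. The records, keywords and target numbers are all constructed for the example. It shows why the in-network position matters for defenders: every message body is visible in plaintext to whatever sits on the SMSC, and because only a small fraction of traffic is ever selected, the volume leaving the network is too small for traffic-volume monitoring to flag.

```python
"""Simulation of keyword-then-target-list selection over plaintext SMS.

Added illustration only; not MESSAGETAP and not FireEye's tooling.
All sample records, keywords and target identifiers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Set


@dataclass(frozen=True)
class SmsRecord:
    """One message as an SMSC would see it: routing identifiers plus plaintext body."""
    sender: str        # MSISDN (phone number) of the sender
    recipient: str     # MSISDN of the recipient
    sender_imsi: str   # IMSI of the sending subscriber
    text: str          # message body, visible in the clear on the SMSC


# Constructed keyword list and target list (phone numbers and IMSIs mixed,
# as the report says both kinds of identifier were matched).
KEYWORDS: Sequence[str] = ("protest", "rally")
TARGETS: Set[str] = {"+10000000002", "310150000000002"}


def is_selected(rec: SmsRecord, keywords: Sequence[str], targets: Set[str]) -> bool:
    """Two-stage filter as described in the report.

    Stage 1: the body must contain at least one keyword (case-insensitive).
    Stage 2: sender or recipient must be on the target list by phone
             number, or the sender by IMSI. Only records passing both
             stages are retained.
    """
    body = rec.text.lower()
    if not any(k in body for k in keywords):
        return False
    return (
        rec.sender in targets
        or rec.recipient in targets
        or rec.sender_imsi in targets
    )


def select(records: Iterable[SmsRecord],
           keywords: Sequence[str] = KEYWORDS,
           targets: Set[str] = TARGETS) -> List[SmsRecord]:
    """Return only the records that pass both filter stages."""
    return [r for r in records if is_selected(r, keywords, targets)]


def selection_stats(records: Sequence[SmsRecord],
                    keywords: Sequence[str] = KEYWORDS,
                    targets: Set[str] = TARGETS) -> Dict[str, int]:
    """Count how much traffic survives each stage.

    'keyword_hits' is what a naive keyword sniffer would retain;
    'selected' is what the targeted two-stage filter retains.
    """
    keyword_hits = sum(
        1 for r in records if any(k in r.text.lower() for k in keywords)
    )
    return {
        "total": len(records),
        "keyword_hits": keyword_hits,
        "selected": len(select(records, keywords, targets)),
    }


# Constructed sample traffic: six messages through one SMSC.
SAMPLE: List[SmsRecord] = [
    SmsRecord("+10000000001", "+10000000009", "310150000000001", "running late, order pizza"),
    SmsRecord("+10000000002", "+10000000005", "310150000000002", "the protest starts at noon near the square"),
    SmsRecord("+10000000007", "+10000000008", "310150000000007", "see you at the rally tonight"),
    SmsRecord("+10000000003", "+10000000002", "310150000000003", "your verification code is 482913"),
    SmsRecord("+10000000004", "+10000000006", "310150000000004", "happy birthday!"),
    SmsRecord("+10000000005", "+10000000002", "310150000000005", "rally moved to the north gate"),
]


if __name__ == "__main__":
    stats = selection_stats(SAMPLE)
    print(stats)
    for rec in select(SAMPLE):
        print(f"retained: {rec.sender} -> {rec.recipient}: {rec.text!r}")
```

Two things worth noticing when you run it. The one-time code in record four is never retained, because the keyword stage gates everything even when a target is involved; the filter is optimising for intelligence value, not for scooping up credentials. And the retained set is two of six records, so an exfiltration channel carrying only those would look like background noise to volume-based monitoring, which is why host-level visibility on SMSC servers matters more here than perimeter byte counts. The whole scheme also depends on the body being plaintext: stage one has nothing to match against an end-to-end encrypted payload.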
And so to the crux. Quite why anyone would still send important or private information by SMS is unknown. Most sensitive messaging traffic has now moved to so-called “over the top” encrypted platforms—WhatsApp, iMessage (although this risks a failover to SMS if not set up right), Signal, Wickr, Telegram. And while governments complain that the encrypted platforms prevent their agencies from tapping into messages, you can be sure it’s these platforms they use themselves.
FireEye warns that “users and organizations must consider the risk of unencrypted data being intercepted several layers upstream in their cellular communication chain.” And while the report’s advice is aimed at “dissidents, journalists and officials that handle highly sensitive information,” the warning should be heeded more widely. To be explicit: don’t send SMS messages for anything sensitive—financial data, credentials, private information—or for anything at all if you can avoid it. Most people reading this will consider themselves unlikely targets, but why stick with an insecure platform if you don’t have to? The alternatives are simply too easy to use.
Clearly, a glance at recent headlines will tell you that even encrypted platforms can be hacked—Facebook is currently suing the Israeli intercept company NSO for allegedly hacking WhatsApp. But the complexity of attacking an end-to-end platform is significant. It requires an endpoint compromise. It can be defended against. There is simply no equivalent of planting malware at the centre of the network and pulling content without any user being able to detect or protect against the compromise.
The sad truth is that SMS messaging is now an antiquated technology—it is akin to sending letters in unsealed envelopes and hoping no-one within the mail service will bother to look inside. We have already seen a backlash against the use of SMS messaging for multi-factor authentication. And now China has sent a further warning that it’s time to fully shift our traffic to end-to-end encrypted alternatives.