An elite Chinese hacking group which broke into telecommunications companies was able to access the entire network’s text messages and search them for intelligence material, according to a new report.
The state-sponsored campaign involved the hackers, known as APT41, deploying malware on companies’ SMS servers which handle text messages.
This malware scanned through the servers searching for messages connected to specific phone numbers and IMSI (international mobile subscriber identity) numbers, the identifier burned into a SIM that uniquely identifies a subscriber on the network.
According to the cyber security firm FireEye which uncovered the campaign, the targeted phone numbers and IMSI numbers belonged to foreign high-ranking individuals of interest to the Chinese government.
When the malware detected a message to or from one of these targets it then saved a secret copy of the message on the network’s systems which the hackers would later steal.
The malware also contained a keywords list covering issues of geopolitical interest for Chinese intelligence collection, including the names of political leaders, military and intelligence organisations and political movements at odds with Beijing.
The UK’s National Cyber Security Centre has found no evidence that British networks are affected.
Speaking to Sky News, FireEye’s Steven Stone – who formerly worked in counter-intelligence for the US government – said: “The fact you’ve got phone numbers and IMSI numbers shows real interest and effort in targeting individuals.
“We have no idea how they got that information, that isn’t something we have visibility over, but it does imply that it’s pretty unlikely an individual hacker compiled these lists.
“This was the result of sustained work. It implies a larger support structure behind this operation,” stated Mr Stone.
It was significant that the hackers were “able to gather and cut and paste information out of SMS text messages at the telco level” according to FireEye.
This meant that the actual individual victim was entirely unaware that the theft was happening and had no ability to stop it. “Your cell phone isn’t compromised, this is all happening upstream,” explained Mr Stone.
FireEye stated that it believed this trend would continue in the future, and said: “Accordingly, both users and organisations must consider the risk of unencrypted data being intercepted several layers upstream in their cellular communication chain.
“This is especially critical for highly targeted individuals such as dissidents, journalists and officials that handle highly sensitive information.”
In addition to the SMS theft, the hackers were also spotted interacting with call detail record (CDR) databases to track specific individuals during the same intrusion.
“Targeting CDR information provides a high-level overview of phone calls between individuals, including time, duration, and phone numbers,” explained FireEye, in contrast to the theft of the contents of specific text messages.
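To make the two collection techniques in the report concrete (selector-based SMS interception on the carrier's SMS server, and contact mapping from call detail records), the following is an added illustrative model written for this page. It is not code from FireEye's report or from the malware it describes, and every record, phone number, IMSI and keyword in it is constructed for the example. It shows what a server-side filter keyed on target numbers, target IMSIs and a keyword list would capture from a batch of messages, and it shows the one case the report's advice turns on: a message whose body is opaque to the server still matches on number or IMSI, but no longer matches on keywords.

```python
"""Illustrative model of selector-based SMS interception at a telco SMS
server plus a CDR contact lookup. Added example, not code from the report
or from the malware it describes; all data below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Sms:
    ts: str
    sender: str
    sender_imsi: str
    recipient: str
    recipient_imsi: str
    body: str  # whatever the SMS server can read: plaintext, or an opaque blob


@dataclass
class Selectors:
    numbers: set[str]   # target phone numbers (hypothetical)
    imsis: set[str]     # target IMSIs (hypothetical)
    keywords: list[str]  # content selectors (hypothetical)


@dataclass
class Cdr:
    ts: str
    caller: str
    callee: str
    seconds: int


def match_sms(msg: Sms, sel: Selectors) -> list[str]:
    """Return the selectors a message trips: 'number', 'imsi', 'keyword:<k,..>'."""
    reasons = []
    if {msg.sender, msg.recipient} & sel.numbers:
        reasons.append("number")
    if {msg.sender_imsi, msg.recipient_imsi} & sel.imsis:
        reasons.append("imsi")
    body = msg.body.lower()
    # Whole-word, case-insensitive keyword hits; only possible on readable text.
    hits = [k for k in sel.keywords
            if re.search(r"\b" + re.escape(k.lower()) + r"\b", body)]
    if hits:
        reasons.append("keyword:" + ",".join(hits))
    return reasons


def select_sms(messages: list[Sms], sel: Selectors) -> list[tuple[Sms, list[str]]]:
    """The subset an upstream filter would copy aside, with the reason for each."""
    return [(m, r) for m in messages if (r := match_sms(m, sel))]


def cdr_contacts(cdrs: list[Cdr], number: str) -> dict[str, tuple[int, int]]:
    """Contact graph for one number from CDRs: peer -> (calls, total seconds).
    No content is needed; time, duration and numbers are enough."""
    out: dict[str, tuple[int, int]] = {}
    for c in cdrs:
        if number not in (c.caller, c.callee):
            continue
        peer = c.callee if c.caller == number else c.caller
        n, s = out.get(peer, (0, 0))
        out[peer] = (n + 1, s + c.seconds)
    return out


# Constructed sample data. +15550100 / IMSI 310150123456789 is the "target".
SELECTORS = Selectors(numbers={"+15550100"}, imsis={"310150123456789"},
                      keywords=["embassy", "delegation"])

MESSAGES = [
    # Target's own message: matches on number and IMSI regardless of content.
    Sms("2019-10-01T08:00", "+15550100", "310150123456789",
        "+15550199", "310150999999999", "Landing at 9, meet at the hotel."),
    # Unrelated parties, but the body trips the keyword list.
    Sms("2019-10-01T08:05", "+15550198", "310150888888888",
        "+15550197", "310150777777777", "Embassy briefing moved to Thursday."),
    # Unrelated parties, benign content: passes through untouched.
    Sms("2019-10-01T08:10", "+15550196", "310150666666666",
        "+15550195", "310150555555555", "Dinner tonight?"),
    # Unrelated parties whose body is opaque to the server (constructed blob);
    # had it been plaintext mentioning an embassy it would have been captured.
    Sms("2019-10-01T08:15", "+15550194", "310150444444444",
        "+15550193", "310150333333333", "U2FsdGVkX1+9QmFzZTY0IGJsb2I="),
]

CDRS = [
    Cdr("2019-10-01T09:15", "+15550100", "+15550199", 420),
    Cdr("2019-10-01T11:40", "+15550199", "+15550100", 60),
    Cdr("2019-10-02T09:00", "+15550100", "+15550198", 900),
    Cdr("2019-10-02T10:00", "+15550197", "+15550196", 30),
]

if __name__ == "__main__":
    for msg, why in select_sms(MESSAGES, SELECTORS):
        print(f"captured {msg.ts} {msg.sender}->{msg.recipient}: {why}")
    print("contacts of +15550100:", cdr_contacts(CDRS, "+15550100"))
```

Run as-is, the filter copies the first two messages (one by number and IMSI, one by keyword) and leaves the other two alone, while the CDR lookup still reconstructs who the target spoke to, how often and for how long without reading a single message body. That split is why the report's advice separates the two risks: encrypting content blunts the keyword selector, but nothing a handset does hides its number or IMSI from the carrier's own records.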
It wasn’t just telecommunications companies which were targeted, but also travel firms and healthcare organisations.
“They weren’t trying to steal intellectual property or make money, they were targeting individuals,” said Mr Stone, adding: “It shows just how important targeting individuals is to this group, and by extension, the Chinese government.”