A Chinese hacking group breached a telecom to monitor targets’ texts, phone metadata

The timing of the attack coincides roughly with the pro-democracy demonstrations in Hong Kong.
Beijing (Getty Images)

Chinese government-linked hackers are monitoring mobile text messages of specific users, and for certain keywords as part of a new surveillance campaign meant to track individuals in a vast trove of telecommunication data, according to findings published Thursday.

APT41, a group that carries out state-sponsored cyber-espionage on Beijing’s behalf, this summer compromised an unnamed telecommunications provider to monitor the messaging activity of high-ranking individuals of interest to the Chinese government, according to FireEye. Chinese hackers primarily have been scanning for military or intelligence keywords, tracking how subjects are reacting to protests, such as those in Hong Kong, and analyzing victims’ opinions of world leaders, Steve Stone, advanced practices director at FireEye, told CyberScoop.

During the same intrusions into the unnamed phone company, APT41 also sought individuals’ records from call detail record (CDR) databases, which provide metadata such as the time the calls were made, the phone numbers involved, and the length of the conversations.

The findings prove that Chinese hackers, while still focusing on international property theft, also prioritize targeted surveillance, researchers said. The timing of the attack roughly coincided with an “indiscriminate” iPhone hack aimed at the Uighur community, a Muslim population under mass surveillance by the Chinese, and growing demonstrations in Hong Kong, where millions of people have rallied against Beijing.


“APT41 is able to do very specific targeting at scale,” said Stone, who previously served as a senior analyst in the Department of Defense. “They’re able to say ‘let’s take potentially thousands of numbers, and look for those and see when those numbers start having these specific kind of keyword conversations and then pull that out.”

FireEye declined to identify the surveillance targets. Stone said only that the hacked telecom was located in a country that is a “strategic competitor” to China.

How Chinese spies are tracking texts

FireEye uncovered the malware, dubbed MESSAGETAP, during an investigation involving a cluster of Linux servers at a telecommunications network provider earlier this year. The affected servers operated as Short Message Service Center servers, which route SMS messages to the intended recipients. APT41 is known to have used spear phishing to infiltrate organizations in the past, though FireEye declined to detail how hackers installed MESSAGETAP in this case.

The malware is loaded via an installation script, and then checks for two files that allow it to save the contents of the text messages.


These files contain the hacker-created lists of desired users, which would identify a subscriber on a cellular network, as well as lists of phone numbers and of keywords. The malware searches the text messages for designated keywords and crosschecks to make sure designated phone numbers or subscriber information also match the APT group’s lists. Then the content and identifying information is saved to a CSV file for the threat actor to presumably access later.

And although it’s unknown exactly what APT41 does with the information afterwards, the other surveillance operation APT41 was running simultaneously on call metadata, may provide clues about how spies would have tailored their requests.

Searches of the CDR databases would have acted in concert with the SMS data collection, “as a complementary data set for targeting individuals,” FireEye said.

The combination of the message tap and these CDR queries is the kind of surveillance operation reminiscent of the U.S. National Security Agency programs detailed by former contractor Edward Snowden in leaks in 2013. In one case, Snowden revealed a secret court order that compelled Verizon to provide the NSA with daily metadata on calls between the U.S. and abroad as well as solely domestic calls to understand connections between targets of interest.

The Chinese hackers are looking for similar content that would be considered threats to Beijing through its MESSAGETAP targeting, Stone said.


The Chinese actors are broadly interested in tracking down political dissidents, Stone added, noting they have been looking for users and topics related to political movements and protests at odds with Chinese Communist Party goals, such as the Uighur or Tibetan populations.

And although FireEye believes the group’s monitoring is likely intended to benefit Chinese government interests, the malware would allow APT41 to target whoever it chooses, says Stone.

“It’s really location agnostic. It’s targeting via telecom. That methodology should work at any telecom in the world,” Stone said. “We don’t expect this to be a regionally focused kind of thing.”

All the hackers would have to do is refresh their keyword and user lists to change their targets, Stone said.

“FireEye suspects other ongoing, yet to be discovered, intrusions occurring in other areas of the world,” he said in a statement.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts