Beijing-linked group ‘hacks into foreign government text messages’, report claims

New technology allowed the Chinese group - known as APT 41 - to gather information on military developments, intelligence operations and anti-Chinese political movements

A hacking group with links to the Chinese state has intercepted text messages of foreign government and military targets by breaking into telecom companies’ servers, according to FireEye, a cyber security company.

The new technology allowed the Chinese group - known as APT 41 - to gather information on military developments, intelligence operations and anti-Chinese political movements, according to the FireEye report released on Thursday.

The exposure of the attack method comes at a time of heightened anxiety about China’s use of technology for espionage. The US has raised concerns about the vulnerability of telecoms systems and has sought to persuade allies to avoid allowing Chinese companies such as Huawei into new 5G networks.

APT 41 began operating seven years ago and undertakes state-sponsored cyber espionage as well as financially motivated hacking missions. However, the mass theft of data belonging to multiple individuals from one location marks a significant shift in its capabilities, FireEye said.


Starting earlier this summer, the group used a new tool nicknamed “Messagetap” to access telecoms servers and to search for text-message content against a list of targets’ mobile phone numbers and key words of interest. “This allowed the hackers to gain a wide range of information on a wide range of targets at scale,” said Steven Stone, FireEye’s director of advanced practices. “This is much more akin to classic cold war espionage operations than a traditional hacking intrusion.”

The group was also able to steal metadata on the timing and duration of calls from target numbers to other individuals. FireEye said there were “virtually no actions” that any customers could take to protect messages on their devices or even find out that their messages and call data had been compromised.

Mr Stone would not disclose which companies or countries had been hacked, but confirmed that the Chinese group had intercepted text messages belonging to “thousands” of telecoms customers in an attempt to secure intelligence. He added that, while multiple companies had been attacked using Messagetap, he only had information about attacks on FireEye clients.

“There is no reason why [APT 41] shouldn’t be doing this at a range of telecoms companies we are not aware of,” he said.


Elisabeth Braw, head of the modern deterrence project at the London-based Royal United Services Institute, said the techniques marked a significant shift in Chinese espionage capability.

“China is targeting specific individuals,” she said. “This is not just blunt force, but they have a very good idea of who they are looking for, which is completely different to the forms of aggression we have seen in the past. And what’s worrying is that this is happening far beneath the radar.”

She said the interception of telecoms servers proved that everyone, “including national decision makers”, is vulnerable to being hacked whether or not Chinese companies such as Huawei are involved in the network. Huawei has always strenuously denied that its equipment has been used for espionage.

FireEye advised potential victims such as political dissidents, journalists and security officials to protect themselves by avoiding text messages and using messaging services with end-to-end encryption systems - such as WhatsApp and Signal.

The National Cyber Security Centre, a branch of GCHQ, said it had no evidence of Messagetap impacting UK telecoms networks.

- Copyright The Financial Times Limited 2019