Most of the attacks on Telecom Sector in 2019 were carried out by China-linked hackers

Pierluigi Paganini March 05, 2020

China-linked cyber espionage groups increasingly targeted organizations in the telecommunications industry in 2019.

According to the CrowdStrike 2020 Global Threat Report, the telecommunications and government sectors were the most targeted by the threat actors.

Experts monitored operations carried out by nation-state actors and financially-motivated attackers.

Most of the attacks against organizations in the telecom sector were attributed to China-linked hacker groups, such as Wicked Panda (aka APT41), Emissary Panda (aka APT27, Bronze Union, Lucky Mouse, and TG-3390), and Lotus Panda (aka Thrip). Chinese hackers also targeted several organizations in the healthcare sector, government and defense sectors of countries in Asia.

The experts also observed some attacks that were likely conducted by China-linked APT groups, but that was not possible to link to specific groups.

“Analysis in 2019 revealed a focus by Chinese adversaries on the telecommunications sector, which could support both signals intelligence and further upstream targeting. Content related to defense, military and government organizations remains a popular lure for targeted intrusion campaigns.” reads the report published by CrowdStrike.

Telecommunications organizations are a privileged target of China-linked hackers that focus on cyber espionage campaigns and aims at launching attacks against other organizations.

In the sector highlight included in the report, experts mention a strain of malware tracked as MESSAGETAP that was employed by Wicked Panda in its operations.

The MESSAGETAP spyware was reportedly used by WICKED PANDA to monitor short message service (SMS) traffic from telecom networks. MESSAGETAP is able to collect and store SMS data based on selection criteria, including phone numbers, international mobile subscriber identity (IMSI) numbers and keywords.

“The ability to collect data based on specific phone numbers and IMSI numbers indicates that the adversary predetermined which individuals to target for collection, possibly identifying phone numbers in previous reconnaissance or collection activities.” reads the report.

In October 2019, researchers at FireEye discovered a new backdoor tracked as MessageTap that China-linked APT41 group are using to spy on text messages sent or received by highly targeted individuals

FireEye experts found the MessageTap backdoor installed on a Linux-based Short Message Service Center (SMSC) server belonging to an unnamed telecommunications company. A Short Message Service Center (SMSC) is a network element in the mobile telephone network.

“Incidents from 2019 include multiple compromises of telecom companies in Asia, showing a continued interest in regional neighbors. While these incidents may also support traditional or economic espionage goals, open-source reporting from September 2019 claimed that some targeted intrusions against telecoms were used by China to track Uyghurs in Central and Southeast Asia.” continues the report. “This activity reportedly targeted telecom operators in Turkey, Kazakhstan, India, Thailand and Malaysia — mirroring the observed target scope for Chinese adversaries.”

Experts pointed out that while criminals are relatively predictable in their tendency, the activities of nation-state actors are difficult to track due to their sophistication.

Additional data are included in the report, it analyzes both cybercrime trends and nation-state hacking operations and provided interesting info on other groups of attackers and their TTPs.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, China)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment