Chinese Hackers Target Telcos. Smart. [Encryption Digest 18]

November 7, 2019 | Katrina Dobieski

It seems the noose is tightening.

As we near the end of an unregulated era of the internet and a freewheeling commons of communications, everyone is fighting for the last fistfuls of sand. Facebook is pushing for wins in end-to-end encrypted (E2EE) calls and video, in addition to encrypting its messages.

North Korea unleashes yet another Lazarus attack, this time sneakier than ever to siphon what information roams free on the internet, and China isn’t taking chances. A state-sponsored attack group seems to have been targeting Telcos for some time now, because, well, they’re still unencrypted. How long will the data-grab last, and who will put the final nail in the coffin? It looks like we’re closer to finding out, this week in the Encryption Digest.


Facebook Makes a Break to Encrypt It All

Run, Forrest.

Remember when Facebook was fighting to encrypt Messenger? Governments countered with “Please, don’t do that.” Facebook countered with “Maybe we’ll encrypt call and video, too.”

In an effort to boost civil liberties, Facebook ramps up encryption efforts on its popular Messenger, testing the idea of secret calls and video chats, along with the previously slated message encryption.

Encrypting some conversations has been possible since 2016 through the opt-in Secret Conversations feature. The recent fight was over making such end-to-end encryption the standard rather than an opt-in.

Facing backlash from the Five Eyes alliance, a loosely bound cohort of five western nations (Canada, Australia, New Zealand, the US, the UK), the social media magnate apparently took the heat and swallowed it. Formally petitioning Facebook to abandon its designs and "[not] preclude any form of access to content...for preventing or investigating the most serious crimes", the Five Eyes alliance favored protection over privacy, and called on the Silicon Valley giant to stand down.

What emerged was not backstepping, but an even more steeled resolve to “build a simpler platform that's focused on privacy first.” In a Magna Carta-esque statement of intent, Zuckerberg announced this past March that the company would seek to encrypt basic messaging, following the WhatsApp archetype, and expand E2EE across “calls, video chats, groups, stories, businesses, payments, commerce, and ultimately ... many other kinds of private services.”

Said Zuck, "We think it is the right thing to protect people's privacy more, so we will go defend that when the time is right."

In a world where all communication could become end-to-end encrypted, it will be up to the third party that hacks the best to obtain the information inside. After the 2015 terrorist-linked San Bernardino shootings, the FBI paid a capable mind over a million dollars to crack the suspect iPhone. Interested entities can always get in. In a fully E2EE frontier, the question just evolves from “Who wants it?” to “Who wants it more?”.


Beware of Hoplight [Again]: Latest North Korean Malware

BTS isn’t the only Korean-bred phenomenon sweeping the web.

Hidden Cobra strikes again.

The catch-all moniker refers to a network of bad actors, also known as Lazarus, affiliated with hacking schemes and the North Korean government. While the specific attackers are still at large, the specifics of the latest attack aren’t.

An investigation from the Department of Homeland Security reveals the following about Hoplight, the latest strain of North Korean malware to hit Windows systems:

What It Targets

Windows systems, 32-bit and 64-bit versions.

It also focuses on staying hidden on compromised systems: 16 of its 20 executables disguise traffic between the operators and the malware.

How It Works

First, it gets a legitimate public SSL certificate (Dark Web, anyone?) and uses it to fake a TLS handshake, “disguising network connections with remote bad actors.” One file contains the public SSL certificate and the other does not, but instead “attempts outbound connections and drops four files.” What’s in the files? Mostly IP addresses and SSL certificates.

The malware carries four hard-coded IP addresses for its command-and-control servers and performs the TLS handshake with those servers once it has deployed. After that, a homegrown encryption scheme secures communication between the server and the infected device.
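As a defender-side illustration of the "fake TLS" trick described above, here is an added Python example (not code from the DHS report or this blog) that checks whether the bytes following a handshake are actually framed as TLS records and flags connections to addresses that were never resolved through DNS, a hint of hard-coded C2 addresses. The connection records and byte streams are constructed samples, and the heuristic names are assumptions of this example.

```python
from dataclasses import dataclass

# TLS record header: [content type:1][version:2][length:2]; after a genuine
# handshake the types and versions on the wire come from a small fixed set.
RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}          # CCS, alert, handshake, app data
TLS_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}
MAX_RECORD = 16384 + 2048                          # plaintext limit plus expansion

def tls_record_framing_ok(stream: bytes) -> bool:
    """True if `stream` parses cleanly as back-to-back TLS records.

    A faked handshake followed by a homegrown cipher usually abandons this
    framing, which is the tell. An empty stream is vacuously well-formed."""
    off = 0
    while off < len(stream):
        header = stream[off:off + 5]
        if len(header) < 5:
            return False                           # truncated record header
        rtype = header[0]
        version = int.from_bytes(header[1:3], "big")
        length = int.from_bytes(header[3:5], "big")
        if rtype not in RECORD_TYPES or version not in TLS_VERSIONS:
            return False                           # not a TLS record at all
        if length > MAX_RECORD or off + 5 + length > len(stream):
            return False                           # bogus or truncated body
        off += 5 + length
    return True

@dataclass
class Conn:
    dst_ip: str             # destination address (constructed, RFC 5737 ranges)
    resolved_by_dns: bool   # did a DNS answer for dst_ip precede the connection?
    post_handshake: bytes   # bytes captured after the TLS handshake completed

def suspicious_reasons(conn: Conn) -> list[str]:
    """Return the heuristics this connection trips (empty list = looks benign)."""
    reasons = []
    if conn.post_handshake and not tls_record_framing_ok(conn.post_handshake):
        reasons.append("post-handshake bytes are not TLS records (custom cipher?)")
    if not conn.resolved_by_dns:
        reasons.append("destination never resolved via DNS (hard-coded C2 address?)")
    return reasons

# Constructed samples: one genuine application-data record vs. an opaque stream.
BENIGN = Conn("203.0.113.10", True, bytes([0x17, 3, 3, 0, 4]) + b"\xde\xad\xbe\xef")
FAKE_TLS = Conn("198.51.100.7", False, b"\x9a\x7f\x00\x11" * 5)
```

Running `suspicious_reasons` over real captures needs the handshake boundary found first (for example from a sensor's SSL log); neither heuristic alone is proof, but both firing on the same flow is worth a triage ticket.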

What It Can Do

“The malware can read, write, and move files, create and kill processes and services, edit registry settings, and upload and download files to and from a remote server.”

Previous Hidden Cobra attacks include WannaCry and ELECTRICFISH. This is the seventeenth Department of Homeland Security Malware Analysis Report (MAR) on the North Korean hacking group since May of 2017.

Find the full DHS report here.


Chinese Hackers Target Telcos. Smart.

I don’t think “The Art of War” ever mentioned targeting Telcos first, but it seems to be a brilliant strategy.

A data mine of info gold, telecommunications companies—with their seductive swaths of SMS logs, personal information and call metadata—are becoming an opportunistic first line of attack. As the arms race for data marches forward, the networks that carry still unencrypted data are the easiest hill to take.

According to Jim Baker, former general counsel to the FBI, "it is time for governmental authorities—including law enforcement—to embrace encryption because it is one of the few mechanisms that the United States … can use to more effectively protect themselves from existential cybersecurity threats.” Like this one.

Let’s Back Up

  • State-sponsored Chinese hacking group APT10 took down 10 Telcos, as reported last June.
  • APT41, of similar origins, “brute forces” victim industries for specific information, targeting Telcos like big game.

So, it appears state-sponsored Chinese hackers are favoring traditional communication infrastructure.

Which brings us to our current issue

APT41 targets SMS servers with the [aptly named] MESSAGETAP. The malware takes full advantage of one of the last, best fronts of scores of unencrypted data. Not everyone’s (not anyone’s?) texts are E2EE safe. Not everyone uses an encrypted messaging platform (yet). The genius is simple, and scathing.

News breaker FireEye reports that Telcos “occupy critical information junctures in which data from multitudes of sources converge into single or concentrated nodes.” Access into such a juncture “enables the Chinese intelligence services … to obtain sensitive data”.

It would take months, if not years, for a cultural shift from your cell provider’s data plan (“call, text and web...”) to a platform like Signal or WhatsApp. Like all social aggregators, they are only as good as the whole, and adoption may be a long time coming. In the meantime, all the data just sits there like a row of sitting ducks.
