Iranian hackers have breached the instant messaging service Telegram, revealing details of 15 million users and identifying the telephone numbers of 15 million Iranian users, the largest known hack of the encrypted communications system.
The hack, which took place this year and has not been reported previously, threatened the communications of activists, journalists and others in sensitive positions in Iran. Telegram is used by about 20 million people there, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying groups of Iranian hackers for three years.
Telegram is promoted as an ultra-secure instant messaging system because all data is encrypted from sender to recipient, known in the industry as end-to-end encryption. Some other messaging services, including WhatsApp from Facebook Inc, say they have similar capabilities.
Headquartered in Berlin, Telegram says it has 100 million active subscribers and is widely used in the Middle East, including by the Islamic militant group, as well as in Central and South-East Asia and Latin America.
Telegram’s vulnerability, according to Anderson and Guarnieri, lies in its use of SMS text messages to activate new devices. When users want to connect to Telegram from a new phone, the company sends authorization codes via SMS, which can be intercepted by the telephone company and shared with hackers, the researchers said.
Armed with the codes, hackers can add new devices to a person’s Telegram account, allowing them to read chat discussions as well as new messages.
“We have more than a dozen cases where Telegram accounts have been compromised, in ways that sound like coordination with the mobile phone company,” Anderson said in an interview.
Telegram’s reliance on SMS verification exposed the details of millions of users.
A Telegram spokesman said customers could defend themselves against such attacks by not relying solely on SMS verification. Telegram allows – although does not require – customers to create passwords, which can be reset through so-called “recovery” emails.
“If you have a strong Telegram password and your recovery email is safe, there is nothing an attacker can do,” said Markus Ra, the spokesman.
Iranian officials were not available to comment. Iran has in the past denied government ties to hacking.
Rocket Kitten – The Group Behind the Hack
The researchers said the Telegram hackers belonged to a group known as Rocket Kitten, which used Persian-language references in its code and carried out “a common pattern of spearphishing campaigns that reflected the interests and activities of the Iranian security apparatus.”
Anderson and Guarnieri declined to comment on whether the hackers were employed by the Iranian government. Other cyber experts have said that the Rocket Kitten attacks were similar to those attributed to Iran’s powerful Revolutionary Guards.
The investigators said Telegram’s victims included political activists involved in reformist movements and opposition organizations. They declined to name the targets, citing concerns about their safety.
“We see cases where people … are attacked before their arrest,” Anderson said. “We see a continuous alignment through these actions.”
The researchers said they also found evidence that the hackers took advantage of a Telegram programming interface to identify at least 15 million Iranian telephone numbers with Telegram accounts registered to them, as well as the associated user identifiers. This crucial data can be used for future attacks.
“A demonization and systematic classification of people using encryption tools (of some sort, at least) for an entire nation” has never been exposed before, Guarnieri said.
Ra said that Telegram has blocked similar “mapping” attempts in the past and was trying to improve its detection and blocking strategies.
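One way a service could spot the kind of bulk phone-number “mapping” described above, as an added example that is not Telegram’s own code: it scores each client’s contact-lookup requests by volume per hour and by how many submitted numbers form consecutive runs. The log format, thresholds, client names and phone numbers are constructed assumptions.

```python
"""Detect bulk phone-number mapping against a contact-lookup style API.

Added example, not Telegram's code. Log records, thresholds and client
identifiers are constructed; each record is one contact-import request.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed thresholds (assumptions, not any real service's limits).
WINDOW = timedelta(hours=1)
MAX_NUMBERS_PER_WINDOW = 500   # distinct numbers one client may look up per hour
MAX_SEQUENTIAL_RATIO = 0.5     # share of numbers that directly follow another one


def sequential_ratio(numbers):
    """Fraction of submitted numbers whose immediate predecessor was also submitted.

    A real contact list has almost no consecutive numbers; walking a numbering
    block (e.g. +98912123xxxx) has nearly all of them consecutive.
    """
    digits = {int(n.lstrip("+")) for n in numbers}
    if not digits:
        return 0.0
    return sum(1 for d in digits if d - 1 in digits) / len(digits)


def detect_mapping(log):
    """Return {client_id: [reasons]} for clients whose lookups look like enumeration."""
    per_client = defaultdict(list)
    for client, ts, numbers in log:
        per_client[client].append((datetime.fromisoformat(ts), numbers))
    flagged = {}
    for client, requests in per_client.items():
        requests.sort(key=lambda r: r[0])
        reasons = []
        peak = 0  # most distinct numbers submitted inside any single WINDOW
        for i, (start, _) in enumerate(requests):
            seen = set()
            for ts, batch in requests[i:]:
                if ts - start > WINDOW:
                    break
                seen.update(batch)
            peak = max(peak, len(seen))
        if peak > MAX_NUMBERS_PER_WINDOW:
            reasons.append(f"{peak} distinct numbers within {WINDOW}")
        ratio = sequential_ratio([n for _, batch in requests for n in batch])
        if ratio > MAX_SEQUENTIAL_RATIO:
            reasons.append(f"{ratio:.0%} of numbers form consecutive runs")
        if reasons:
            flagged[client] = reasons
    return flagged


def build_sample_log():
    """Constructed sample: one ordinary user and one client sweeping a number block."""
    normal = ("user-a", "2016-03-01T10:00:00",
              [f"+98912{k:07d}" for k in (4410021, 7730956, 1059317, 9928840)])
    sweep = [("client-z", f"2016-03-01T11:{m:02d}:00",
              [f"+98912{k:07d}" for k in range(1230000 + m * 100, 1230100 + m * 100)])
             for m in range(10)]
    return [normal] + sweep
```

Running `detect_mapping(build_sample_log())` flags only `client-z`, which submits 1,000 consecutive numbers in ten minutes, while the four unrelated numbers from `user-a` pass both checks.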
Cyber experts say that Iranian hackers have become increasingly sophisticated, adapting to changing social media habits. Rocket Kitten’s targets have included members of the Saudi royal family, Israeli nuclear scientists, NATO officials and Iranian dissidents, US-Israeli security firm Check Point reported last November.
Telegram is Popular in the Middle East
Telegram was founded in 2013 by Pavel Durov, known for starting VKontakte, the Russian version of Facebook, before fleeing the country under government pressure.
While Facebook and Twitter are banned in Iran, Telegram is widely used by groups across the political spectrum. These groups shared content in Telegram “channels” and urged followers to vote before Iran’s parliamentary elections in February 2016.
Last October, Durov wrote in a Twitter post that Iranian authorities had demanded that the company provide them with “tools of espionage and censorship.” He said that Telegram ignored the request and was blocked for two hours on October 20, 2015.
Anderson and Guarnieri will present their findings at the Black Hat security conference in Las Vegas on Thursday. Their full research is scheduled to be published by the Carnegie Endowment for International Peace, a Washington-based think tank, later this year.