
Telegram massive hack in Iran: what happened?

Hackers accessed Telegram accounts in Iran. A security duo investigated the breach and will present its findings at the Black Hat conference.

The phone numbers of 15 million Iranian Telegram users have been identified and more than a dozen accounts have been taken over; the affected users have reportedly had personal information exposed (phone number, Telegram ID).

The security researchers Collin Anderson and Claudio Guarnieri investigated the case: more than a dozen Telegram accounts were compromised, and 15 million Iranian users' telephone numbers were confirmed as registered on the service.

On Thursday at the Black Hat conference, the duo will present a paper on their analysis.

The hack would have compromised the communications of people in sensitive positions in Iran, including activists and journalists.

“Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system,” Reuters reported.

“The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years.”

According to Reuters, the attackers exploited a weakness in the way Telegram verifies a user's identity with SMS messages. When a user wants to log in to Telegram from a new device, Telegram sends an authorization code via SMS. That SMS passes through the mobile carrier, which can intercept it and hand the code to the attackers; whoever holds the code can activate the account on a device of their choosing.

We saw something similar when we discussed another way to obtain the authorization code, by exploiting SS7 vulnerabilities.

“Telegram’s vulnerability, according to Anderson and Guarnieri, lies in its use of SMS text messages to activate new devices. When users want to log on to Telegram from a new phone, the company sends them authorization codes via SMS, which can be intercepted by the phone company and shared with the hackers, the researchers said,” Reuters wrote.

“We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company,” Anderson told Reuters.

Of course, Telegram promptly denied any serious security issue in its application. The company pointed out that anyone can check whether a given number is registered on Telegram, just as with any similar contact-based messaging service (e.g. WhatsApp, Messenger).

Telegram also added that it introduced limits on its API this year to prevent such mass checks.

The automated API-based checks that were apparently used in this incident “are no longer possible since we introduced some limitations into our API this year.”

Today Telegram acknowledged the incident, explaining that it was the victim of a “massive hacker attack” that originated in Iran.

The messaging app company downplayed the problem, explaining that the hack was not as severe as one might think because only publicly available data was exposed.

“Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed. Such mass checks are no longer possible since we introduced some limitations into our API this year,” Telegram said in an official statement.

“However, since Telegram is based on phone contacts, any party can potentially check whether a phone number is registered in the system. This is also true for any other contact-based messaging app (WhatsApp, Messenger, etc.).”
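The mass check Telegram describes is ordinary contact discovery used in bulk: a contact-based messenger has to answer "is this number registered?" so a client can show which contacts use the service, and the same call issued over a whole number range confirms registration for everyone in it. The following is an added example, not Telegram's code or API, with a constructed toy registry and a hypothetical per-client lookup quota standing in for the unspecified "limitations" Telegram mentions. It shows what such a quota buys against a single client and why it only raises the cost rather than closing the channel.

```python
"""Phone-number enumeration through contact discovery, with and without
a per-client lookup cap. Added example; the API shape, the quota and the
number registry are assumptions, not Telegram's.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample registry (assumption): a few numbers under +98912.
REGISTERED = {"+98912000001", "+98912000004", "+98912000007", "+98912000023"}


class QuotaExceeded(Exception):
    """Raised when a client would exceed its lookup budget."""


@dataclass
class ContactDiscoveryAPI:
    registered: set
    # None means unlimited, i.e. the behaviour before any "limitations".
    max_lookups_per_client: Optional[int] = None
    _used: dict = field(default_factory=dict)

    def check(self, client_id: str, numbers: list) -> dict:
        """Return {number: is_registered} for a batch, charging the client's quota."""
        used = self._used.get(client_id, 0)
        if (self.max_lookups_per_client is not None
                and used + len(numbers) > self.max_lookups_per_client):
            raise QuotaExceeded(
                f"{client_id} would exceed {self.max_lookups_per_client} lookups")
        self._used[client_id] = used + len(numbers)
        return {n: n in self.registered for n in numbers}


def enumerate_range(api: ContactDiscoveryAPI, client_id: str, prefix: str,
                    start: int, stop: int, batch: int = 5) -> list:
    """Sweep prefix + start..stop in batches; stop as soon as the quota runs out."""
    found = []
    for i in range(start, stop, batch):
        nums = [f"{prefix}{n:06d}" for n in range(i, min(i + batch, stop))]
        try:
            result = api.check(client_id, nums)
        except QuotaExceeded:
            break
        found.extend(n for n, ok in result.items() if ok)
    return found


def enumerate_with_many_clients(api: ContactDiscoveryAPI, prefix: str,
                                start: int, stop: int, clients: list,
                                batch: int = 5) -> list:
    """Sybil variant: split the sweep across several client identities so
    that each one stays inside its own quota. Assumes the quota is a
    multiple of the batch size."""
    found = []
    per_client = api.max_lookups_per_client or (stop - start)
    for idx, client_id in enumerate(clients):
        a = start + idx * per_client
        if a >= stop:
            break
        found.extend(enumerate_range(api, client_id, prefix, a,
                                     min(a + per_client, stop), batch))
    return found


if __name__ == "__main__":
    unlimited = ContactDiscoveryAPI(set(REGISTERED))
    print("no limit :", enumerate_range(unlimited, "c1", "+98912", 0, 30))
    capped = ContactDiscoveryAPI(set(REGISTERED), max_lookups_per_client=10)
    print("cap 10   :", enumerate_range(capped, "c1", "+98912", 0, 30))
    capped = ContactDiscoveryAPI(set(REGISTERED), max_lookups_per_client=10)
    print("cap 10, 3 clients:",
          enumerate_with_many_clients(capped, "+98912", 0, 30, ["a", "b", "c"]))
```

The per-client cap stops the single-client sweep after ten numbers, but three client identities recover the full list, which is why Telegram's own statement is careful to say only that mass checks are no longer possible, not that registration status is secret. Per-account registration quotas, proof-of-work or attestation on the client, and alerting on sequential number ranges each raise the cost further; none of them changes the fact that a contact-based messenger must leak one bit per lookup to legitimate clients.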

Who is behind the massive hack?

It has been claimed that the Iranian APT group known as Rocket Kitten was behind the attack.

The Rocket Kitten group is suspected to have been active since 2011, with its activity increasing since 2014. Its targets are mainly based in the Middle East and are typically involved in policy research, diplomacy and international affairs.


Pierluigi Paganini

(Security Affairs – Telegram, Hacking)

UPDATE from Telegram:

Telegram accounts

Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed. Such mass checks are no longer possible since we introduced some limitations into our API this year.

However, since Telegram is based on phone contacts, any party can potentially check whether a phone number is registered in the system. This is also true for any other contact-based messaging app (WhatsApp, Messenger, etc.).

SMS codes

As for the reports that several accounts were accessed earlier this year by intercepting SMS-verification codes, this is hardly a new threat as we’ve been increasingly warning our users in certain countries about it. Last year we introduced 2-Step Verification specifically to defend users in such situations.

If you have reasons to think that your mobile carrier is intercepting your SMS codes, use 2-Step Verification to protect your account with a password. If you do that, there’s nothing an attacker can do.
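The attack path described by Reuters above (a carrier handing the SMS login code to a third party) and the defence Telegram points to in its update (a second-factor password) can both be shown in one small simulation. The following is an added example, not Telegram's code or protocol: it assumes a six-digit single-use SMS code, a server that stores the 2-Step Verification password as a salted PBKDF2 hash (Telegram's real scheme is different), and an attacker modelled as a party to whom a compromised carrier forwards every SMS addressed to the victim. The class and function names are hypothetical.

```python
"""New-device sign-in with an SMS code, with and without a second-factor
password, against a carrier that leaks SMS. Added example; the protocol,
password storage and names are assumptions, not Telegram's.
"""
import hashlib
import hmac
import os
import secrets


class Carrier:
    """Delivers SMS to subscribers; a compromised carrier keeps a copy for the attacker."""

    def __init__(self, compromised: bool = False):
        self.compromised = compromised
        self.inbox = {}    # phone -> last SMS the subscriber received
        self.leaked = {}   # phone -> last SMS handed to the attacker

    def deliver(self, phone: str, text: str) -> None:
        self.inbox[phone] = text
        if self.compromised:
            self.leaked[phone] = text


class MessengerServer:
    def __init__(self):
        self.accounts = {}   # phone -> None, or (salt, pbkdf2 hash) when 2SV is enabled
        self.pending = {}    # phone -> outstanding SMS code

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, phone: str, two_step_password: str = None) -> None:
        if two_step_password is None:
            self.accounts[phone] = None
        else:
            salt = os.urandom(16)
            self.accounts[phone] = (salt, self._hash(two_step_password, salt))

    def request_code(self, phone: str, carrier: Carrier) -> None:
        """Anyone who knows the number can trigger this from a 'new device'."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = code
        carrier.deliver(phone, f"Login code: {code}")

    def sign_in(self, phone: str, code: str, password: str = None) -> bool:
        # The code is single use and is consumed even when the attempt fails,
        # so a password guess costs the attacker a fresh SMS every time.
        expected = self.pending.pop(phone, None)
        if expected is None or not hmac.compare_digest(code, expected):
            return False
        stored = self.accounts.get(phone)
        if stored is None:
            return True                     # SMS code alone opens the account
        salt, pw_hash = stored
        if password is None:
            return False
        return hmac.compare_digest(self._hash(password, salt), pw_hash)


def code_from_sms(text: str) -> str:
    return text.rsplit(" ", 1)[1]


def legitimate_login(server: MessengerServer, carrier: Carrier,
                     phone: str, password: str = None) -> bool:
    """The account owner reads the code from their own handset."""
    server.request_code(phone, carrier)
    return server.sign_in(phone, code_from_sms(carrier.inbox[phone]), password)


def attacker_takeover(server: MessengerServer, carrier: Carrier,
                      phone: str, password_guess: str = None) -> bool:
    """The attacker requests a code from their own device and obtains it via the carrier."""
    server.request_code(phone, carrier)
    sms = carrier.leaked.get(phone)
    if sms is None:
        return False                        # honest carrier: nothing to work with
    return server.sign_in(phone, code_from_sms(sms), password_guess)


if __name__ == "__main__":
    leaky = Carrier(compromised=True)
    srv = MessengerServer()
    srv.register("+98912000001")                                  # SMS only
    srv.register("+98912000002", two_step_password="correct horse")  # 2SV on
    print("SMS-only account, leaky carrier, attacker:", attacker_takeover(srv, leaky, "+98912000001"))
    print("2SV account, leaky carrier, attacker:    ", attacker_takeover(srv, leaky, "+98912000002"))
    print("2SV account, owner with password:        ", legitimate_login(srv, leaky, "+98912000002", "correct horse"))
```

With a compromised carrier the SMS-only account falls to the attacker as easily as it opens for its owner, while the 2SV account holds unless the attacker also knows the password. Two caveats the simulation makes visible: the server-side password check must be done on a hash with a constant-time comparison, and consuming the code on every failed attempt is what keeps the leaked SMS from becoming an offline password-guessing oracle. The password is also only as good as its recovery path; a recovery e-mail that the same adversary can read reintroduces the single factor.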


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
