
Users of secure chat app Telegram popped after possible nation-state attack

Iran's government suspected of cracking down on encrypted comms

Black Hat An attack group known for rudimentary phishing scams and having operational security so bad their servers were popped by Check Point has compromised a dozen Telegram accounts and gained phone numbers for a further 15 million, possibly with state assistance.

Telegram is a well-regarded end-to-end encrypted chat client used by some 100 million users including 20 million of Iran's 77 million residents.

The hack relied on the interception of SMS, a pervasive but imperfectly secure means of delivering second-factor authentication codes.

Iranian telcos could have provided the messages to the state-supported hacking group, researchers suggested. Tried-and-tested phone porting scams would be another way to redirect the text messages, allowing attackers to add themselves as additional users on targeted Telegram accounts.

The "Rocket Kitten" hacking group has previously targeted civilian organisations and academia in Germany and Israel and is thought to operate in the interests of the Iranian state. It has compromised Israeli nuclear scientists and physicists, ex-military, Saudi scholars, NATO regional posts, and various media outlets.

It is behind hundreds of campaigns, labelled "projects" by the group, cooked up to compromise various targets.

Last year it targeted organisations and probed security researchers with old-school and largely defunct macro document scams, which require users of modern Office installations to click through security warnings and deliberately enable macros. Check Point popped the group's servers in November and found what it reckoned were the real identities of two Rocket Kitten members.

The operational security blunder meant one group member linked his alias with a real identity, while the entire group had infected their systems with their own malware in what Check Point wonks called an "utter lack of operational security".

"If all that wasn’t enough, we also managed to retrieve an updated resume for [one of the attackers]," they said at the time.

Check Point guessed the group was part of the large contingent of nationalist script kiddies who use scripts and bots to deface thousands of sites every day, and were roped into the world of espionage by Tehran.

Researchers Claudio Guarnieri of Amnesty International and independent hacker Collin Anderson suspect Iranian ISPs may have been prevailed upon to assist the attack, the pair told Reuters ahead of their talk at Black Hat Las Vegas.

"We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company," Anderson told the wire service.

SMS-based verification is used by almost all IT services, including Google and Facebook, as a seemingly unshakeable trade-off between convenience and security.

Compromising SMS is easy for established hackers. A target's basic information is all that's required, and often much less, for telecommunications providers to allow all incoming calls and SMS to be redirected to an attacker's phone number.

Such redirection is useful for capturing two-factor authentication codes and bank transfer confirmations when stealing funds.

Telcos are notorious for allowing phone porting using information obtainable from most Facebook accounts. ®
