Security researchers Collin Anderson and Claudio Guarnieri have reported that a cyber-espionage group has scraped data on Iranian citizens from the infrastructure of Telegram, a very popular encrypted instant messaging application.
The two say the group managed to identify the cell phone numbers and Telegram user IDs of over 15 million Iranian citizens, around three-quarters of Telegram’s Iran userbase.
The threat group has also used a feature in the Telegram service to intercept SMS authorization codes, allowing them to gain access to at least two dozen accounts.
Attackers intercept Telegram authorization SMS messages
This was possible because Telegram allows users to register a new account without setting a password, relying only on an authorization code sent by SMS. The service uses a similar authorization SMS when a user wants to connect a new device to their account.
The researchers say the group scraped the Telegram network, identified certain individuals, added new devices to their accounts (based on phone number or ID), and intercepted the authorization SMS message.
The attack was silent and created no noise on the user's device that could have alerted the victim that something was wrong. The hackers were then able to read the user's private and encrypted conversations.
Attacks carried out by Rocket Kitten APT
The two researchers say the hackers that carried out this attack are associated with an APT codenamed Rocket Kitten, which was previously uncovered and exposed last autumn by Trend Micro and ClearSky.
The security vendors said they believed, based on their analysis, that the group might be connected to the Iranian government.
Previous Rocket Kitten targets included government agencies, academic institutions, defense contractors, and several Iranian political dissidents. Targets were located in Iran, Israel, and Germany.
Telegram: Turn on 2-Step Verification and you’re fine!
On its side, Telegram acknowledged the incident, recommending that users turn on its 2-Step Verification feature to safeguard against any attempts to hijack accounts in the future.
“Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed. Such mass checks are no longer possible since we introduced some limitations into our API this year.”
“If you have reasons to think that your mobile carrier is intercepting your SMS codes, use 2-Step Verification to protect your account with a password. If you do that, there’s nothing an attacker can do.”
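The point of Telegram's advice is that an SMS code is only one factor, and one that the carrier (or anyone upstream of it) can read. The toy service below models the two login paths described in this article: a new device is authorized by an SMS code alone, or by an SMS code plus a 2-Step Verification password. It is an added illustration written for this page, not code from Telegram or from the researchers; the class names, the in-memory "SMS outbox" standing in for the carrier, and the constructed phone number and password are all assumptions. The password is stored as a salted PBKDF2 hash, so the server never holds it in the clear.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical toy login service: models phone-number login with an optional
# second factor. Not Telegram's real protocol or code.


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    phone: str
    two_step_salt: Optional[bytes] = None
    two_step_hash: Optional[bytes] = None
    devices: List[str] = field(default_factory=list)

    def enable_two_step(self, password: str) -> None:
        """Turn on 2-Step Verification: a password is now required on top of the SMS code."""
        self.two_step_salt = secrets.token_bytes(16)
        self.two_step_hash = _hash_password(password, self.two_step_salt)


class LoginService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[str, Tuple[str, str]] = {}  # phone -> (code, device)
        # Everything appended here is what the carrier would deliver by SMS;
        # the simulation reads it back to model an intercepting carrier.
        self.sms_outbox: List[Tuple[str, str]] = []

    def register(self, phone: str) -> Account:
        self.accounts[phone] = Account(phone)
        return self.accounts[phone]

    def start_login(self, phone: str, device: str) -> None:
        """Issue a one-time code to the phone number for the requesting device."""
        code = f"{secrets.randbelow(100_000):05d}"
        self.pending[phone] = (code, device)
        self.sms_outbox.append((phone, code))

    def finish_login(self, phone: str, code: str, device: str,
                     password: Optional[str] = None) -> str:
        """Return 'ok' and attach the device, or a reason the login was refused."""
        entry = self.pending.get(phone)
        if entry is None:
            return "no_login"
        expected_code, expected_device = entry
        if device != expected_device or not hmac.compare_digest(expected_code, code):
            return "bad_code"
        acct = self.accounts[phone]
        if acct.two_step_hash is not None:
            # Second factor: an intercepted SMS code is not enough on its own.
            if password is None:
                return "password_required"
            candidate = _hash_password(password, acct.two_step_salt)
            if not hmac.compare_digest(candidate, acct.two_step_hash):
                return "bad_password"
        del self.pending[phone]
        acct.devices.append(device)
        return "ok"


PHONE = "+98-000-0000000"      # constructed sample value
PASSWORD = "correct horse battery staple"  # constructed sample value


def simulate_intercepted_code(two_step_enabled: bool) -> str:
    """A third party who can read the SMS tries to add their own device."""
    svc = LoginService()
    acct = svc.register(PHONE)
    if two_step_enabled:
        acct.enable_two_step(PASSWORD)
    svc.start_login(PHONE, device="unknown-device")
    _, code = svc.sms_outbox[-1]  # the carrier-level read of the code
    return svc.finish_login(PHONE, code, device="unknown-device")


def simulate_owner_login(password: str) -> str:
    """The account owner adds a device with the code and their 2SV password."""
    svc = LoginService()
    svc.register(PHONE).enable_two_step(PASSWORD)
    svc.start_login(PHONE, device="owner-laptop")
    _, code = svc.sms_outbox[-1]
    return svc.finish_login(PHONE, code, device="owner-laptop", password=password)


if __name__ == "__main__":
    print("SMS only:", simulate_intercepted_code(two_step_enabled=False))   # ok (hijacked)
    print("SMS + 2SV:", simulate_intercepted_code(two_step_enabled=True))   # password_required
    print("owner:", simulate_owner_login(PASSWORD))                         # ok
```

Without the second factor, the code alone authorizes the unknown device, which is the outcome the researchers describe; with 2-Step Verification enabled the same intercepted code is refused until the password is supplied. Note that a silent device addition is exactly what the 2SV check prevents here; a real service would also notify existing sessions when a new device is attached, which is the detection signal the article says the victims never received.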