Following on from my article here about the Iranian Cyber Police asking Iranians to stop using Telegram, it appears that the Iranian hacking group known as Rocket Kitten is behind a compromise of 15 million Telegram accounts used by Iranians.
Telegram is a very popular messaging app in Iran and almost 25% of the Iranian population are using the app every day.
Iranian authorities have previously demanded that Telegram provide them with “spying and censorship tools”. Telegram ignored the request and was blocked in Iran for around two hours on October 20 2015. Telegram does not have any servers in Iran, making the Iranian regime’s job harder to try and censor Telegram. This compares to the regime “banning” Twitter and Facebook, even though Iranians can use Tor or anonymous VPNs to get around the Iranian Internet filters…
Rocket Kitten refers to a cyber threat group that has been attacking various organizations, such as members of the Saudi royal family, Israeli nuclear scientists, NATO officials and Iranian dissidents.
Rocket Kitten has launched two known campaigns: a malware campaign that uses the GHOLE malware, and a targeted attack called “Operation Woolen-GoldFish” which is probably run by the Iranian regime. Rocket Kitten’s attacks were similar to ones attributed to the Iran’s Revolutionary Guards Corp (IRGC). You can read more about Rocket Kitten here
Rocket Kitten managed to obtain public information and phone numbers from 15 million Iranian users of the Telegram messaging app, as well as the associated Telegram user IDs. They compromised over 12 Telegram accounts and jeopardized the communications of people including activists and journalists in sensitive positions within Iran.
Telegram responded by saying, “Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed.”
Importantly, Telegram have since changed their API so that similar mass checks on accounts should no longer be possible: Telegram 1, Iranian Regime 0!
The Telegram vulnerability involved sending authorization codes via SMS text messages to activate new devices and these could be intercepted by the phone company. So, this means a Man In The Middle (MITM) attack capability by a country that has access to telecommunications networks. This further implicates Rocket Kitten as being part of the Iranian regime.
A word from the Iranian Cyber Police
The Cyber Police of Iran (FATA) have transparently tried to un-link the association between Rocket Kitten and the Iranian government by blaming Telegram’s “weakness”. No one believes them…
The legal and international deputy of the Cyber Police, Colonel Hossein Ramazani, said that the hackers did not get access to personal details of victims and that, “What is clear to us is the vulnerability and weakness which always existed in the service because of its text message confirmation system, through which [hackers] have gained access to the users’ phone numbers. Then contents of people’s chats and personal details, however, have not been compromised” Well, he obviously is not going to admit the regime did it, is he?
Telegram supports the use of Two-Factor Authentication (2FA), but is not enabled by default. That means users of Telegram should setup 2FA if they have not already done so, to prevent interception of SMS-verification codes via cellular networks (even if Telegram claim the mass lookup interception loophole is fixed). Perhaps Telegram should start enabling 2FA by default!