Users of secure chat app Telegram popped after possible nation-state attack
Iran's government suspected of cracking down on encrypted comms
Black Hat An attack group known for rudimentary phishing scams and having operational security so bad their servers were popped by Check Point has compromised a dozen Telegram accounts and gained phone numbers for a further 15 million, possibly with state assistance.
Telegram is a well-regarded end-to-end encrypted chat client used by some 100 million users including 20 million of Iran's 77 million residents.
The hack relied on the interception of SMS, a pervasive but imperfectly-secure means of delivering second factor authentication.
Iranian telcos could have provided the messages to the state-supported hacking group, researchers suggested. Tried-and-tested phone porting scams would be another way to redirect the text messages in order for attackers to add themselves as additional users on targeted Telegram accounts.
The "Rocket Kitten" hacking group has previously targeted civilian organisations and academia in Germany and Israel and holds some level of supporting interest in the Iranian state. It has compromised Israeli nuclear scientists and physicists, ex-military, Saudi scholars, NATO regional posts, and various media outlets.
It is behind hundreds of campaigns, labelled "projects" by the group, cooked up to compromise various targets.
It last year targeted organisations and probed security researchers with old-school and largely defunct macro document scams that require users of modern Office installations to click through security warnings to deliberately enable macros. Check Point popped the group's servers in November and found what it reckoned was the real identities of two Rocket Kitten members.
The operational security blunder meant one group member linked his alias with a real identity, while the entire group had infected their systems with their own malware in what Check Point wonks called an "utter lack of operational security".
"If all that wasn’t enough, we also managed to retrieve an updated resume for [one of the attackers]," they said at the time.
Check Point guessed the group was part of the large contingent of nationalist script kiddies who use scripts and bots to deface thousands of sites every day, and were roped into the world of espionage by Tehran.
Researchers Claudio Guarnieri of Amnesty International and independent hacker Collin Anderson suspect Iranian ISPs may have been prevailed upon to assist the attack, the pair told Reuters ahead of their talk at Black Hat Las Vegas.
"We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company," Anderson told the wire service.
The verification method is used by almost all IT services including Google and Facebook as a seemingly unshakable trade-off between convenience and security.
Compromising SMS is easy for established hackers. A target's basic information is all that's required - and often much less - for telecommunications providers to allow all incoming calls and SMS to be redirected to an attacker's phone number.
It is useful for capturing two factor authentication codes and bank transfer confirmation when stealing funds.
Telcos are notorious for allowing phone porting using information obtainable from most Facebook accounts. ®