Hackers have managed to compromise over a dozen Telegram accounts belonging to Iranian political activists and identify phone numbers tied to 15 million Iranian Telegram users, researchers Claudio Guarnieri and Collin Anderson claim.
They are set to provide more details about their research this week at Black Hat USA 2016.
What is known about the attacks so far
The Telegram accounts (Telegram is a secure messaging service based in Germany) were compromised by exploiting the way the service activates new devices: Telegram sends the user an SMS containing a login code, and whoever enters that code gets the new device added to the account.
The researchers believe the attackers intercepted these text messages, which allowed them to add their own devices to the targets' accounts and access everything in them.
This SMS interception was performed either by compromising Iranian phone companies or by colluding with them. The researchers believe the latter theory is not far-fetched, as Rocket Kitten, the hacker group they believe carried out the attacks, is thought to be composed of Iranian hackers, possibly tied to the Iranian Revolutionary Guard Corps (a branch of
Rocket Kitten is known for targeting individuals, businesses and government organizations across the Middle East, but also researchers (Iranian and European), Iranian citizens and activists, Islamic and anti-Islamic preachers and groups, political parties, and government officials.
The same group apparently also managed to misuse Telegram's API earlier this year to identify 15 million Iranian phone numbers and the user IDs tied to them. Such a mapping can come in handy for orchestrating future attacks and for supporting investigations.
According to Guarnieri, this is also the first time that “a systematic de-anonymization and classification of people who employ encryption tools (of some sort, at least) for an entire nation” has been publicly exposed.
Facebook and Twitter are banned in Iran, so Telegram is widely used in the country. Iranian authorities have previously approached Telegram and asked the service to help them spy on users; Telegram ignored the request.
The Telegram Team has commented on the reports of these attacks by saying that, as regards the 15 million Iranian accounts, "only publicly available data was collected and the accounts themselves were not accessed," and that such mass checks are no longer possible as they've set up limitations for their API.
“As for the reports that several accounts were accessed earlier this year by intercepting SMS-verification codes, this is hardly a new threat as we’ve been increasingly warning our users in certain countries about it,” they noted.
They've introduced a 2-step verification option: with it enabled, logging in requires both the authentication code sent via SMS and a password the user has set. A recovery email address can also be registered to help if the password is forgotten.
“If you have reasons to think that your mobile carrier is intercepting your SMS codes, use 2-step verification to protect your account with a password. If you do that, there’s nothing an attacker can do,” they added.
Of course, if a target's recovery email account gets compromised, the attackers can use the recovery mechanism to get past the password and gain access to his or her Telegram account. Apparently, it has happened before.
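The three situations described above (SMS-code login on its own, the same login with a 2-step password, and the recovery-email path around that password) can be made concrete with a small model. The following is an added illustration written for this article, not Telegram's own code or protocol: the server, the device and account names, the placeholder phone number and the password hashing scheme are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical, simplified model of an SMS-code login that can be hardened with an
# account password ("2-step verification") and that offers email-based password
# recovery. Written for this article; it is NOT Telegram's actual protocol or code.

PBKDF2_ROUNDS = 100_000


class AuthServer:
    def __init__(self):
        self.accounts = {}        # phone -> account record
        self.pending_codes = {}   # phone -> login code handed to the carrier as an SMS
        self.pending_resets = {}  # phone -> recovery token sent to the recovery email

    def register(self, phone, device):
        self.accounts[phone] = {"devices": {device}, "pw": None,
                                "email": None, "awaiting_pw": set()}

    def enable_two_step(self, phone, password, recovery_email):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[phone]["pw"] = (salt, digest)
        self.accounts[phone]["email"] = recovery_email

    # Step 1: the server mints a code and hands it to the carrier for delivery.
    def request_login_code(self, phone):
        code = f"{secrets.randbelow(10**5):05d}"
        self.pending_codes[phone] = code
        return code  # the SMS body: anyone who can read the SMS knows it

    # Step 2: a device submits the code. Without 2-step this is the whole login.
    def submit_code(self, phone, code, device):
        expected = self.pending_codes.pop(phone, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return "invalid_code"
        acct = self.accounts[phone]
        if acct["pw"] is None:
            acct["devices"].add(device)
            return "logged_in"
        acct["awaiting_pw"].add(device)
        return "password_required"

    # Step 3 (2-step only): the same device must also present the password.
    def submit_password(self, phone, password, device):
        acct = self.accounts[phone]
        if device not in acct["awaiting_pw"]:
            return "code_first"
        salt, digest = acct["pw"]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return "wrong_password"
        acct["awaiting_pw"].discard(device)
        acct["devices"].add(device)
        return "logged_in"

    # Recovery: a token goes to the recovery email; presenting it clears the password.
    def request_password_reset(self, phone):
        token = secrets.token_hex(16)
        self.pending_resets[phone] = token
        return token  # what lands in the recovery mailbox

    def reset_password(self, phone, token):
        expected = self.pending_resets.pop(phone, None)
        if expected is None or not hmac.compare_digest(expected, token):
            return "invalid_token"
        self.accounts[phone]["pw"] = None
        return "password_cleared"


VICTIM = "+00-000-000-0000"  # constructed placeholder number


def _setup(two_step):
    server = AuthServer()
    server.register(VICTIM, "victims-phone")
    if two_step:
        server.enable_two_step(VICTIM, "correct horse battery staple", "victim@example.org")
    return server


def attacker_with_sms_interception(two_step):
    """Attacker reads every SMS sent to the victim (carrier compromise or collusion)."""
    server = _setup(two_step)
    code = server.request_login_code(VICTIM)                    # intercepted in transit
    server.submit_code(VICTIM, code, "attacker-device")
    server.submit_password(VICTIM, "guess", "attacker-device")  # only matters with 2-step
    return "attacker-device" in server.accounts[VICTIM]["devices"]


def attacker_with_sms_and_recovery_mailbox():
    """Same attacker, but the recovery mailbox is compromised as well."""
    server = _setup(two_step=True)
    code = server.request_login_code(VICTIM)
    server.submit_code(VICTIM, code, "attacker-device")  # -> password_required
    token = server.request_password_reset(VICTIM)        # read from the mailbox
    server.reset_password(VICTIM, token)                 # password is gone ...
    code = server.request_login_code(VICTIM)             # ... so SMS alone suffices again
    server.submit_code(VICTIM, code, "attacker-device")
    return "attacker-device" in server.accounts[VICTIM]["devices"]


def owner_two_step_login():
    """The legitimate owner adding a new device with 2-step enabled."""
    server = _setup(two_step=True)
    code = server.request_login_code(VICTIM)
    server.submit_code(VICTIM, code, "owners-laptop")
    server.submit_password(VICTIM, "correct horse battery staple", "owners-laptop")
    return "owners-laptop" in server.accounts[VICTIM]["devices"]
```

Run through the three scenarios, the model gives the outcomes the article describes: an intercepted SMS is a complete login when no password is set, it stops at `password_required` when 2-step is on, and control of the recovery mailbox turns the password back off so that SMS interception is enough again. The security of the password factor is therefore only as good as the recovery channel behind it.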