Iranian hacker group knows who is on Telegram

Telegram encrypted messaging app leaked 15 million Iranian users’ phone numbers

Hackers obtained the mobile phone numbers of 15 million Iranian users of the Telegram encrypted messaging app, and hacked the accounts of more than a dozen of them, security researchers say.

The accounts were hacked through interception of SMS confirmation codes sent to the associated phone numbers, security researchers Claudio Guarnieri and Collin Anderson told Reuters.

The revelations show once again how use of encryption can pit technology companies against governments. Telegram founder Pavel Durov has in the past sided with Apple CEO Tim Cook against the FBI on the question of whether governments should have access to the contents of smartphones.

In this latest case it was a cyberespionage group said to have links with the Iranian government, Rocket Kitten, which identified 15 million Iranian users of Telegram.

The group did not leak the numbers, Anderson said. He and fellow security researcher Guarneri found the numbers on the Rocket Kitten servers, he said via Twitter.

The two plan to say more about these hacks, and many others directed at Iranians, in a presentation at the Black Hat security conference in Las Vegas on Thursday.

Telegram acknowledged the attacks on its service in a blog post, but played down their significance. "Certain people" had used its public APIs to check whether Iranian phone numbers were used for its service, and had ascertained this for 15 million accounts, the company said, but the content of the accounts could not be accessed through the API.

Information about which phone numbers are associated with accounts has to be public, otherwise users cannot find and message their friends through the service, the company said on its blog.

Checking phone numbers on such a large scale is no longer possible, though, as within the last year the company has placed limits on such use of its API, it said.

The company is aware that Telegram accounts can be hacked by intercepting SMS confirmation codes, but "this is hardly a new threat," it said. Last year it introduced an optional two-factor verification function combining SMS codes and passwords, and has been encouraging users in certain countries to turn this on if they think that their mobile carrier is intercepting their SMS codes.

"If you do that, there's nothing an attacker can do," the company said.

Anderson welcomed Telegram's API changes, but called for it to publish its security advice in the Farsi language to ensure more Iranian users were aware of the need to use two-factor verification.

If you are in Iran and use the mobile app, there are significant risks from government cooperation with telcos, he said via Twitter.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleFBITwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Peter Sayer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place