Iranian hackers: Are they targeting opponents of Tehran?
Iranian hackers that belong to the notorious group Rocket Kitten penetrated an encrypted messenger app popular among many dissidents, say researchers. Were the hackers acting on behalf of Tehran?
Iranian hackers with suspected ties to the regime penetrated the messenger app Telegram to monitor activists, journalists, and other dissidents, according to cybersecurity researchers.
With the help of an Iranian phone company, the hackers broke into more than a dozen Iranians' Telegram accounts by intercepting text messages that contained activation codes to link the accounts to new devices, Claudio Guarnieri, an Amnesty International technologist, and Collin Anderson, an independent cybersecurity researcher, told Reuters.
Mr. Guarnieri and Mr. Anderson said the hackers belonged to “Rocket Kitten,” an infamous group that several cybersecurity firms have previously shown carried out cyberespionage for Tehran.
The Telegram breach shows that unlike the US, Britain, France, and Israel, which have targeted the Telegram accounts of Islamic State (IS) propagandists, Tehran has prioritized going after the accounts of activists to quell dissension.
“A majority of what the regime calls counterterrorism activity is not focused on what you imagine – managing threats posed by terrorist groups like the Islamic State,” Michael Smith II, chief operating officer of Kronos Advisory, a defense consulting firm, told The Christian Science Monitor on Monday. “Foremost among the regime’s concerns is the preservation of its authority. So ‘counterterrorism’ often refers to managing internal anti-regime activism.”
More popular than TV
Telegram is an encrypted messenger service that developers tout as highly secure (though some experts have said it doesn’t live up to this advertisement). Telegram’s end-to-end encryption is intended to restrict a message so only the sender and receiver can read it.
With 100 million active subscribers worldwide, Telegram is popular among businesses and even terrorists, including the Islamic State (IS). The app has also attracted a sizeable audience in Iran.
In Iran, both Facebook and Twitter are banned. But Tehran doesn’t censor or restrict Telegram, which has 20 million users throughout the country. One Iranian telecommunications executive reportedly said the number of Iranians that use Telegram easily exceeded those that watch state television, according to Al Jazeera. Many of these Iranians subscribe to channels on the app to receive and share information, sometimes from sources that would be censored otherwise. It’s easy to see how Iranian hardliners might worry about these channels and users.
“Because it came to power through revolution, survival is Tehran’s foremost concern, and counterrevolution its ultimate nightmare,” writes Michael Eisenstadt, director of the Military and Security Studies Program at The Washington Institute for Near East Policy. “Thus, for Tehran, cyber represents both an existential threat and an exceptional opportunity. Tehran believes that cyber enables its domestic opponents to organize, and its foreign enemies to undermine the regime through soft warfare.”
The Iranian hackers, said cybersecurity researchers Anderson and Guarnieri, exploited a security flaw in Telegram to monitor the communications of activists, journalists, and Iranian reformists.
"We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company," Anderson told Reuters.
He and Guarnieri said the hackers also identified the phone numbers of 15 million Iranian users by searching for phone numbers registered through Telegram.
Telegram did not respond to a Monitor inquiry by press time. In a statement August 2, following the publication of the Reuters article, Telegram downplayed Anderson and Guarnieri’s claims. It said it has frequently warned users in certain countries about the danger of a text message carrying an activation code being intercepted. Telegram, instead, recommends users require two-step verification, in which they would receive two activation codes via SMS. In the statement, Telegram added that 15 million accounts would have been identified through publicly available data. Telegram said it removed the feature to perform a mass search of numbers.
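The account-linking weakness described above, and the mitigation Telegram points to, can be modelled in a few dozen lines. The following is an added example, not code from the article, from Telegram, or from the researchers it quotes. It is a toy server with a constructed phone number; the login code is handed only to a simulated SMS channel, and two-step verification is represented as a password-style second factor that never travels over SMS. That representation is an assumption made for the illustration and does not describe Telegram's actual protocol.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    phone: str
    devices: Set[str] = field(default_factory=set)
    # Second factor (two-step verification); None means the SMS code alone suffices.
    pw_salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class MessengerServer:
    """Toy model of phone-number login: a one-time SMS code links a new device."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[str, str] = {}             # phone -> outstanding login code
        self.sms_channel: List[Tuple[str, str]] = []  # what the carrier relays (and can read)
        self.audit: List[str] = []                    # events a defender would review

    def register(self, phone: str, first_device: str) -> None:
        self.accounts[phone] = Account(phone, {first_device})

    def enable_two_step(self, phone: str, password: str) -> None:
        acct = self.accounts[phone]
        acct.pw_salt = secrets.token_bytes(16)
        acct.pw_hash = _derive(password, acct.pw_salt)

    def request_code(self, phone: str) -> None:
        """Generate a fresh login code and hand it to the SMS channel, never to the caller."""
        code = f"{secrets.randbelow(100_000):05d}"
        self.pending[phone] = code
        self.sms_channel.append((phone, code))

    def link_device(self, phone: str, code: str, device: str,
                    password: Optional[str] = None) -> bool:
        """Link `device` if the code (and, when enabled, the second factor) checks out."""
        acct = self.accounts[phone]
        expected = self.pending.get(phone, "")
        if not expected or not hmac.compare_digest(expected, code):
            self.audit.append(f"REJECT bad-code phone={phone} device={device}")
            return False
        if acct.pw_hash is not None:
            supplied = _derive(password or "", acct.pw_salt)
            if not hmac.compare_digest(supplied, acct.pw_hash):
                # Valid SMS code but no second factor: the interception case from the article.
                self.audit.append(f"REJECT code-ok-no-second-factor phone={phone} device={device}")
                return False
        del self.pending[phone]  # codes are single-use
        acct.devices.add(device)
        self.audit.append(f"LINKED phone={phone} device={device}")
        return True


PHONE = "+98-000-CONSTRUCTED"  # constructed sample number, not a real subscriber


def sms_only_takeover() -> bool:
    """Account guarded by the SMS code alone: whoever reads the SMS can link a device."""
    srv = MessengerServer()
    srv.register(PHONE, "owner-handset")
    srv.request_code(PHONE)
    intercepted = srv.sms_channel[-1][1]  # code observed in transit at the carrier
    return srv.link_device(PHONE, intercepted, "unknown-device")


def two_step_blocks_interception() -> Tuple[bool, bool, List[str]]:
    """Same interception, but the account requires a factor the SMS never carries."""
    srv = MessengerServer()
    srv.register(PHONE, "owner-handset")
    srv.enable_two_step(PHONE, "correct-horse-battery")
    srv.request_code(PHONE)
    intercepted = srv.sms_channel[-1][1]
    attacker_ok = srv.link_device(PHONE, intercepted, "unknown-device")
    srv.request_code(PHONE)  # owner asks for a fresh code on a new device of their own
    owner_ok = srv.link_device(PHONE, srv.sms_channel[-1][1], "owner-tablet",
                               password="correct-horse-battery")
    return attacker_ok, owner_ok, srv.audit


if __name__ == "__main__":
    print("SMS-only takeover succeeds:", sms_only_takeover())
    blocked, owner, log = two_step_blocks_interception()
    print("With second factor: attacker", blocked, "owner", owner)
    print("\n".join(log))
```

The audit list is the part a defender cares about: a "code-ok-no-second-factor" rejection means the SMS code was known to someone who lacked the account's second factor, which is exactly the signal that the carrier-side interception described in this article would leave behind.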
Though Guarnieri and Anderson declined to comment on whether the hackers were employed by Tehran, numerous other cybersecurity research firms have linked Rocket Kitten to Iranian authorities.
Rocket Kitten is the moniker of a group that has carried out spear-phishing email fraud campaigns and malware attacks in the interest of Tehran. Countries targeted included Saudi Arabia, Israel, Yemen, and the US, and victims include defense officials and embassies, as well as Iranian activists, journalists, and academics, according to Check Point, an American-Israeli cybersecurity firm.
Building upon previous research, Check Point last year showed Rocket Kitten's connections to Tehran. In addition to Persian names and words in the campaigns and malicious software that Check Point reviewed, the firm discovered that one of the software programmers, Yaser Balaghi, said in his resume that he had created spear-phishing systems for the government.
Activists and the Islamic State
Experts have warned about Telegram’s security flaws in the past, and dissidents in other countries have also experienced account breaches. Two Russians who oppose the Kremlin said the country’s largest mobile operator, MTS, colluded with hackers to break into their Telegram accounts. The activists, Oleg Kozlovsky and Georgy Alburov, told The Moscow Times in May that their accounts were compromised when verification codes sent to their phones were intercepted.
Since IS has been known to use Telegram for propaganda, coordinating terrorist plots, and recruitment, Americans, Israelis, the British, and the French have all tried to gain access to different IS Telegram accounts and channels. Last week, Intsight, an Israeli cybersecurity firm, said it penetrated an IS forum on Telegram through “proprietary technology,” where it found plans to attack hundreds of US military bases.
Iran is high on IS’s hit list, as well. Tehran has supported the Assad regime in Syria, and shares borders with Iraq and Afghanistan. When asked if Iranian hackers might have tried to access IS communications, Mr. Eisenstadt of the Washington Institute said Tehran is much more worried about a counterrevolution.
“[Iranian authorities] will use every means at their disposal in order to discover potential subversive or anti-regime elements, whether they are liberal, middle-class Iranians who oppose the regime on political grounds, Salafi jihadists, or Kurdish separatists.”
"The opposition threat is not the only threat,” he says. “But it is a significant threat.”