Iranian hackers: Are they targeting opponents of Tehran?

Iranian hackers that belong to the notorious group Rocket Kitten penetrated an encrypted messenger app popular among many dissidents, say researchers. Were the hackers acting on behalf of Tehran?

Vahid Salemi/AP
An Iranian shareholder monitors share prices on his laptop computer at the Tehran Stock Exchange in Tehran, Iran, in April 2015.

Iranian hackers with suspected ties to the regime penetrated the messenger app Telegram to monitor activists, journalists, and others dissidents, according to cybersecurity researchers.

With the help of an Iranian phone company, the hackers broke into more than a dozen Iranians' Telegram accounts by intercepting text messages that contained activation codes to link the accounts to new devices, Claudio Guarnieri, an Amnesty International technologist, and Collin Anderson, an independent cybersecurity researcher, told Reuters.

Mr. Guarnieri and Mr. Anderson said the hackers belonged to “Rocket Kitten,” an infamous group that several cybersecurity firms have previously shown carried out cyberespionage for Tehran.

The Telegram breach shows that unlike the US, Britain, France, and Israel, who have targeted the Telegram accounts of Islamic State (IS) propagandists, Tehran has prioritized going after the accounts of activists to quell dissension.  

“A majority of what the regime calls counterterrorism activity is not focused on what you imagine – managing threats posed by terrorist groups like the Islamic State,” Michael Smith II, chief operating officer of Kronos Advisory, a defense consulting firm, told The Christian Science Monitor on Monday. “Foremost among the regime’s concerns is the preservation of its authority. So ‘counterterrorism’ often refers to managing internal anti-regime activism.”

More popular than TV

Telegram is an encrypted messenger service that developers tout as highly secure (though some experts have said it doesn’t live up to this advertisement). Telegram’s end-to-end encryption is intended to restrict a message so only the sender and receiver can read it. 

With 100 million active subscribers worldwide, Telegram is popular among businesses and even terrorists, including the Islamic State (IS). The app has also attracted a sizeable audience in Iran.

In Iran, both Facebook and Twitter are banned. But Tehran doesn’t censor or restrict Telegram, which has 20 million users throughout the country. One Iranian telecommunications executive reportedly said the number of Iranians that use Telegram easily exceeded those that watch state television, according to Al Jazeera. Many of these Iranians subscribe to channels on the app to receive and share information, sometimes from sources that would be censored otherwise. It’s easy to see how Iranian hardliners might worry about these channels and users.

“Because it came to power through revolution, survival is Tehran’s foremost concern, and counterrevolution its ultimate nightmare,” writes Michael Eisenstadt, director of the Military and Security Studies Program at The Washington Institute for Near East Policy. “Thus, for Tehran, cyber represents both an existential threat and an exceptional opportunity. Tehran believes that cyber enables its domestic opponents to organize, and its foreign enemies to undermine the regime through soft warfare.”

Rocket Kitten 

The Iranian hackers, said cybersecurity researchers Anderson and Guarnieri, exploited a security flaw in Telegram to monitor the communications of activists, journalists, and Iranian reformists.

"We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company," Anderson told Reuters.

He and Guarnieri said the hackers also identified the phone numbers of 15 million Iranian users by searching for phone numbers registered through Telegram.

Telegram did not respond to a Monitor inquiry by press time. In a statement August 2, following the publication of the Reuters article, Telegram downplayed Anderson and Guarnieri’s claims. It said it has frequently warned users in certain countries about the danger of a text message carrying an activation code being intercepted. Telegram, instead, recommends users require two-step verification, in which they would receive two activation codes via SMS. In the statement, Telegram added that 15 million accounts would have been identified through publicly available data. Telegram said it removed the feature to perform a mass search of numbers.

Though Guarnieri and Anderson declined to comment on whether the hackers were employed by Tehran, numerous other cybersecurity research firms have linked Rocket Kitten to Iranian authorities.

Rocket Kitten is a moniker of a group that has carried out spear phishing email scams fraud campaigns and malware attacks in the interest of Tehran. Countries targeted included Saudi Arabia, Israel, Yemen, and the US, and victims include defense officials, and embassies, as well as Iranian activists, journalists, and academics, according to Check Point, an American-Israeli cybersecurity firm.

Building upon previous research, Check Point showed last year Rocket Kitten’s connections to Tehran. In addition to Persian names and words in campaigns and malicious software that Check Point reviewed, the firm discovered one of the software programmers, Yaser Balaghi, said in his resume that he created spear phishing systems for the government.   

Activists and the Islamic State 

Experts have warned about Telegram’s security flaws in the past, and dissidents in other countries have also experienced account breaches. Two Russians who oppose the Kremlin said the country’s largest mobile operator, MTS, colluded with hackers to break into their Telegram accounts. The activists, Oleg Kozlovsky and Georgy Alburov, told The Moscow Times in May that their accounts were compromised when verification codes sent to their phones were intercepted.

Since IS has been known to use Telegram for propaganda, coordinating terrorist plots, and recruitment, American, Israelis, the British, and the French have all tried to gain access to different IS Telegram accounts and channels. Last week, Intsight, an Israeli cybersecurity firm, said it penetrated an IS forum on Telegram through “proprietary technology,” where it found plans to attack hundreds of US military bases.

Iran is high on IS’s hit list, as well. Tehran has supported the Assad regime in Syria, and shares borders with Iraq and Afghanistan. When asked if Iranian hackers might have tried to access IS communications, Mr. Eisenstadt of the Washington Institute said Tehran is much more worried about a counterrevolution.

“[Iranian authorities] will use every means at their disposal in order to discover potential subversive or anti-regime elements, whether they are liberal, middle-class Iranians who oppose the regime on political grounds, Salafi jihadists, or Kurdish separatists.”

 "The opposition threat is not the only threat,” he says. “But it is a significant threat.” 

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Iranian hackers: Are they targeting opponents of Tehran?
Read this article in
QR Code to Subscription page
Start your subscription today