A hacking group with suspected links to the Iranian security services has reportedly compromised the phone numbers of 15 million Telegram users in Iran and over a dozen individual chat accounts on the encrypted platform, according to Reuters.
The notorious cybercrime collective implicated is dubbed 'Rocket Kitten' and is known to target dissidents, politicians and journalists with sophisticated spearphishing tactics. Analysis from security firm Check Point previously found the group to be "aligned with nation-state intelligence interests".
Now, based on fresh research from two experts, Collin Anderson and Claudio Guarnieri, a Telegram vulnerability is reportedly being exploited in a way that could 'map' users of the popular application, which offers encrypted chats and messaging features to roughly 20 million users in Iran.
The security flaw, according to Anderson and Guarnieri, and exclusively reported by Reuters, relates to how Telegram uses SMS text messages to activate new devices.
When a user logs onto the service from a new smartphone, Telegram sends an authorisation code via text message, and the researchers claim these codes are being intercepted by state-owned phone companies in Iran and potentially shared with the hacking group.
With these authorisation codes, hackers are then able to covertly add new devices to a target's Telegram account and snoop on messages, the researchers claimed.
"We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like, basically, coordination with the cellphone company," Anderson told Reuters in an interview.
The researchers claim to have found evidence the hackers used a "programming interface built into Telegram" to identify 15 million Iranian phone numbers and linked ID numbers registered with the platform, which they said could be used in future "attacks and investigations".
[Image: Telegram encrypted messaging app. Caption: Telegram has roughly 20m users in Iran. Credit: Telegram]
According to Guarnieri, this is the first time such a "systematic de-anonymisation and classification" of people using encrypted messaging applications has been exposed.
Markus Ra, spokesperson for Telegram, said: "If you have a strong Telegram password and your recovery email is secure, there's nothing an attacker can do." He added that customers can also set passwords on their accounts for an extra layer of protection.
The researchers, who are set to reveal more details during the Las Vegas Black Hat conference on 4 August, said the Telegram victims included political activists involved in "reformist movements and opposition organisations" but they did not elaborate further.
Anderson and Guarnieri also declined to comment on whether the hackers were employed by the Iranian government. However, Anderson admitted: "We see instances in which people [...] are targeted prior to their arrest. We see a continuous alignment across these actions."
Previously, two intelligence officials from Europe and the Middle East separately told the Financial Times that Rocket Kitten shared links with the Islamic Revolutionary Guard Corps (IRGC), which is said to routinely conduct cyber-warfare against government agencies across the world, especially in the US.