Data Breach Shows Iranians Use Chat Apps to Spy, Researchers Say
By Ryan Gallagher
April 17, 2020, 3:33 PM GMT+2
Bob Diachenko, a security researcher in Ukraine, spends part of his days searching the internet for troves of data that aren’t secured properly, in order to patch them up so they aren’t exploited by hackers.
Last month, he came across an unsecured server storing information on 42 million messaging accounts, nearly all from Iran and tied to the chat app Telegram.
There were no immediate clues as to who had obtained the data and placed it on the server. There was only a landing page, all black, with the logo of a white eagle and a message in Farsi. “Welcome to the Hunting System,” it said.
Diachenko said he notified an Iranian cybersecurity agency, and soon after that, the server was taken down.
But before it vanished, other cybersleuths began their own investigations. Ultimately, that led them to a hacking group with an unlikely nickname -- Charming Kitten -- and a startling conclusion: Diachenko had stumbled across an Iranian government spying operation.
“For more than 10 years, I have been monitoring Iranian cyber-attacks and surveillance, and I have never seen anything like this,” said Amir Rashidi, an Iranian internet security and digital rights researcher, who is based in New York. “They could use this to go after my relatives, my friends, my family.”
The trove of data, portions of which were reviewed by Bloomberg News, contained usernames, phone numbers, user biographies, and unique codes – or “hashes” – associated with the accounts stored on the server.
It’s not clear if the data was mostly from Telegram users or from users of unofficial versions of the app that became popular after Telegram was banned in Iran in 2018. Some of the unofficial apps, which use the same source code as Telegram, have been previously linked to Iran’s government.
Either way, the data could be used to clone people’s accounts and spy on private communications, identify people who are using Telegram anonymously, or send out propaganda or disinformation aimed at specific groups, Diachenko said.
Rashidi said Iran was previously known to selectively target and hack particular people’s accounts. But the Hunting System indicates Iranian authorities are using new and more aggressive techniques to collect and analyze huge troves of information about their citizens, he said.
“This is the first time that I have seen evidence that they are trying to analyze the data on a massive scale,” Rashidi said.
Telegram said in an email statement that it believes the data originated from unofficial versions of its app that are used in Iran, which it said could have covertly harvested information about Telegram users from people’s phones.
“The data samples which we were able to study clearly show that the data was collected using third-party apps that stole data from their users,” said Markus Ra, a Telegram spokesman.
“If one of your friends who has your number used a malicious app, your number and username can end up in a database” like the Hunting System, Ra said, “even if you haven’t used that malicious app yourself.”
At least some of the user accounts in the data trove are associated with active users of the official Telegram app, based on a review comparing accounts on the server and on Telegram. Timestamps indicate that some of the Telegram user records were accessed as recently as March 2020.
Iran’s Cyber Police didn’t respond to requests for comment. Amir Nazemi, deputy minister at Iran’s Ministry of Communication and Information Technology, said he filed a complaint about the data breach with Iran’s attorney general’s office. He declined to comment on whether the Cyber Police or other government agencies were involved in the Hunting System.
Diachenko’s discovery of the server was reported in a computer trade publication. Several Iranian security researchers continued delving into the data.
One of them, Mohammad Jorjandi, who lives and works in the U.S., said he discovered that the server storing the user data had been registered to an office in northwestern Tehran by a person named Manouchehr Hashemloo.
Using online records seen by Bloomberg News, Jorjandi determined that Hashemloo was using the same Gmail address used by a well-known hacker tied to the Iranian government. The hacker, who goes by ArYaIeIrAN, has been associated with an alleged Iranian government-sponsored hacking group known as Charming Kitten, which has a history of targeting Iranian dissidents, academics, journalists and human rights activists.
The people who had set up the Hunting System server, Jorjandi concluded, were probably working for the Iranian government.
ClearSky Cyber Security has also previously uncovered several hacking operations perpetrated by ArYaIeIrAN, the alias associated with Hashemloo, and a 2017 report cited the hacker’s Gmail address and linked it to operations carried out by Charming Kitten.
Hashemloo didn’t respond to an email request for comment.
Another Iranian security researcher said that Hashemloo was “a known person in security and hacker society” in Iran whose “name was on many Iran government cyber operations.” The researcher, who lives in Iran and requested anonymity because of safety concerns, said the Hunting System was probably a portal for Iran’s Cyber Police agency, which was set up in 2011 in part to target dissident groups and government critics.
Charming Kitten’s hacking exploits have been documented by researchers for several years.
In its 2017 report, ClearSky documented that Charming Kitten had created fake news websites – including one named britishnews.com – and tried to hack the computers of journalists, human rights activists and researchers based in Europe and the Middle East.
Last year, ClearSky said the same group of hackers had attempted to break into the email accounts of current and former U.S. officials, people involved with the current U.S. presidential campaign, journalists covering global politics and prominent Iranians living outside Iran.
“We have strong evidence to believe Charming Kitten is a state-sponsored” hacking group in Iran, said Ohad Zaidenberg, the company’s lead cyber intelligence researcher.
Zaidenberg said he hadn’t assessed who was behind the Hunting System. But in the past, he said, the Charming Kitten group had targeted Telegram users. The group had previously set up a malicious website that was designed to look like a Telegram login page, he said.
For years, Iranians have used Telegram as a means to communicate using encryption to protect private messages. The app also allows users to join groups where they can find out about news that is censored by state media in the country.
After a ban on Telegram, some Iranians circumvented it by using software such as virtual private networks, which allowed them to bypass the country’s block on the Telegram website, according to Rashidi.
Others began downloading unofficial versions of Telegram, called Hotgram and Telegram Gold, which rely on the same underlying code as the official app but aren’t operated by Telegram.
Security experts suspected that the unofficial apps may have been developed by the Iranian government as a means to monitor the country’s citizens.
In May 2019, Nassrollah Pezhmanfar, a member of Iran’s parliament, confirmed those suspicions, stating that Telegram Gold and Hotgram were sponsored by Iran’s intelligence and communication ministries, which he said had spent about $90 million to create them.
“It was obvious that they were connected to authorities in Iran,” said Mahsa Alimardani, a researcher who specializes in Iran at the Oxford Internet Institute. “They were censoring content on the platforms and seeking to centralize control over users.”
Neither Telegram Gold nor Hotgram responded to an email message seeking comment.
Telegram has warned Iranians against using the unofficial apps. Last year, they were removed from the Google Play Store because of security concerns.
“Unfortunately, despite our warnings, people in Iran are still using unverified apps,” said Ra, the Telegram spokesman. “Apps like Hotgram or Telegram Gold are very likely to be connected to this.”