Iran is using chat apps to spy on its citizens
Bob Diachenko, a security researcher in Ukraine, spends part
of his days searching the internet for troves of data that aren’t secured
properly, in order to patch them up so they aren’t exploited by hackers.
Last month, he came across an unsecured server storing
information on 42 million messaging accounts, nearly all from Iran and tied to
the chat app Telegram.
There were no immediate clues as to who had obtained the
data and placed it on the server. There was only a landing page, all black,
with the logo of a white eagle and a message in Farsi.
“Welcome to the Hunting System,” it said.
Mr Diachenko said he notified an Iranian cybersecurity
agency, and soon after that, the server was taken down.
But before it vanished, other cybersleuths began their own
investigations. Ultimately, that led them to a hacking group with an unlikely
nickname – Charming Kitten – and a startling conclusion: Mr Diachenko had
stumbled across an Iranian government spying operation.
“For more than 10 years, I have been monitoring Iranian
cyber-attacks and surveillance, and I have never seen anything like this,” said
Amir Rashidi, an Iranian internet security and digital rights researcher, who
is based in New York. “They could use this to go after my relatives, my
friends, my family.”
The trove of data, portions of which were reviewed by
Bloomberg, contained usernames, phone numbers, user biographies, and unique
codes – or “hashes” – associated with the accounts stored on the server.
It’s not clear if the data was mostly from Telegram users or
from users of unofficial versions of the app that became popular after Telegram
was banned in Iran in 2018. Some of the unofficial apps, which use the same
source code as Telegram, have been previously linked to Iran’s government.
Either way, the data could be used to clone people’s
accounts and spy on private communications, identify people who are using
Telegram anonymously, or send out propaganda or disinformation aimed at
specific groups, Mr Diachenko said.
Mr Rashidi said Iran was previously known to selectively
target and hack particular people’s accounts. But the Hunting System indicates
Iranian authorities are using new and more aggressive techniques to collect and
analyse huge troves of information about their citizens, he said.
“This is the first time that I have seen evidence that they
are trying to analyse the data on a massive scale,” Mr Rashidi said.
Telegram said in an email statement that it believes the
data originated from unofficial versions of its app that are used in Iran,
which it said could have covertly harvested information about Telegram users
from people’s phones.
“The data samples which we were able to study clearly show
that the data was collected using third-party apps that stole data from their
users,” said Markus Ra, a Telegram spokesman.
“If one of your friends who has your number used a malicious
app, your number and username can end up in a database” like the Hunting
System, Mr Ra said, “even if you haven’t used that malicious app yourself.”
At least some of the user accounts in the data trove are
associated with active users of the official Telegram app, based on a review
comparing accounts on the server and on Telegram. Timestamps indicate that some
of the Telegram user records were accessed as recently as March 2020.
Iran’s Cyber Police didn’t respond to requests for comment.
Amir Nazemi, deputy minister at Iran’s Ministry of Communication and
Information Technology, said he filed a complaint about the data breach with
Iran’s attorney general’s office. He declined to comment on whether the Cyber
Police or other government agencies were involved in the Hunting System.
Mr Diachenko’s discovery of the server was reported in a computer
trade publication. Several Iranian security researchers continued delving into
the data.
One of them, Mohammad Jorjandi, who lives and works in the
US, said he discovered that the server storing the user data had been
registered to an office in northwestern Tehran by a person named Manouchehr
Hashemloo.
Using online records seen by Bloomberg, Mr Jorjandi
determined that Mr Hashemloo was using the same Gmail address used by a
well-known hacker tied to the Iranian government. The hacker, who goes by
ArYaIeIrAN, has been associated with an alleged Iranian government-sponsored
hacking group known as Charming Kitten, which has a history of targeting
Iranian dissidents, academics, journalists and human rights activists.
The people who had set up the Hunting System server, Mr
Jorjandi concluded, were probably working for the Iranian government.
ClearSky Cyber Security has also previously uncovered
several hacking operations perpetrated by ArYaIeIrAN, the alias associated with
Mr Hashemloo, and a 2017 report cited the hacker’s Gmail address and linked it
to operations carried out by Charming Kitten.
Mr Hashemloo didn’t respond to an email request for comment.
Another Iranian security researcher said that Mr Hashemloo
was “a known person in security and hacker society” in Iran whose “name was on
many Iran government cyber operations”. The researcher, who lives in Iran and
requested anonymity because of safety concerns, said the Hunting System was
probably a portal for Iran’s Cyber Police agency, which was set up in 2011 in
part to target dissident groups and government critics.
Charming Kitten’s hacking exploits have been documented by
researchers for several years.
In its 2017 report, ClearSky documented that Charming Kitten
had created fake news websites – including one named britishnews.com – and
tried to hack the computers of journalists, human rights activists and
researchers based in Europe and the Middle East.
Last year, ClearSky said the same group of hackers had
attempted to break into the email accounts of current and former US officials,
people involved with the current US presidential campaign, journalists covering
global politics and prominent Iranians living outside Iran.
“We have strong evidence to believe Charming Kitten is a
state-sponsored” hacking group in Iran, said Ohad Zaidenberg, the company’s
lead cyber intelligence researcher.
Mr Zaidenberg said he hadn’t assessed who was behind the
Hunting System. But in the past, he said, the Charming Kitten group had targeted
Telegram users. The group had previously set up a malicious website that was
designed to look like a Telegram login page, he said.
For years, Iranians have used Telegram as a means to
communicate using encryption to protect private messages. The app also allows
users to join groups where they can find out about news that is censored by
state media in the country.
After a ban on Telegram, some Iranians circumvented it by
using software such as virtual private networks, which allowed them to bypass
the country’s block on the Telegram website, according to Mr Rashidi.
Others began downloading unofficial versions of Telegram,
called Hotgram and Telegram Gold, which rely on the same underlying code as the
official app but aren’t operated by Telegram.
Security experts suspected that the unofficial apps may have
been developed by the Iranian government as a means to monitor the country’s
citizens.
In May 2019, Nassrollah Pezhmanfar, a member of Iran’s
parliament, confirmed those suspicions, stating that Telegram Gold and Hotgram
were sponsored by Iran’s intelligence and communication ministries, which he
said had spent about $90 million (Dh330m) to create them.
“It was obvious that they were connected to authorities in
Iran,” said Mahsa Alimardani, a researcher who specialises in Iran at the
Oxford Internet Institute. “They were censoring content on the platforms and
seeking to centralise control over users.”
Neither Telegram Gold nor Hotgram responded to an email
message seeking comment.
Telegram has warned Iranians against using the unofficial
apps. Last year, they were removed from the Google Play Store because of
security concerns.
“Unfortunately, despite our warnings, people in Iran are
still using unverified apps,” said the Telegram spokesman. “Apps like Hotgram
or Telegram Gold are very likely to be connected to this.”