Iranian Hackers Found Way Into Encrypted Apps, Researchers Say

An anonymous reader quotes a report from The New York Times: Iranian hackers, most likely employees or affiliates of the government, have been running a vast cyberespionage operation equipped with surveillance tools that can outsmart encrypted messaging systems -- a capability Iran was not previously known to possess, according to two digital security reports released Friday. The operation not only targets domestic dissidents, religious and ethnic minorities and antigovernment activists abroad, but can also be used to spy on the general public inside Iran, said the reports byCheck Point Software Technologies, a cybersecurity technology firm, andthe Miaan Group, a human rights organization that focuses on digital security in the Middle East.

The reports, which were reviewed by The New York Times in advance of their release, say that the hackers have successfully infiltrated what were thought to be secure mobile phones and computers belonging to the targets, overcoming obstacles created by encrypted applications such as Telegram and, according to Miaan, even gaining access to information on WhatsApp. Both are popular messaging tools in Iran. The hackers also have created malware disguised as Android applications, the reports said. [...] According to the report by Check Point's intelligence unit, the cyberespionage operation was set up in 2014, and its full range of capabilities went undetected for six years. Miaan traced the first the operation to February 2018 from a malicious email targeting a Sufi religious group in Iran after a violent confrontation between its members and Iranian security forces. It traced the malware used in that attack and further attacks in June 2020 to a private technology firm in Iran's northeast city of Mashhad named Andromedaa. Miaan researchers determined that Andromedaa had a pattern of attacking activists, ethnic minority groups and separatist opposition groups but also had developed phishing and malware tools that could target the general public.

The hackers appeared to have a clear goal: stealing information about Iranian opposition groups in Europe and the United States and spying on Iranians who often use mobile applications to plan protests, according to the Miaan report. [...] According to Check Point, the hackers use a variety of infiltration techniques, including phishing, but the most widespread method is sending what appear to be tempting documents and applications to carefully selected targets. [...] The spyware enabled the attackers to gain access to almost any file, log clipboard data, take screenshots and steal information. According to Miaan, one application empowered hackers to download data stored on WhatsApp. In addition, the attackers discovered a weakness in the installation protocols of several encrypted applications including Telegram, which had always been deemed relatively secure, enabling them to steal the apps' installation files. These files, in turn, allow the attackers to make full use of the victims' Telegram accounts. "Although the attackers cannot decipher the encrypted communications of Telegram, their strategy makes it unnecessary," the report adds. "Rather, they use the stolen installation files to create Telegram logins to activate the app in the victims' names on another device. This enables the attackers to secretly monitor all Telegram activity of the victims."

Re:

[DontBeAMoran]

Everything will get cracked.

Especially crackers.

Re:

[Arthur, KBE]

I don't know one way or the other if Iran has the capabilities to pull this off natively, but there's plenty of companies that can provide these capabilities to the highest bidder.

Re:

[arglebargle_xiv]

In particular:

Iranian hackers, most likely employees or affiliates of the government, have been running a vast cyberespionage operation equipped with surveillance tools that can outsmart encrypted messaging systems -- a capability Iran was not previously known to possess

They used social engineering and trojans to walk around the crypto, you need to assume that any and every country and state has capabilities to do this because it's such a valuable source of information for them. So the story is interesting, but the "I am shocked, shocked I tell you that Iran can do this" isn't.

So "secure" Telegram is.

[Khyber]

"create Telegram logins to activate the app in the victims' names on another device"

Basic security, device login authentication. Easily two decades old concept by now.

And people trust the encryption while this shit has been wide open since inception of the software.

Re:

[SuricouRaven]

The vague description of 'installation files' suggests that the attack involves some sort of credential theft. Perhaps from a cloud backup service? It'll be really awkward if that turns out to be one of the big players like Apple or Google, but what are they supposed to do - refuse to comply with a legal order in Iran and be banned from the country entirely? Or maybe the spy agency is actually getting access to the device through old-fashioned low-tech means, like quietly breaking into someone's house and s

Last I checked

[nehumanuscrede]

Anytime you attempt to log into a Telegram account from a different device, an access code is sent ( via Telegram ) to the account holder
( on the device the account is already logged into ) which has to be input before the account is accessible from the new device.

So, unless they have physical access to the existing device where the Telegram account is already running, I'm not quite following how they
could simply log in as the same user on a different device without knowing said access code.

Eg: I want to run Telegram on a mobile phone. I download the app and before it lets me log into the account, it sends an access code to the
existing Telegram session on my desktop. I input said code into the phone and voila, I now have it on both devices. No code = no login on new device.

In addition, you can see how many sessions Telegram is running on for your account pretty easily. A quick glance at mine shows it's running on
my desktop and my phone with the ability to force close all other sessions if you wish to do so.

Re:

[SuricouRaven]

How many people have ever checked that number? Hopefully a few more people will now.

Re:

[amorsen]

If the first device is root compromised, that security is trivially bypassed.

Re:

[rtb61]

Actually, ALL ANDROID devices are root compromised. The user can not easily gain access to root, so when they are phished, an the naughty application they installed gains access to root, the user is blocked from undoing it (the design intent, they wanted to be able to sell Android devices in one state, then update and backdoor and keep the user from readily undoing it). Of course if you know you are being monitored you can just add all sorts of silliness to that monitoring, funny stuff like express yourself

Not my field of expertise, but...

[BankRobberMBA]

Two things jumped out at me.

First, this might depend on the Attacker being able to 'influence' the telecommunications provider. It strikes me that all of the alleged victims are inside Iran, when there are BUTTLOADS of people outside Iran that the regime would LOVE to observe more closely.

Second, imagine this is the other way around:

Eg: I want to run Telegram on a mobile phone. I download the app and before it lets me log into the account, it sends an access code to the
existing Telegram session on my desktop.

It seems way more likely (to me at least, with admittedly no evidence) that Victim is running the service on their phone. Once Attacker has extracted the 'installation files'

This is not "a way into encrypted apps"

[Mr. Dollar Ton]

This is a way around encrypted apps, using social engineering and, by the description of it, bugs in either the phone OS, or backups, which allowed access to the so-called "installation files".

Not sure at all why Telegram is singled out as 'hacked', when it seems from TFS that it was not.

Overall, this looks more like an attack on Telegram than anyone else.

Re:

[John.Banister]

I think it's been singled out because it's the thing the NYT considers that the greatest number of Iranians use to protect themselves from this sort of surveillance.

Re:

[1s44c]

Apparently the US has technology to identify the nationality of anyone over the internet with 100% confidence.

Re:propaganda

[DontBeAMoran]

They'll never be able to identify my nationality, eh?

smart approach

[znrt]

this will get funny.

No, they didn't

[campuscodi]

Article is wrong. Nobody bypassed in-transit encryption. They just gained access to the device, where the data needs to be decrypted so the user sees it.

Hey..It’s not convenient out here

[AuroraMuffy]

Hey..It’s not convenient out here. Why don’t we chat there ==>> http://gg.gg/m6fxm [gg.gg]

Attack of the Islamo Cyber Fascists :]

[minorityreport]

Chinese/Russian/Korean/Iranian hackers .. have been running a vast cyberespionage operation utilising backdoors we installed and equipped with surveillance tools that we sold them, according to a CIA front.

oh look - New York times peddling Iran 'news'

[BardBollocks]

The kind of shit we've been enabling brutal regimes like Saudi Arabia and Israel to do Iran is beginning to be able to do as well? kinda sorta?

I guess when your computing policy is to "Collect Everything" regardless of the security implications, to the point of not only refusing to notify vendors of security flaws but to develop cyberweapons using those flaws eventually the IT experts in (insert enemy state here) will try and detect them and use them too.

These idiotic policies CLEARLY do not make us safer -

os

[fluffernutter]

How can encryption ever protect you if you let people get access to your device? This is an OS failure, not an app failure.