BGP attacks hijack Telegram traffic in Iran

With so many users in Iran, it's unsurprising that potentially state-sponsored groups would want an access point into the banned app.
Written by Charlie Osborne, Contributing Writer

Researchers have uncovered a string of campaigns against Telegram and Instagram users including the hijack of traffic through the BGP protocol.

The threat actors behind the attacks -- whether state-sponsored or otherwise -- are focusing exclusively on citizens of Iran that use either the encrypted messaging app or image-sharing service.

According to the Cisco Talos cybersecurity team, the campaigns have been active since 2017 and are ongoing against roughly 40 million Telegram users in the country -- despite the app being banned in Iran -- at the least.

In a blog post on Monday, the researchers said Iranian users have been targeted through fake login pages, malicious apps designed to appear like their legitimate counterparts, and through BGP hijacking, the takeover of the Border Gateway Protocol to reroute Internet traffic.

The first method detected by Talos is the creation of Telegram clones which are made available for download outside of legitimate app repositories such as Google Play.

See also: Bleedingbit zero-day chip flaws may expose majority of enterprises to remote code execution attacks

If installed, these apps gain access to the mobile device's contact lists. Fake Instagram apps, promoted in the same way, are able to send full session data back to command-and-control (C2) servers, which the researchers say can "allow the attacker to take full control of the account in use."

However, Talos believes these apps should be considered grayware rather than full, malicious packages. The apps erode user privacy, but they do not perform any other malicious actions and generally perform as the users expect.

Another method spotted by Talos is the creation of fake login pages to fool those with a limited knowledge of cybersecurity.

Other attacks are focused on compromising the BGP protocol.

Talos detected strange routing and update activity which suggested BGP hijacking was taking place, which the team says were most likely a "deliberate act targeting Telegram-based services in the region."

CNET: Hackers reportedly target election officials, voter data ahead of midterms

"This technique redirects the traffic of all routers, without the device considering the original of those new routes," Talos says. "In order to hijack BGP, there needs to be some sort of cooperation from an internet service provider (ISP), and is easily detectable, so the new routes won't be in place for very long."

The protocol acts as the backbone for Internet traffic routed through ISPs and cloud services and has already been used as a conduit for attacks against Telegram, made possible by the state-owned ISP Telecommunication Company of Iran.

It was also suggested at the time that telecommunications companies provided the government with the Telegram SMS verification codes required to access user accounts.

Iranian officials promised to investigate the former case but have remained silent on the latest evidence of BGP hijacking.

BGP attacks are not uncommon, with Amazon Web Services, Facebook, Apple, Microsoft, and YouTube all becoming victims in recent years.

TechRepublic: Evolving threats to Mac environments

BGP attacks cannot be defended against by standard users, but fake apps are another matter. A technique that the threat actors use to entice the download and installation of the malicious apps is the marketing of the software with "enhanced functionality," but to stay safe, you should download your apps only from legitimate stores which have security procedures in place.

This investigation was focused on Iran due to the current ban on Telegram," the researchers said. "However, these techniques could be used by any malicious actor, being with or without state sponsorship."

The threat of BGP hijacking is not only present in Iran. Last month, researchers said that a Chinese state-owned telecommunications company has been conducting BGP attacks for cyberespionage purposes in the West.

Our top choices for tech gifts

Previous and related coverage

Editorial standards