Researchers say Iran is using new and more aggressive tools to spy on its citizens. EPA

Iran is using chat apps to spy on its citizens, researchers say



Bob Diachenko, a security researcher in Ukraine, spends part of his days searching the internet for troves of data that aren’t secured properly, in order to patch them up so they aren’t exploited by hackers.

Last month, he came across an unsecured server storing information on 42 million messaging accounts, nearly all from Iran and tied to the chat app Telegram.

There were no immediate clues as to who had obtained the data and placed it on the server. There was only a landing page, all black, with the logo of a white eagle and a message in Farsi.

“Welcome to the Hunting System,” it said.

Mr Diachenko said he notified an Iranian cybersecurity agency, and soon after that, the server was taken down.

But before it vanished, other cybersleuths began their own investigations. Ultimately, that led them to a hacking group with an unlikely nickname – Charming Kitten – and a startling conclusion: Mr Diachenko had stumbled across an Iranian government spying operation.

“For more than 10 years, I have been monitoring Iranian cyber-attacks and surveillance, and I have never seen anything like this,” said Amir Rashidi, an Iranian internet security and digital rights researcher, who is based in New York. “They could use this to go after my relatives, my friends, my family.”

The trove of data, portions of which were reviewed by Bloomberg, contained usernames, phone numbers, user biographies, and unique codes – or “hashes” – associated with the accounts stored on the server.

It’s not clear if the data was mostly from Telegram users or from users of unofficial versions of the app that became popular after Telegram was banned in Iran in 2018. Some of the unofficial apps, which use the same source code as Telegram, have been previously linked to Iran’s government.

Either way, the data could be used to clone people’s accounts and spy on private communications, identify people who are using Telegram anonymously, or send out propaganda or disinformation aimed at specific groups, Mr Diachenko said.

Mr Rashidi said Iran was previously known to selectively target and hack particular people’s accounts. But the Hunting System indicates Iranian authorities are using new and more aggressive techniques to collect and analyse huge troves of information about their citizens, he said.

“This is the first time that I have seen evidence that they are trying to analyse the data on a massive scale,” Mr Rashidi said.

Telegram said in an email statement that it believes the data originated from unofficial versions of its app that are used in Iran, which it said could have covertly harvested information about Telegram users from people’s phones.

“The data samples which we were able to study clearly show that the data was collected using third-party apps that stole data from their users,” said Markus Ra, a Telegram spokesman.

“If one of your friends who has your number used a malicious app, your number and username can end up in a database” like the Hunting System, Mr Ra said, “even if you haven’t used that malicious app yourself.”

At least some of the user accounts in the data trove are associated with active users of the official Telegram app, based on a review comparing accounts on the server and on Telegram. Timestamps indicate that some of the Telegram user records were accessed as recently as March 2020.

Iran’s Cyber Police didn’t respond to requests for comment. Amir Nazemi, deputy minister at Iran’s Ministry of Communication and Information Technology, said he filed a complaint about the data breach with Iran’s attorney general’s office. He declined to comment on whether the Cyber Police or other government agencies were involved in the Hunting System.

Mr Diachenko’s discovery of the server was reported in a computer trade publication. Several Iranian security researchers continued delving into the data.

One of them, Mohammad Jorjandi, who lives and works in the US, said he discovered that the server storing the user data had been registered to an office in northwestern Tehran by a person named Manouchehr Hashemloo.

Using online records seen by Bloomberg, Mr Jorjandi determined that Mr Hashemloo was using the same Gmail address used by a well-known hacker tied to the Iranian government. The hacker, who goes by ArYaIeIrAN, has been associated with an alleged Iranian government-sponsored hacking group known as Charming Kitten, which has a history of targeting Iranian dissidents, academics, journalists and human rights activists.

The people who had set up the Hunting System server, Mr Jorjandi concluded, were probably working for the Iranian government.

ClearSky Cyber Security has also previously uncovered several hacking operations perpetrated by ArYaIeIrAN, the alias associated with Mr Hashemloo, and a 2017 report cited the hacker’s Gmail address and linked it to operations carried out by Charming Kitten.

Mr Hashemloo didn’t respond to an email request for comment.

Another Iranian security researcher said that Mr Hashemloo was “a known person in security and hacker society” in Iran whose “name was on many Iran government cyber operations”. The researcher, who lives in Iran and requested anonymity because of safety concerns, said the Hunting System was probably a portal for Iran’s Cyber Police agency, which was set up in 2011 in part to target dissident groups and government critics.

Charming Kitten’s hacking exploits have been documented by researchers for several years.

In its 2017 report, ClearSky documented that Charming Kitten had created fake news websites – including one named britishnews.com – and tried to hack the computers of journalists, human rights activists and researchers based in Europe and the Middle East.

Last year, ClearSky said the same group of hackers had attempted to break into the email accounts of current and former US officials, people involved with the current US presidential campaign, journalists covering global politics and prominent Iranians living outside Iran.

“We have strong evidence to believe Charming Kitten is a state-sponsored” hacking group in Iran, said Ohad Zaidenberg, the company’s lead cyber intelligence researcher.

Mr Zaidenberg said he hadn’t assessed who was behind the Hunting System. But in the past, he said, the Charming Kitten group had targeted Telegram users. The group had previously set up a malicious website that was designed to look like a Telegram login page, he said.

For years, Iranians have used Telegram as a means to communicate using encryption to protect private messages. The app also allows users to join groups where they can find out about news that is censored by state media in the country.

After a ban on Telegram, some Iranians circumvented it by using software such as virtual private networks, which allowed them to bypass the country’s block on the Telegram website, according to Mr Rashidi.

Others began downloading unofficial versions of Telegram, called Hotgram and Telegram Gold, which rely on the same underlying code as the official app but aren’t operated by Telegram.

Security experts suspected that the unofficial apps may have been developed by the Iranian government as a means to monitor the country’s citizens.

In May 2019, Nassrollah Pezhmanfar, a member of Iran’s parliament, confirmed those suspicions, stating that Telegram Gold and Hotgram were sponsored by Iran’s intelligence and communication ministries, which he said had spent about $90 million (Dh330m) to create them.

“It was obvious that they were connected to authorities in Iran,” said Mahsa Alimardani, a researcher who specialises in Iran at the Oxford Internet Institute. “They were censoring content on the platforms and seeking to centralise control over users.”

Neither Telegram Gold nor Hotgram responded to an email message seeking comment.

Telegram has warned Iranians against using the unofficial apps. Last year, they were removed from the Google Play Store because of security concerns.

“Unfortunately, despite our warnings, people in Iran are still using unverified apps,” said the Telegram spokesman. “Apps like Hotgram or Telegram Gold are very likely to be connected to this.”
