The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years.
Telegram promotes itself as an ultra secure instant messaging system because all data is encrypted from start to finish, known in the industry as end-to-end encryption. A number of other messaging services, including Facebook Inc's (FB.O) WhatsApp, say they have similar capabilities.
Headquartered in Berlin, Telegram says it has 100 million active subscribers and is widely used in the Middle East, including by the Islamic State militant group, as well as in Central and Southeast Asia, and Latin America.
Telegram's vulnerability, according to Anderson and Guarnieri, lies in its use of SMS text messages to activate new devices. When users want to log on to Telegram from a new phone, the company sends them authorization codes via SMS, which can be intercepted by the phone company and shared with the hackers, the researchers said.
Armed with the codes, the hackers can add new devices to a person's Telegram account, enabling them to read chat histories as well as new messages.
"We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company," Anderson said in an interview.
Telegram's reliance on SMS verification makes it vulnerable in any country where cellphone companies are owned or heavily influenced by the government, the researchers said.
A spokesman for Telegram said customers can defend against such attacks by not just relying on SMS verification. Telegram allows - though it does not require - customers to create passwords, which can be reset with so-called "recovery" emails.
"If you have a strong Telegram password and your recovery email is secure, there's nothing an attacker can do," said Markus Ra, the spokesman.
Iranian officials were not available to comment. Iran has in the past denied government links to hacking.
ROCKET KITTEN
The Telegram hackers, the researchers said, belonged to a group known as Rocket Kitten, which used Persian-language references in their code and carried out "a common pattern of spearphishing campaigns reflecting the interests and activities of the Iranian security apparatus."
Anderson and Guarnieri declined to comment on whether the hackers were employed by the Iranian government. Other cyber experts have said Rocket Kitten's attacks were similar to ones attributed to Iran's powerful Revolutionary Guards.
The researchers said the Telegram victims included political activists involved in reformist movements and opposition organizations. They declined to name the targets, citing concerns for their safety.
"We see instances in which people ... are targeted prior to their arrest," Anderson said. "We see a continuous alignment across these actions."
The researchers said they also found evidence that the hackers took advantage of a programing interface built into Telegram to identify at least 15 million Iranian phone numbers with Telegram accounts registered to them, as well as the associated user IDs. That information could provide a map of the Iranian user base that could be useful for future attacks and investigations, they said.
"A systematic de-anonymization and classification of people who employ encryption tools (of some sort, at least) for an entire nation" has never been exposed before, Guarnieri said.
Ra said Telegram has blocked similar "mapping" attempts in the past and was trying to improve its detection and blocking strategies.
Cyber experts say Iranian hackers have become increasingly sophisticated, able to adapt to evolving social media habits. Rocket Kitten's targets included members of the Saudi royal family, Israeli nuclear scientists, NATO officials and Iranian dissidents, U.S.-Israeli security firm Check Point said last November.
POPULAR IN THE MIDDLE EAST
Telegram was founded in 2013 by Pavel Durov, known for starting VKontakte, Russia's version of Facebook, before fleeing the country under pressure from the government.
While Facebook and Twitter are banned in Iran, Telegram is widely used by groups across the political spectrum. They shared content on Telegram "channels" and urged followers to vote ahead of Iran's parliamentary elections in February 2016.
Last October, Durov wrote in a post on Twitter that Iranian authorities had demanded the company provide them with "spying and censorship tools." He said Telegram ignored the request and was blocked for two hours on Oct. 20, 2015.
Ra said the company has not changed its stance on censorship and does not maintain any servers in Iran.
After complaints from Iranian activists, Durov wrote on Twitter in April that people in "troubled countries" should set passwords for added security.
Amir Rashidi, an internet security researcher at the New York-based International Campaign for Human Rights in Iran, has worked with Iranian hacking victims. He said he knew of Telegram users who were spied on even after they had set passwords.
Ra said that in those cases the recovery email had likely been hacked.
Anderson and Guarnieri will present their findings at the Black Hat security conference in Las Vegas on Thursday. Their complete research is set to be published by the Carnegie Endowment for International Peace, a Washington-based think tank, later this year.
路透社援引网络安全研究人员的消息报道,伊朗黑客入侵了数十个 Telegram 用户账号,识别出1500万伊朗用户的电话号码。Telegram 发表官方博客否认它的平台遭到入侵,称攻击者利用的是消息应用的检查机制,该机制允许任何人检查一个电话号码是否在系统中注册了,其它基于联系人的应用如 WhatsApp 和 Messenger都存在该问题。路透社报道称,Telegram 在伊朗大约有2000万用户,这次攻击发生在今年,此前没有报道过,可能会危及到伊朗活动人士、记者和其他敏感人士的通信。Telegram 称这些被识别出的用户账号并没有被攻击者访问过,表示它已经在API中设限阻止大规模的检查注册电话号码。