Researchers announced Friday that they had discovered a “large-scale” six-year campaign by Iranian-linked hackers to surveil Iranian dissidents and expats, including through targeting accounts on the instant messaging app Telegram.
A report released by Check Point Software Technologies said that, beginning as early as 2014, Iranian entities targeted government dissidents including resistance group Mujahedin-e Khalq and the Azerbaijan National Resistance Organization through attacking their mobile devices and personal computers.
“The conflict of ideologies between those movements and the Iranian authorities makes them a natural target for such an attack, as they align with the political targeting of the regime,” Check Point researchers wrote in the report.
The Iranian-linked hackers used multiple methods to surveil and attack the victims, including an Android back door that posed as a service for Persian speakers in Sweden to apply for a driver’s license, extracting two-factor authentication codes from SMS messages, recording the audio surroundings of a phone, and hijacking Telegram accounts.
Check Point researchers noted that the surveillance and hacking effort was likely part of an “effort to collect intelligence on potential opponents to the regime.”
Lotem Finkelsteen, manager of threat intelligence at Check Point, said Friday that in light of the findings, Telegram was “clearly hijack-able,” emphasizing that “instant messaging surveillance, especially on Telegram, is something everyone should be cautious and aware of.”
“The mobile, PC and web phishing attacks are all connected to the same operation,” Finkelsteen said in a statement. “Meaning, these operations are managed according to intelligence and national interests, as opposed to technological challenges. We will continue to monitor different geographies across the world to better inform the public around cyber security.”
The findings were published on the heels of a flurry of actions taken by the Trump administration this week to crack down on Iranian-linked malicious hacking efforts.
The Treasury Department on Thursday sanctioned 45 Iranians and two hacking groups for allegedly targeting Iranian dissidents, with the agency noting that some victims were eventually arrested and subjected to physical and psychological abuse.
And Justice Department announced indictments against Iranian nationals linked to malicious cyber efforts targeted at satellite companies and against those accused of stealing hundreds of terabytes of data from U.S. and international companies on behalf of the Iranian government.