Iranian hackers using Telegram to steal data, says FBI
What's the story
The Federal Bureau of Investigation (FBI) has issued a warning about Iranian government hackers using the messaging platform Telegram to conduct cyber attacks. The attacks target dissidents, opposition groups, and journalists critical of the regime worldwide. In the first stage of these attacks, the hackers pose as known contacts or tech support to trick their targets into clicking on links to malicious files that are disguised as legitimate apps such as Telegram and WhatsApp.
Attack strategy
Hackers hide malicious activity among legitimate network traffic
Once the target installs the malware, the second stage of the attack is triggered. The malware connects the infected machine to Telegram bots, giving the hackers remote access to and control over the victim's computer. Hackers often use this method because the command traffic blends in with legitimate Telegram traffic, making it difficult for cybersecurity defenders and anti-malware products to detect.
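Because the second-stage malware talks to Telegram's Bot API, one defensive check is to look for that API being called from hosts and processes that have no business driving a bot, and for the repeated getUpdates polling an implant performs while waiting for commands. The following is an added example, not part of the FBI alert or this article: the proxy log format, hostnames, process names and bot token are constructed for illustration; the URL shape https://api.telegram.org/bot<id>:<secret>/<method> is Telegram's documented Bot API form.

```python
import re
from collections import defaultdict

# Constructed web-proxy log lines (not from the FBI alert): timestamp host process HTTP-method URL.
# Hostnames, process names and the bot token are made up for this example.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z ws-17 updater.exe GET https://api.telegram.org/bot7123456789:AAHconstructedtoken0000000000000000/getUpdates?offset=1",
    "2024-03-01T10:00:05Z ws-03 Telegram.exe GET https://web.telegram.org/a/",
    "2024-03-01T10:00:31Z ws-17 updater.exe GET https://api.telegram.org/bot7123456789:AAHconstructedtoken0000000000000000/getUpdates?offset=2",
    "2024-03-01T10:01:02Z ws-17 updater.exe POST https://api.telegram.org/bot7123456789:AAHconstructedtoken0000000000000000/sendDocument",
    "2024-03-01T10:02:00Z ws-09 chrome.exe GET https://core.telegram.org/bots/api",
]

# Bot API requests look like https://api.telegram.org/bot<id>:<secret>/<method>.
# Only bots (and the software driving them) use this path; the official chat clients do not.
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)")


def parse_line(line):
    """Split one proxy log line into its five fields; return None for malformed lines."""
    fields = line.split(maxsplit=4)
    if len(fields) != 5:
        return None
    ts, host, process, http_method, url = fields
    return {"ts": ts, "host": host, "process": process, "http_method": http_method, "url": url}


def find_bot_api_calls(lines, allowed_processes=frozenset()):
    """Return {host: [finding, ...]} for Bot API calls made by processes not on the allowlist.
    The bot secret is deliberately not recorded, only the numeric bot id, so findings can be shared."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["process"].lower() in allowed_processes:
            continue
        m = BOT_API_RE.match(rec["url"])
        if not m:
            continue
        bot_id, _secret, api_method = m.groups()
        findings[rec["host"]].append(
            {"ts": rec["ts"], "process": rec["process"], "bot_id": bot_id, "api_method": api_method})
    return dict(findings)


def polling_hosts(findings, min_polls=2):
    """Hosts that repeatedly call getUpdates: an implant waiting for bot commands looks like this."""
    return {host for host, calls in findings.items()
            if sum(1 for c in calls if c["api_method"] == "getUpdates") >= min_polls}


if __name__ == "__main__":
    hits = find_bot_api_calls(SAMPLE_LOGS)
    for host, calls in hits.items():
        print(host, [(c["process"], c["api_method"]) for c in calls])
    print("polling hosts:", polling_hosts(hits))
```

In a real deployment the allowlist would hold the processes that legitimately run bots, and the per-host findings would feed an alert or a hunt query rather than a print.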
Suspected involvement
Cyber attacks part of Iranian regime's geopolitical agenda
The FBI has linked these cyber attacks to hackers working for Iran's Ministry of Intelligence and Security (MOIS). The bureau said these incidents are part of a broader effort by Iranian government hackers to further the regime's "geopolitical agenda." The alert also mentioned Handala, a pro-Iranian and pro-Palestine hacktivist group, although it remains unclear if this group was involved in the attacks.
Past actions
Handala claimed responsibility for attack on Stryker
Earlier this month, Handala claimed responsibility for an attack on medical tech giant Stryker. The incident resulted in the wiping of tens of thousands of employee devices. In an 8-K filing with the US Securities and Exchange Commission, Stryker said it is still recovering from the hack. Last week, the US Justice Department accused Handala of being a front for Iran's government and MOIS, and of being behind the Stryker hack.