A hacking group with suspected links to the Iranian security services has reportedly compromised the phone numbers of 15 million Telegram users in Iran and over a dozen individual chat accounts on the encrypted platform, according to Reuters.
The notorious cybercrime collective implicated is dubbed 'Rocket Kitten' and is known to target dissidents, politicians and journalists with sophisticated spearphishing tactics. Analysis from security firm Check Point previously found the group to be "aligned with nation-state intelligence interests".
Now, based on fresh research from two experts, Collin Anderson and Claudio Guarnieri, a Telegram vulnerability is reportedly being exploited in a way that could 'map' users of the popular application, which offers encrypted chats and messaging features to roughly 20 million users in Iran.
The security flaw, according to Anderson and Guarnieri, and exclusively reported by Reuters, relates to how Telegram uses SMS text messages to activate new devices.
When a user logs into the service from a new smartphone, Telegram sends an authorisation code via text message. The researchers claim these codes are being intercepted by state-owned phone companies in Iran and potentially shared with the hacking group.
With these authorisation codes, hackers are then able to covertly add new devices to a target's Telegram account and snoop on messages, the researchers claimed.
"We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like, basically, coordination with the cellphone company," Anderson told Reuters in an interview.
The researchers claim to have found evidence the hackers used a "programming interface built into Telegram" to identify 15 million Iranian phone numbers and their linked ID numbers registered with the platform, which they said could be used in future "attacks and investigations".
According to Guarnieri, this is the first time such a "systematic de-anonymisation and classification" of people using encrypted messaging applications has been exposed.
Markus Ra, a spokesperson for Telegram, said: "If you have a strong Telegram password and your recovery email is secure, there's nothing an attacker can do." He added that users can also set a password on their accounts for an extra layer of protection.
The researchers, who are set to reveal more details at the Black Hat conference in Las Vegas on 4 August, said the Telegram victims included political activists involved in "reformist movements and opposition organisations", but they did not elaborate further.
Anderson and Guarnieri also declined to comment on whether the hackers were employed by the Iranian government. However, Anderson admitted: "We see instances in which people [...] are targeted prior to their arrest. We see a continuous alignment across these actions."
Previously, two intelligence officials from Europe and the Middle East separately told the Financial Times that Rocket Kitten shared links with the Islamic Revolutionary Guard Corps (IRGC), which is said to routinely conduct cyber-warfare against government agencies across the world, especially in the US.
Update (3 August 2016): Telegram has released a statement following the researchers' claims. It denied the assertion that 15 million phone numbers had been compromised.
It said: "Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed. Such mass checks are no longer possible since we introduced some limitations into our API this year.
"However, since Telegram is based on phone contacts, any party can potentially check whether a phone number is registered in the system. This is also true for any other contact-based messaging app (WhatsApp, Messenger, etc.).
"As for the reports that several accounts were accessed earlier this year by intercepting SMS-verification codes, this is hardly a new threat as we've been increasingly warning our users in certain countries about it. Last year we introduced 2-Step Verification specifically to defend users in such situations."
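As an added illustration (not Telegram's code), the following Python models the device enrollment flow described above: a one-time SMS code lets a new device onto an account, and a 2-Step Verification password, where one is set, blocks enrollment even when that code has been read by a third party. The phone number, device ids and password are constructed placeholders.

```python
# Added example, not Telegram's code: a minimal model of SMS-based device
# enrollment with an optional second factor, showing that an SMS code alone
# is enough to add a device to an account unless a password is also required.
import hashlib, hmac, secrets, time

class Account:
    def __init__(self, phone, password=None):
        self.phone = phone
        self.devices = set()      # device ids authorised to read messages
        self.pending = {}         # device_id -> (sms_code, issued_at)
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self.hash_pw(password) if password else None

    def hash_pw(self, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

def request_login_code(acct, device_id):
    """Issue a one-time code and 'send' it by SMS. It is returned here because,
    in the scenario the article describes, the carrier can read it as well."""
    code = f"{secrets.randbelow(100_000):05d}"
    acct.pending[device_id] = (code, time.time())
    return code

def complete_login(acct, device_id, code, password=None, ttl=300):
    """Enroll device_id only if the SMS code is fresh and correct AND, when
    2-step verification is enabled, the account password also matches."""
    entry = acct.pending.pop(device_id, None)   # single use: consumed on any attempt
    if entry is None:
        return False
    issued_code, issued_at = entry
    if time.time() - issued_at > ttl or not hmac.compare_digest(issued_code, code):
        return False
    if acct.pw_hash is not None:                # 2-step verification enabled
        if password is None:
            return False
        if not hmac.compare_digest(acct.pw_hash, acct.hash_pw(password)):
            return False
    acct.devices.add(device_id)
    return True

def enroll_with_intercepted_code(password_on_account=None, password_supplied=None):
    """A party holding only the SMS code tries to add a new device (constructed data)."""
    acct = Account("+98-000-CONSTRUCTED", password=password_on_account)
    code = request_login_code(acct, "new-device")
    return complete_login(acct, "new-device", code, password_supplied)
```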