Iranian government hackers are exploiting Telegram to steal data from dissidents, opposition groups, and journalists opposed to the regime globally, according to an FBI alert published on Friday.
Initially, these hackers contact targets by posing as a known contact or as tech support and persuade them to open a link to a malicious file disguised as a legitimate app such as Telegram or WhatsApp. Once installed, the second stage of the attack connects the victim’s device to Telegram bots, which let the hackers remotely control the device, steal files, take screenshots, and record Zoom calls.
Using Telegram to remotely control devices hides the malicious command-and-control traffic among legitimate Telegram traffic, making it harder for defenders and anti-malware products to detect.
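The detection difficulty described above comes from the fact that the traffic goes to Telegram's real servers, so blocking by destination is not an option for most organisations. One thing a defender can still key on is the shape of the traffic: an end-user chat client does not speak Telegram's HTTP Bot API (paths of the form `/bot<token>/<method>` on `api.telegram.org`), a process that is not the Telegram client has no reason to reach Telegram at all, and a bot-controlled implant tends to poll `getUpdates` at a fixed interval and push files out with `sendDocument`. The following is an added example (not from the FBI alert or this article) that applies those three checks to a constructed, process-attributed outbound HTTP log; the pipe-separated log format, the process allow-list and the sample lines are assumptions made for the example, while the Bot API path shape and method names are Telegram's real ones.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of process-attributed outbound HTTP log lines. The
# pipe-separated layout (timestamp | host | process | destination | path)
# is an assumption for this example, not any real product's export format.
# "EXAMPLETOKEN" stands in for a real bot token.
SAMPLE_LOG = """\
2024-06-01T10:00:00 | ws-17 | Telegram.exe | web.telegram.org | /
2024-06-01T10:00:05 | ws-17 | updater.exe | api.telegram.org | /bot123456:EXAMPLETOKEN/getUpdates
2024-06-01T10:00:35 | ws-17 | updater.exe | api.telegram.org | /bot123456:EXAMPLETOKEN/getUpdates
2024-06-01T10:01:05 | ws-17 | updater.exe | api.telegram.org | /bot123456:EXAMPLETOKEN/getUpdates
2024-06-01T10:01:10 | ws-17 | updater.exe | api.telegram.org | /bot123456:EXAMPLETOKEN/sendDocument
2024-06-01T10:01:35 | ws-17 | updater.exe | api.telegram.org | /bot123456:EXAMPLETOKEN/getUpdates
2024-06-01T10:02:00 | ws-22 | chrome.exe | www.example.com | /index.html
2024-06-01T10:02:05 | ws-17 | updater.exe | api.telegram.org | /bot123456:EXAMPLETOKEN/getUpdates
2024-06-01T10:03:00 | ws-22 | Telegram.exe | api.telegram.org | /
"""

# Telegram's Bot API is served under /bot<id>:<token>/<method>.
BOT_API_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
TELEGRAM_HOSTS = {"api.telegram.org", "web.telegram.org"}
# Processes expected to talk to Telegram on this fleet (assumed allow-list;
# a browser using Telegram Web would need adding to avoid false positives).
EXPECTED_TELEGRAM_PROCESSES = {"telegram.exe"}
# Bot API methods that move files or media off the host.
UPLOAD_METHODS = {"senddocument", "sendphoto", "sendvideo", "sendaudio"}


def parse_log(text):
    """Parse the pipe-separated lines into dicts with a datetime timestamp."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, path = [f.strip() for f in line.split("|")]
        entries.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "process": proc, "dest": dest.lower(), "path": path})
    return entries


def analyze(text, max_jitter_s=5.0):
    """Return {(host, process): [reasons]} for Telegram traffic worth triage.

    Reasons: unexpected_process (non-allow-listed process reaching Telegram),
    bot_api_use (any /bot<token>/ path), bot_api_upload (a file/media upload
    method), regular_polling (>= 3 getUpdates calls at near-constant spacing).
    """
    by_actor = defaultdict(list)
    for e in parse_log(text):
        if e["dest"] in TELEGRAM_HOSTS:
            by_actor[(e["host"], e["process"])].append(e)

    findings = {}
    for (host, proc), events in by_actor.items():
        reasons = set()
        if proc.lower() not in EXPECTED_TELEGRAM_PROCESSES:
            reasons.add("unexpected_process")
        poll_times = []
        for e in events:
            m = BOT_API_RE.match(e["path"])
            if not m:
                continue
            reasons.add("bot_api_use")
            method = m.group(3).lower()
            if method in UPLOAD_METHODS:
                reasons.add("bot_api_upload")
            if method == "getupdates":
                poll_times.append(e["ts"])
        poll_times.sort()
        if len(poll_times) >= 3:
            gaps = [(b - a).total_seconds()
                    for a, b in zip(poll_times, poll_times[1:])]
            # Near-constant spacing between polls is the beaconing signal.
            if statistics.pstdev(gaps) <= max_jitter_s:
                reasons.add("regular_polling")
        if reasons:
            findings[(host, proc)] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for (host, proc), reasons in analyze(SAMPLE_LOG).items():
        print(f"{host} {proc}: {', '.join(reasons)}")
```

On the sample, only `updater.exe` on `ws-17` is reported, with all four reasons; the two legitimate `Telegram.exe` sessions and the unrelated browser traffic produce nothing. The process allow-list is the part that needs local tuning, and the Bot API path check only works where the log source has visibility into HTTPS paths (an EDR or a TLS-inspecting proxy), since the path is otherwise encrypted.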
Per the FBI, these hackers are allegedly working for Iran’s Ministry of Intelligence and Security (MOIS), using cyberattacks to advance Iran’s geopolitical agenda.
In the alert, the FBI mentioned the pro-Iranian and pro-Palestinian fake hacktivist group Handala, though it’s unclear whether the group conducted the attacks described. Earlier this month, Handala claimed responsibility for attacking medical tech giant Stryker, an attack that wiped tens of thousands of employee devices. Stryker, in an 8-K filing with the U.S. SEC, reported that it is still recovering from the hack.
Last week, the U.S. Justice Department accused Handala of being a front for Iran’s government, linked to the MOIS, and of being responsible for the Stryker hack. Concurrently, the FBI seized websites tied to Handala and to another Iranian group called “Homeland Justice.” The FBI claims both groups are controlled by the MOIS.
Neither the FBI nor Telegram provided further comments.
