Hackers Breached Telegram, Email Accounts of 20 Israeli Crypto Execs: Report

by Rachel McIntosh
  • Cybersecurity firm Pandora says that the hacks were the result of an "SMSC spoofing attack."
Hackers Breached Telegram, Email Accounts of 20 Israeli Crypto Execs: Report
Bloomberg
Join our Crypto Telegram channel

Hackers targeted approximately 20 Israeli cryptocurrency executives in early September, demanding Payments of digital currency after hacking into their phones and stealing their identities. Israeli news source Haaretz reported that the cyberattack, which ultimately did not result in any lost funds, may have been carried out by a state-sponsored team.

According to Haaretz, the failed attack also involved a major telecom company, a Cybersecurity firm called Pandora, and “perhaps even the Israeli Shin Bet”, the Israeli internal security service that is known as the Israel Security Agency, Mossad and Israel’s National Cyber Security Authority were additionally involved in the investigation.

The story began on September 7th, when Tzahi Ganot, co-founder of Pandora Security, a cyber consulting company specializing in protection for executives in sensitive positions, said that his company was approached by “a new client.”

Within 24 hours, Ganot Was Flooded with Messages Reporting Similar Attacks

The man was “a deputy chief financial officer of a company who said his mobile phone had been hacked during the night, and that his Telegram account and perhaps other accounts had been breached,” Ganot told Haaretz.

By that point, “the hackers [had] sent messages to this man’s contacts from his Telegram account in his name and asked them to send cryptocurrency,” Ganot explained. At that point, “we sent the executive a price offer and I tried to figure out with my partner how his phone had been hacked – whether it was by duplication of his SIM card or by installing a malware application onto his phone.”

While cryptocurrency-related hacks are a somewhat common occurrence, Ganot said that the fact that the hacker was able to breach the man’s Telegram accounts was somewhat unusual, not a simple task for a hacker.

That same day, Ganot said that his firm “sent a report of the case to our clients and to a few digital currency groups we are members of.”

However, by the next morning, “I was flooded with messages from people I know and from some I don’t, all with similar complaints of being hacked.”

Ganot explained that the hacker had managed to compromise the phones of approximately 20 executives of Israeli companies, all of them either CEOs or vice-CEOs who run digital currency firms. Additionally, “all of the victims were clients of [Israeli telecommunications giant] Partner,” Ganot said.

The Hacker Managed to Breach 20 CEO’s and Vice-CEO’s Telegram Accounts – Not a Simple Task

Many of the executives had their Telegram apps hacked; others had their Gmail and Yahoo mail accounts breached.

How did the hacker manage to break into the accounts? “The identity theft used the phone to conduct a user verification process with the help of SMS,” Ganot explained, referring to the SMS identity verification method that is used by countless digital services, including Telegram.

If a Telegram user has difficulty accessing their account, they can choose to receive a temporary code by SMS and use it to enter the service and replace their password. This is what the hacker was able to access.

Usually, hackers are able to access these SMS messages through duplicating unsuspecting users’ SIM cards. However, this time, the attackers seem to have hijacked the SMS messages sent by Partner, which might explain why all of the executives were Partner’s clients.

“Stealing a user’s SMS messages is not simple and isn’t supposed to be accessible to private individuals,” Ganot explained. This is why SMS verification is generally considered to be fairly secure.

The Method Behind the Madness: Hackers Seem to Have Impersonated Foreign Cellular Networks

Ultimately, Pandora’s investigation revealed that the incident was most likely an 'SMSC spoofing attack', which takes advantage of a phone’s data roaming function, Ganot said.

This kind of attack requires access to a foreign cellular network that interacts directly with Israeli cellular networks: “the hackers send a message from a foreign cell network to an Israeli one, updating the client’s location,” Ganot explained.

“For example: ‘The client has just landed in Tbilisi, he has registered with our network. Please route his SMS messages via this network.’” The plan managed to be so effective because “this is a necessary procedure for people entering a foreign country, whose cell phones are in ‘roaming’ mode.”

“It’s a rare assault,” Ganot said.

Diabolical.

Hackers targeted approximately 20 Israeli cryptocurrency executives in early September, demanding Payments of digital currency after hacking into their phones and stealing their identities. Israeli news source Haaretz reported that the cyberattack, which ultimately did not result in any lost funds, may have been carried out by a state-sponsored team.

According to Haaretz, the failed attack also involved a major telecom company, a Cybersecurity firm called Pandora, and “perhaps even the Israeli Shin Bet”, the Israeli internal security service that is known as the Israel Security Agency, Mossad and Israel’s National Cyber Security Authority were additionally involved in the investigation.

The story began on September 7th, when Tzahi Ganot, co-founder of Pandora Security, a cyber consulting company specializing in protection for executives in sensitive positions, said that his company was approached by “a new client.”

Within 24 hours, Ganot Was Flooded with Messages Reporting Similar Attacks

The man was “a deputy chief financial officer of a company who said his mobile phone had been hacked during the night, and that his Telegram account and perhaps other accounts had been breached,” Ganot told Haaretz.

By that point, “the hackers [had] sent messages to this man’s contacts from his Telegram account in his name and asked them to send cryptocurrency,” Ganot explained. At that point, “we sent the executive a price offer and I tried to figure out with my partner how his phone had been hacked – whether it was by duplication of his SIM card or by installing a malware application onto his phone.”

While cryptocurrency-related hacks are a somewhat common occurrence, Ganot said that the fact that the hacker was able to breach the man’s Telegram accounts was somewhat unusual, not a simple task for a hacker.

That same day, Ganot said that his firm “sent a report of the case to our clients and to a few digital currency groups we are members of.”

However, by the next morning, “I was flooded with messages from people I know and from some I don’t, all with similar complaints of being hacked.”

Ganot explained that the hacker had managed to compromise the phones of approximately 20 executives of Israeli companies, all of them either CEOs or vice-CEOs who run digital currency firms. Additionally, “all of the victims were clients of [Israeli telecommunications giant] Partner,” Ganot said.

The Hacker Managed to Breach 20 CEO’s and Vice-CEO’s Telegram Accounts – Not a Simple Task

Many of the executives had their Telegram apps hacked; others had their Gmail and Yahoo mail accounts breached.

How did the hacker manage to break into the accounts? “The identity theft used the phone to conduct a user verification process with the help of SMS,” Ganot explained, referring to the SMS identity verification method that is used by countless digital services, including Telegram.

If a Telegram user has difficulty accessing their account, they can choose to receive a temporary code by SMS and use it to enter the service and replace their password. This is what the hacker was able to access.

Usually, hackers are able to access these SMS messages through duplicating unsuspecting users’ SIM cards. However, this time, the attackers seem to have hijacked the SMS messages sent by Partner, which might explain why all of the executives were Partner’s clients.

“Stealing a user’s SMS messages is not simple and isn’t supposed to be accessible to private individuals,” Ganot explained. This is why SMS verification is generally considered to be fairly secure.

The Method Behind the Madness: Hackers Seem to Have Impersonated Foreign Cellular Networks

Ultimately, Pandora’s investigation revealed that the incident was most likely an 'SMSC spoofing attack', which takes advantage of a phone’s data roaming function, Ganot said.

This kind of attack requires access to a foreign cellular network that interacts directly with Israeli cellular networks: “the hackers send a message from a foreign cell network to an Israeli one, updating the client’s location,” Ganot explained.

“For example: ‘The client has just landed in Tbilisi, he has registered with our network. Please route his SMS messages via this network.’” The plan managed to be so effective because “this is a necessary procedure for people entering a foreign country, whose cell phones are in ‘roaming’ mode.”

“It’s a rare assault,” Ganot said.

Diabolical.

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}