Written by Patrick Howell O'Neill

Data from the popular encrypted messenger app Telegram was hijacked by Iran’s state-owned telecommunications giant on Monday, a day before proposed protests over the country’s economic crisis.

The move looks to be a BGP hijack, a practice where an intermediary illegitimately takes over groups of IP addresses so data originally destined for one place can be forcefully sent to another.

Monday’s attacks were widely detected as they happened by Oracle’s InternetIntelligence and Cisco’s BGPMon.

Here’s Oracle’s tracking of the incident:

At 06:28 UTC earlier today (30-Jul), an Iranian state telecom network briefly leaked over 100 prefixes. Most were Iranian networks, but the leak also included 10 prefixes of popular messaging app @telegram (8 were more-specifics). pic.twitter.com/MjN2itdpTS — InternetIntelligence (@InternetIntel) July 30, 2018

BGP, or the Border Gateway Protocol, is the technology that exchanges routing data across the various networks that make up the entire global internet.

“Once a valid BGP hijack occurs, the hijacker can perform [man-in-the-middle] attacks, eavesdropping, etc.,” said Nico Waisman, a cybersecurity researcher at Cyxtera.

The protocol, a central component of the global internet, is one way individual networks communicate with one another to exchange internet traffic. It’s also considered, however, the “the classic soft underbelly of the web,” Alan Woodward, a professor at the University of Surrey, told CyberScoop. “At country borders it’s vulnerable when a government has control of the whole network, like some do.”

Woodward added that organizations “whose traffic is hijacked currently have no effective technical means to prevent such attacks.”

Iran’s minister of Information and Communications Technology confirmed the reports in a Tweet on Monday night, saying that “in the event of an error, whether inadvertent or intentional, the Telecommunication Company of Iran will be severely penalized.” An investigation is underway.

Hijacking BGP is a common tactic used by both cybercriminals and nation-states for financial gain, surveillance and censorship. It’s happened everywhere from Italy to Russia to the United States.

“By diverting traffic like this, you can obviously then try to intercept it or you can simply block it,” Woodward explained. “For example, if you know the destination of data you can simply redirect it at the border of your country. It’s an effective way of stopping people in the country from using the app.”

The tactic has become more difficult in recent years as observers are watching more closely — exactly the kind of intense attention focused on Monday’s incident.

Despite being officially banned in Iran, over 30 million Iranians continue to use Telegram using the applications Hotgram and Talagram, Iran’s Deputy Prosecutor General Abdolsamad Khorramabadi said last month.

Telegram did not respond to a request for comment.

Iranian researcher and activist Nariman Gharib told CyberScoop that Tuesday’s protests have been organized via Telegram. One example of a Telegram post for the protests, shown below, calls for people to “gather in the main squares of cities in protest against the tumultuous wave of unemployment and inflation.”

The protests have been promoted by Amadnews, an Iranian protest platform watched by millions of Iranians. It’s organized in part by Iranian opposition members living in exile since the 2009 election protests, which were organized largely on Twitter.