On April 29, two Russian opposition activists reported that their Telegram messenger accounts had been hacked remotely. Georgy Alburov, a leading member of the Anti-Corruption Foundation, and Oleg Kozlovsky, the director of the Vision of Tomorrow Center in Moscow, believe unauthorized access to their accounts was obtained through tampering with the app's SMS login feature. They suspect the Russian government was involved in the hack.

У кого ночью взломали телеграм, тот я. Интересно, как это возможно? СМС с помощью МТС перехватили? pic.twitter.com/K17uMQhIe6 — Георгий Албуров (@alburov) April 29, 2016

Who had their Telegram hacked last night? Me. I wonder, how is this possible? Hijacked text messages with MTS’ assistance?

Here's what it looks like. @Telegram, can you deal with this?

What Happened Exactly?

The activists note that, according to the messages they received, the unauthorized access attempts on April 29 were made from the same IP-address in New York. Alburov also noted that the hackers used an unofficial, little-known Telegram command line client, TelegramCli, to access their accounts.

While both activists eventually received suspicious login notifications, they did not receive any notices of password changes or authentication requests, and only learned about access attempts because Telegram alerted them that a new device had accessed their accounts.

So how did the hackers gain access to Telegram?

Alburov and Kozlovsky appealed to the Telegram support service, and received a reply saying their accounts were accessed through text-based authorization, which allows users to connect new devices to Telegram accounts simply by entering a verification code received via text message. Because neither Alburov nor Kozlovsky had enabled two-step verification on their accounts, the hackers were able to gain entry.

Who Is Behind the Attack?

The question remains: How did the hackers get the text message without the account owners seeing it? Kozlovsky grilled the technical support staff at MTS, one of Russia's largest cell service providers, and discovered that text-message delivery for his SIM card was switched off for several hours during the night his Telegram account was hacked. Though an MTS spokesperson later denied any “intentional” activity aimed at disabling services, Kozlovsky believes the provider is directly implicated in the incident. The activist summarized his findings in a Facebook post attempting to recreate the events:

События развивались следующим образом:

В 2:25 ночи отдел технологической безопасности МТС отключает мне сервис доставки SMS-сообщений.

Через 15 минут, в 2:40, кто-то с Unix-консоли по IP-адресу 162.247.72.27 (это один из серверов анонимайзера Tor) отправил в Telegram запрос на авторизацию нового устройства с моим номером телефона.

Мне было отправлено SMS с кодом, которое доставлено не было (сервис для меня отключен).

В 3:08 злоумышленник вводит код авторизации и получает доступ к моему аккаунту. Telegram присылает мне автоматическое уведомление об этом (которое я прочитаю только утром).

В 3:12 аналогичным образом с того же IP-адреса (т.е. через ту же сессию Tor) взламывается аккаунт Жоры Албурова.

В 4:55 отдел технологической безопасности МТС вновь включает мне сервис доставки SMS.

Причину отключения и включения сервиса МТС мне назвать отказалось, предложив написать письменный запрос.

Here is how the events unfolded:

At 2:25am the technical security department of MTS disables the text message delivery service for my number.

15 minutes later, at 2:40am, someone uses a Unix console via the IP-address 162.247.72.27 (this is a Tor anonymizer exit node) to send Telegram a request to authorize a new device to work with my phone number.

I was then sent a text message with the code, which was not delivered (since the service was disabled for me).

At 3:08am the hacker enters the new authorization code and gains access to my account. Telegram sends me an automatic notification of this (which I will only see in the morning).

At 3:12am Zhora Alburov's account is hacked in a similar fashion from the same IP-address (and through the same Tor session).

At 4:55am the MTS technical security department reactivates the text-message delivery service for my number.

MTS refused to name the cause of disabling and reactivating the service to me, and suggested I send a written request for information.

What remains unclear is how the hackers were able to intercept the text message containing the new authorization code. According to Vladislav Zdolnikov, a technology expert working with the Anti-Corruption Foundation, the attack could have been orchestrated by Russia's State Security Service (FSB) together with MTS, to gain access to the activists’ conversation logs. Zdolnikov speculates that the text message could have been intercepted using a SIM-card clone or directly at the SMS gateway belonging to MTS, as part of the company's collaboration with the authorities through the SORM system.

Нет никаких сомнений, что эта целая спецоперация была организована и частично выполнена именно ФСБ. Ни у какой больше организации нет возможности ночью отключать и включать услугу SMS через отдел технической безопасности федерального оператора связи.

There are no doubts that this whole special operation was organized and partially executed by FSB. No other organization has the capability to disable text messages at night through the technical security department of a federal communication operator.

SORM, which stands for “System for Operative Investigative Activities,” is Russia’s comprehensive communications surveillance system that has been in place since 1996 to enable wiretaps of telephone connections. Over the years, it has evolved to allow broader access to electronic communications, including the installations of black boxes with Russian ISPs to gain access to Internet traffic.

Earlier in April, several Russian journalists, including Roman Shleynov who worked with OCCRP on the Panama Papers investigation, and Oleg Kashin, said they received security warnings from Google about possible state-sanctioned attempts to hijack their email accounts. In September 2015, an editor and a journalist at the newspaper Novaya Gazeta reported that their email inboxes had been hacked by persons who obtained unauthorized duplicates of their SIM-cards from cell service providers.

How Can Telegram Users Protect Themselves?

Responding to the news of the hack, Bellingcat contributor Frederick Jacobs drew attention to similar cases of exploiting the SMS login feature to attack Telegram accounts in Iran earlier this year, and critiqued the safety implications of text message logins.

SMS are trivial to intercept for your telecom provider. And in almost all countries, they are actively cooperating with the state to help intercept text messages and phone calls. […]

If a single SMS enables you to get access to a user’s account and data, you designed your system with a backdoor that any serious adversary can exploit.

Telegram's founder Pavel Durov reacted to the news by calling on the app's users in “troubled countries” to use two-step verification as a precaution.

Users from troubled countries: make sure you have 2-step verification enabled – in Telegram and other services https://t.co/w81h4PjFv4 — Pavel Durov (@durov) April 29, 2016

Jacobs, however, believes that users in repressive environments should be even more cautious and would do well “always to use end-to-end encryption” and “verify fingerprints for important communications,” to avoid the dangers of engaging with spoofed accounts.