Hackers hijacked Telegram accounts to rob the crypto wallets of prominent businessmen

Wednesday, October 21, 2020, 9:20 GMT

The Signalling System No. 7 (SS7) attack targeted several businessmen holding influential positions in the cryptocurrency industry: the attackers were able to divert their calls and SMS messages to another operator. SS7-based attacks have become more common in recent years, but they still require a high degree of planning to pull off.

Signalling Seven

Unidentified cybercriminals abused the SS7 signalling system (OKS-7 in the Russian literature), which interconnects mobile networks around the globe, and with its help gained access to the Telegram accounts and mailboxes of several big players in the cryptocurrency sector.

Signalling System No. 7, or SS7 (Common Channel Signalling System No. 7), is a set of telephony signalling protocols used to set up and tear down calls on most of the world's telephone exchanges in the public switched telephone network. Its defining feature is common-channel signalling: control information (who is calling whom, where a subscriber currently is, where a text message should be routed) travels over dedicated analog or digital signalling links, separately from the voice channels it controls.

The attackers managed to intercept the two-factor authentication codes that the victims' mobile operator delivered by SMS. As BleepingComputer explains, the criminals intercepted text messages and calls by spoofing the victim's location in the operator's records, as if the subscriber had moved into roaming.

The attack took place on September 20, 2020, and targeted at least 20 customers of the mobile operator Partner Communications (formerly known as Orange Israel). Many of them are active in major cryptocurrency ventures. All signs are that the attack was carried out via SS7, according to Tzachi Ganot, an expert at Pandora Defense who took part in the investigation.

Hackers used the SS7 system to steal cryptocurrencies

Professionals at work

According to Ganot, the hackers probably infiltrated the short message service centre (SMSC) of an unidentified mobile operator, which then sent requests to the partner network asking it to change the location (and network) recorded for the victims' numbers. The request asked the partner to divert all calls and SMS messages intended for the victims to a compromised mobile switching centre (MSC).

The attackers clearly had a lot of details about their victims and their phones. They knew their names, their MSISDNs (Mobile Station International Subscriber Directory Number, the phone number the outside world dials), their IMSIs (International Mobile Subscriber Identity, the identity of the SIM card) and even some passwords. Their aim, meanwhile, was entirely mundane: to get at wallets holding cryptocurrency.
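To make the mechanism concrete, here is an added illustration (not code from the article, from Pandora or from the operators involved) written as a toy Python model of the two MAP operations at the heart of the story: a partner network's UpdateLocation tells the victim's home HLR that the subscriber is now roaming on it, and the SMSC's SendRoutingInfoForSM then asks that same HLR where to forward a text. Every network name, global title, IMSI, MSISDN and SMS text below is constructed, and the velocity threshold is a hypothetical value; the optional plausibility check stands in for the kind of filtering an SS7 firewall does.

```python
# Toy model of the SS7/MAP location-update abuse described in the article.
# Added illustration, not code from the article, Pandora or Partner; every
# network name, global title and subscriber below is hypothetical.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Subscriber:
    imsi: str             # International Mobile Subscriber Identity (SIM identity)
    msisdn: str           # the phone number the outside world dials / texts
    serving_network: str  # operator whose VLR last registered the subscriber
    serving_msc: str      # global title of the MSC/VLR that SMS will be routed to
    last_seen: float      # time of last registration or activity on that network


class HLR:
    """Home Location Register of the victim's operator.

    Two MAP operations matter for this attack:
      * UpdateLocation       - a (partner) network says "this IMSI is now on me";
      * SendRoutingInfoForSM - the SMSC asks "which MSC do I forward this SMS to?".
    SS7 has no sender authentication, so whoever can inject a plausible
    UpdateLocation controls where the HLR sends the victim's texts.
    """

    VELOCITY_WINDOW = 300.0  # seconds; hypothetical plausibility threshold

    def __init__(self, home_network: str, plausibility_check: bool = False):
        self.home_network = home_network
        self.plausibility_check = plausibility_check
        self.subs: dict[str, Subscriber] = {}
        self.events: list[str] = []

    def register(self, sub: Subscriber) -> None:
        self.subs[sub.imsi] = sub

    def update_location(self, imsi: str, from_network: str, new_msc: str, now: float) -> bool:
        sub = self.subs[imsi]
        if self.plausibility_check and from_network != self.home_network:
            # A subscriber seen on the home network seconds ago cannot already be
            # roaming abroad: the velocity check an SS7 firewall applies.
            if sub.serving_network == self.home_network and now - sub.last_seen < self.VELOCITY_WINDOW:
                self.events.append(f"REJECT UpdateLocation {imsi} from {from_network}: "
                                   f"seen on {self.home_network} {now - sub.last_seen:.0f}s ago")
                return False
        sub.serving_network, sub.serving_msc, sub.last_seen = from_network, new_msc, now
        self.events.append(f"ACCEPT UpdateLocation {imsi} -> {new_msc} ({from_network})")
        return True

    def send_routing_info_for_sm(self, msisdn: str) -> tuple[str, str]:
        """SRI-SM: resolve an MSISDN to (IMSI, serving MSC global title)."""
        for sub in self.subs.values():
            if sub.msisdn == msisdn:
                return sub.imsi, sub.serving_msc
        raise KeyError(msisdn)


def deliver_sms(hlr: HLR, msisdn: str, text: str, inboxes: dict[str, list[str]]) -> str:
    """SMSC side: SRI-SM to find the serving MSC, then MT-ForwardSM to it.
    Returns the global title of the MSC that received the message."""
    _imsi, msc = hlr.send_routing_info_for_sm(msisdn)
    inboxes.setdefault(msc, []).append(text)
    return msc


def run_scenario(firewall: bool) -> tuple[str, list[str]]:
    """Replays the incident: attacker re-homes the victim, then a login code is sent.
    Returns (MSC that received the code, HLR event log)."""
    hlr = HLR("home-il", plausibility_check=firewall)
    # constructed victim (test-network IMSI, fictitious number), last seen at home at t=1000
    hlr.register(Subscriber("001010123456789", "+15550100001", "home-il", "msc1.home-il", 1000.0))
    inboxes: dict[str, list[str]] = {}

    # t=1060: UpdateLocation injected through a compromised partner SMSC/MSC
    hlr.update_location("001010123456789", "partner-xx", "msc.attacker", 1060.0)

    # t=1070: the messenger's login code goes out by SMS and lands wherever the HLR says
    msc = deliver_sms(hlr, "+15550100001", "Login code 12345 (constructed)", inboxes)
    return msc, hlr.events


if __name__ == "__main__":
    for firewall in (False, True):
        msc, events = run_scenario(firewall)
        print(f"plausibility check {'on ' if firewall else 'off'}: code delivered to {msc}")
        for e in events:
            print("   ", e)
```

With the check off, the login code lands at the attacker's MSC even though nothing about the victim's phone changed; with it on, the HLR refuses to believe that a subscriber seen on the home network a minute ago is already abroad. Note what the check does not rely on: the source address. In the incident described above the requests came through a legitimate partner's infrastructure, so a filter that only trusts known roaming partners would have let them through; the implausibility of the movement itself is what gives the defender a handle.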

“SS7 attacks require detailed knowledge of the mobile network infrastructure, of how data is exchanged and how it is routed,” says Dmitry Kiryukhin, an information security specialist at SEC Consult Services. “They have become more frequent in recent years, but so far they remain the ‘privilege’ of professional cybercriminals. The thorough collection of victim details before the attacks also points to this. In theory, all of this data could have been used for equally effective but cheaper attacks.”

According to Ganot, some of the mail accounts the cybercriminals managed to hijack were recovery addresses for other mailboxes and contained information more important to the victims' businesses.

“In some instances, the hackers impersonated their victims in Telegram conversations and asked their friends to convert BTC (bitcoin) to ETC (Ethereum, another cryptocurrency), and so on,” Ganot observed, adding that this turned out to be the weakest point of the whole operation, since people in the cryptocurrency business are well aware that such requests usually mean nothing good.

“As far as we know, nobody fell for it,” the researcher observed. According to Ganot, two-factor authentication via SMS or phone call is no longer considered a secure way of protecting user accounts. Far more reliable tools exist, such as authenticator apps and hardware security keys. Many services, however, still rely on SMS-based two-factor authentication.

Ganot also noted that telecom operators should long since have moved to signalling protocols more advanced than SS7. The system was designed for fixed-line networks back in 1975 and, naturally, does not address many of today's threats. Curiously, members of Israel's national intelligence service (the Mossad) and the state's National Cyber Security Administration were also involved in the investigation of the incident.