Hackers with access to the Signaling System 7 (SS7) used for connecting mobile networks across the world were able to gain access to Telegram messenger and email data of high-profile individuals in the cryptocurrency business.
In what is believed to be a targeted attack, the hackers were after two-factor authentication (2FA) login codes delivered over the short messaging system of the victim’s mobile phone provider.
Hackers pulling an SS7 attack can intercept text messages and calls of a legitimate recipient by updating the location of their device as if it registered to a different network (roaming scenario).
The attack occurred in September and targeted at least 20 subscribers of the Partner Communications Company (formerly known as Orange Israel), all of them involved at a higher level in cryptocurrency projects.
Tsachi Ganot, the co-founder of Pandora Security in Tel-Aviv, who investigated the incident and assisted victims with regaining access to their accounts, told BleepingComputer that all clues point to an SS7 attack.
Pandora Security specializes in building secure digital environments and provides cyber technology and services for high-profile individuals such as prominent business figures and celebrities. According to Ganot, customers include some of the wealthiest people in the world.
Ganot told us that the hackers likely spoofed the short message service center (SMSC) of a mobile network operator (unidentified at the time of writing) to send an update location request for the targeted phone numbers to Partner (other providers may still be vulnerable to this type of attack).
The update request essentially asked Partner to send to the fake MSC all the voice calls and SMS messages intended for the victims.
Ganot says that the attackers had good knowledge about their victims’ various accounts and leaked passwords. They knew unique international subscriber numbers (MSISDN – Mobile Station International Subscriber Directory Number) and International Mobile Subscriber Identity (IMSI) numbers.
SS7 attacks, while more frequent in the past years, are not easy to pull and require good knowledge of home mobile networks interact and route communication at a global level.
In this case, the goal of the hackers was to obtain cryptocurrency. Ganot believes that some of the inboxes compromised this way acted as a backup method for other email accounts with richer data, allowing the threat actor to achieve their goal.
“In some cases, the hackers posed as the victims in their [Telegram] IM accounts and wrote to some of their acquaintances, asking to exchange BTC for ETC and the like” – Tsachi Ganot
This method is well known in the cryptocurrency community, and users are typically wary about such requests. Ganot says that “as far as we’re aware no one fell for the bait.”
Although sending verification codes over SMS is widely regarded as insecure in the infosec community, and for good reason, many services still rely on this practice, putting users at risk.
Better authentication methods exist today than SMS or call-based 2FA authentication. Apps specifically created for this purpose or physical keys are among the solutions, Ganot says, also adding that telecom standards need move away from legacy protocols like SS7 (developed in 1975), which cannot address modern issues.
Israeli newspaper Haaretz published details about this attack earlier this month, saying that Israel’s national intelligence agency (Mossad) and the country’s National Cyber Security Authority were involved in the investigation.
The publication also notes that Ganot and his partner (founders of Pandora Security) worked for the NSO for a few years.