By attacking the SS7 protocol, hackers can intercept text messages and calls from the real recipient.
Hackers who had access to the OKS-7 (SS7) system used to set up mobile networks around the world were able to access Telegram accounts and email accounts of well-known personalities in the cryptocurrency business, according to Bleeping Computer.
The hackers tried to obtain two-factor authentication (2FA) codes through a vulnerability in the SMS messaging system of the victim’s mobile provider.
SS7 hackers can intercept the real recipient’s text messages and calls, updating the device’s location as if it were registered on a different network.
The attack took place in September and targeted at least 20 subscribers of the Israeli mobile operator Partner Communications (formerly known as Orange Israel), all of whom were involved in high-level cryptocurrency projects.
Tzachi Ganot, co-founder of Pandora Security in Tel Aviv, which investigated the incident and helped victims regain access to their accounts, told BleepingComputer that all evidence points to an SS7 attack .
Pandora Security specializes in creating secure digital environments and provides cyber technology and services to high-profile individuals such as prominent business figures and celebrities. According to Ganot, the clients include some of the richest people in the world.
Ganot reported that the hackers likely spoofed a mobile network operator’s SMS Service Center (SMSC) (we were unable to determine which one) in order to send a location update request for the Partner phone numbers they were interested in.
The update request essentially required Partner to send all voice calls and SMS messages intended for the real recipient to the fake MSC .
Image: Cellusys via BleepingComputer
Ganot says that the attackers have studied the accounts of their victims and the passwords leaked to them. They knew unique international subscriber numbers (MSISDN – International Subscriber Directory Number for mobile stations) and International Mobile Subscriber Identity (IMSI) numbers.
SS7 attacks, although more common in recent years, are not easy to carry out, as they require good knowledge of home mobile network interworking and communication routing on a global level.
In this case, the goal of the hackers was to obtain cryptocurrency. Ganot believes that some of the mailboxes compromised in this way acted as a backup method for other email accounts with more valuable information, allowing the attacker to access it.
“In some cases, hackers posed as victims by hacking their Telegram accounts and writing to some contacts asking them to exchange BTC for ETC and the like." – Tzachi Ganot
This scam is well known in the cryptocurrency community and users are generally wary of such requests. Ganot says that "as far as we know, no one fell for the bait."
While sending verification codes via SMS is not without reason considered insecure, many services, including Telegram, still rely on this practice, putting users at risk.
There are better authentication methods today than SMS or call-based authentication. Solutions include applications built specifically for this purpose, or physical keys, Ganot said. Telecommunications standards must move away from legacy protocols such as SS7 (developed in 1975) that are no longer capable of solving today’s problems.
The Israeli newspaper Haaretz published details of the attack earlier this month, claiming that the Israeli National Intelligence Agency (Mossad) and the country’s National Cybersecurity Directorate were involved in the investigation.
The publication also notes that Ganot and his partner (the founders of Pandora Security) worked for the NSO for several years .