Information from global users of the encrypted messenger app Telegram was purposefully directed through Iranian networks on Monday, 30 July 2018, according to several media reports.
In what appears to have been a Border Gateway Protocol (BGP) hijack of global Telegram traffic by the Iranian state’s telecommunications company – the Telecommunication Company of Iran (TCI) – all data bound for Telegram was routed through TCI’s networks. A BGP hijack involves an intermediary (in this case TCI) illegitimately announcing routes for large blocks of Internet Protocol (IP) addresses it does not own, so that data originally intended for the destination selected by the user is instead delivered to the hijacker. The Border Gateway Protocol is an essential component of the global architecture that operates the Internet, since it is the protocol by which the national and private networks that make up the Internet exchange routing information and thereby steer data traffic between one another worldwide.
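The following is an added illustration, not code from the original article or from any of the monitoring services it mentions, of how a network operator or route-monitoring service detects the pattern described above: a known prefix suddenly originated by an unexpected autonomous system, or a more-specific sub-prefix (which wins longest-prefix-match routing) announced by an unauthorised origin. The table of expected origins, the ASNs (private-use range) and the prefixes (documentation ranges) are all constructed placeholders; the real Telegram and TCI numbers are not given on the page.

```python
import ipaddress
from dataclasses import dataclass

# Constructed "expected origin" table: which AS is authorised to originate
# which prefix. Operators derive this from RPKI ROAs or IRR data; here it is
# hand-written with RFC 5737 documentation prefixes and RFC 6996 private ASNs.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64496,   # hypothetical messaging-service prefix
    "198.51.100.0/24": 64497,  # hypothetical unrelated network
}


@dataclass(frozen=True)
class Announcement:
    """One BGP route as seen by a route collector (constructed, not a real feed)."""
    prefix: str
    origin_as: int
    as_path: tuple  # ordered AS path, origin AS last


def classify(ann, expected=EXPECTED_ORIGINS):
    """Return (verdict, covering_prefix) for a single announcement.

    verdict is one of:
      'ok'            exact known prefix from its authorised origin
      'more-specific' sub-prefix of a known prefix, from an unauthorised origin
                      (the classic hijack shape: longest match wins)
      'wrong-origin'  exact known prefix, but originated by an unauthorised AS
      'unknown'       no covering prefix in the table, so no judgement possible
    """
    net = ipaddress.ip_network(ann.prefix, strict=False)
    best = None
    # Find the longest known prefix that covers the announced one.
    for p in expected:
        cand = ipaddress.ip_network(p)
        if net.version == cand.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    if best is None:
        return "unknown", None
    authorised = expected[str(best)]
    if ann.origin_as == authorised:
        return "ok", str(best)
    if net == best:
        return "wrong-origin", str(best)
    return "more-specific", str(best)


def find_hijacks(feed, expected=EXPECTED_ORIGINS):
    """Run classify() over a feed and return the announcements worth alerting on."""
    alerts = []
    for ann in feed:
        verdict, covering = classify(ann, expected)
        if verdict in ("more-specific", "wrong-origin"):
            alerts.append((ann.prefix, ann.origin_as, verdict, covering))
    return alerts


# Constructed sample feed: one legitimate route, two hijack shapes, one unknown.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", 64496, (64500, 64496)),   # legitimate
    Announcement("203.0.113.0/25", 64498, (64501, 64498)),   # more-specific, wrong AS
    Announcement("198.51.100.0/24", 64498, (64501, 64498)),  # exact prefix, wrong AS
    Announcement("192.0.2.0/24", 64499, (64502, 64499)),     # not in the table
]

if __name__ == "__main__":
    for prefix, asn, verdict, covering in find_hijacks(SAMPLE_FEED):
        print(f"ALERT {verdict}: {prefix} originated by AS{asn} "
              f"(expected AS{EXPECTED_ORIGINS[covering]} for {covering})")
```

Only the origin AS is checked here; a real monitor also compares the AS path against historical paths and validates origins with RPKI, which is the deployed mitigation on the operator side for exactly the route-origin cases this example flags.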
TCI’s BGP hijack of global Telegram data took place one day before planned mass protests about the poor state of the economy across Iran. The Telegram app, while illegal in Iran, is nonetheless popular among Iranians because of its encryption features. Iranian government figures estimate that approximately 30 million Iranians (out of a total population of approximately 80 million) use Telegram for personal and commercial purposes, as well as for organizing political activism and protests against the theocratic regime in Tehran. There have even been reports that Telegram provides the backbone for a thriving black economy in Iran.
The Iranian Minister for Information and Communications Technology, Mohammad Javad Azari Jahromi, admitted via Twitter on 30 July that the BGP hijack of Telegram data took place and condemned the incident, writing that “in the event of an error, whether inadvertent or intentional, the Telecommunication Company of Iran will be severely penalized.” Jahromi also announced an official investigation into the incident.
The BGP hijack by TCI was also detected and monitored by Oracle’s Internet Intelligence and Cisco’s BGPMon, both of which publicised the incident via social media.
Speaking to Cyberscoop, Alan Woodward of the University of Surrey in the UK described the Border Gateway Protocol as “the classic soft underbelly of the web.”
“At country borders it’s vulnerable when a government has control of the whole network, like some do,” added Woodward.
“By diverting traffic like this, you can obviously then try to intercept it or you can simply block it. For example, if you know the destination of data you can simply redirect it at the border of your country. It’s an effective way of stopping people in the country from using the app,” he said.
“Once a valid BGP hijack occurs, the hijacker can perform [man-in-the-middle] attacks, eavesdropping, etc.,” said Nico Waisman, a cybersecurity researcher at Cyxtera who also spoke to Cyberscoop.
Alan Woodward added that anyone “whose traffic is hijacked currently have no effective technical means to prevent such attacks.”
Despite seemingly condemning the BGP hijack of Telegram data by TCI, Iran’s ICT Minister Jahromi has been subject to calls for U.S. sanctions to be placed against him given the active role of his ministry in attempting to block the use of Telegram by Iranians. Writing recently in The Cipher Brief, Tzvi Kahn, the Senior Iran Analyst at the Washington, DC, think-tank Foundation for Defense of Democracies, wrote that the ICT Ministry and Jahromi “have escaped Washington’s attention. It’s long past time for the Trump administration to add them to the sanctions list.”