Four suspects have been arrested in Brazil this week for hacking into over 1,000 Telegram accounts, including some owned by Brazilian government officials, such as Brazil President Jair Bolsonaro, Justice Minister Sergio Moro, and Economy Minister Paulo Guedes.
Other lower-ranking politicians such as congresswoman Joice Hasselmann, a key ally of President Bolsonaro and Minister Moro, also claimed to have been targeted earlier this week.
According to court documents, the four used a relatively unknown hacking trick to bind the victims’ Telegram accounts to their phones.
Local media reported that the hackers used access to the accounts to send spam messages with malicious links to users’ contacts. However, the group also appears to have targeted and hijacked accounts of local politicians, from where they are believed to have exfiltrated personal messages.
Investigation started after Telegram messages leaked
Brazilian authorities claim that some of the messages have made their way to journalists at The Intercept following the hacking of Justice minister Sergio Moro, who claims that it took place on 5 June.
The online news site, in partnership with other major local news outlets, started to published a series of stories four days later based around Telegram messages Moro had exchanged with Deltan Dallagnol, a prosecutor in Operation Car Wash, an ongoing criminal investigation into accusations of graft and money laundering which led to the arrest of several local high-profile businesspeople and politicians, most notably former president Luis Inácio Lula da Silva.
Seen as an anti-corruption unbiased hero by some and as an anti-leftist crusader by others, Moro’s credibility has been put in doubt as the Telegram exchanges suggest that he, while still a judge, instructed prosecutors in the Lula trial, which is against Brazilian law. The prison sentence removed Lula from last year’s presidential race, after which Bolsonaro named Moro as Justice Minister.
Moro, who is the one who set the Operation Car Wash investigation underway, claimed that the messages did not show any wrongdoing, and were just advice for the prosecutor who took over in the case.
A criminal inquiry was set into motion, either way. The four arrests announced this week are the result of the Brazilian government’s investigation into the source of those leaks.
The names of the four alleged hackers are Danilo Cristiano Marquez (33), Walter Delgatti Neto (30), Judy Gustavo Henrique Elias Santos (28), and Suelen Priscilla de Oliveira (25) — Santos’ wife.
The four were arrested on a temporary five-day warrant, but have not been officially charged. Investigators said they found around 600,000 Brazilian reals (~$160,000) in one of the hacker’s bank accounts, which the suspect couldn’t justify based on their income.
Reacting to the arrests, The Intercept’s founder Glenn Greenwald has provided Brazilian magazine Veja with an exchange with his own source, who denied having anything to do with the Telegram voicemail account hijacking incident. Greenwald told Veja the first contact with the source took place a month before Moro claimed to have been hacked.
“We are not newbie hackers, the [voicemail hack] is not consistent with our way of operating – we access Telegram with the objective of extracting conversations and do justice, bringing the truth out to people,” it added.
The voicemail account hijacking trick
While Bar-Zik showed the attack against a WhatsApp account, a year later, in 2018, security researcher Martin Vigo expanded on this technique, showing how attackers could use voicemail accounts to hijack accounts at other service providers, such as Facebook, Google, Twitter, WordPress, eBay, or PayPal. Apparently, this technique also works with Telegram accounts.
Most instant messaging (IM) services today allow users to receive one-time passcodes via SMS, but also as a voice message.
The general idea behind this trick is that users of instant messaging apps who have voicemail enabled for their phone numbers are at risk if they don’t change the voicemail account’s default password, which in most cases tends to be either 0000 or 1234.
Bar-Zik discovered that if the phone number is busy with another call, or if the user doesn’t answer his phone three times in a row, the one-time passcode delivered via voice message is eventually rerouted to the user’s voicemail account.
According to Brazilian authorities, the four hackers installed Telegram apps on their phones but entered the phone number of high-profile politicians when authenticating.
They requested voice mail messages for the authentication process while calling the targets’ phones, to ensure the one-time passcode landed in the voicemail account.
The four then used VoIP providers to mimick the target’s phone number, called the telco’s voicemail service, used a default password to access the target’s voicemail account, retrieved the one-time passcode, and bound the victim’s Telegram account to their device –hence, gaining access to the account and its message history.
This marks the first time this voicemail hijacking trick has been used against high-profile targets. The technique hasn’t been used widely used by criminal groups until now.
Amid the fallout over the leaked messages, local reports suggest President Bolsonaro is finally considering to use an encrypted mobile phone provided by the Brazilian Intelligence Agency (Abin).
So far, Bolsonaro and his ministers had been dragging their heels to do so given their intensive use of social media, which wouldn’t be possible with the Abin devices. For instant communication among the users of the devices it provides, the agency has developed the app Athena, with content protected by portable encryption platform PCPv2.
Another place where voicemail hijacking it’s been popular is in Israel, where the Israel National Cyber Security Authority sent out an alert in October 2018 about an increase in attacks leveraging this method, urging users to change voicemail account passwords, or disable voicemail for mobile phone numbers altogether.