Ukraine Warns Of Hackers Targeting Telegram Accounts With 'Russian Hosts' In New Cyber Attack
KEY POINTS
- Several Telegram users complained of receiving a login alert from a new device
- The message urged users to confirm their accounts by clicking on a link
- However, it was found the URL sent in the message was a phishing domain
Ukraine has warned of a new cyber attack in which hackers are reportedly attempting to gain access to users' Telegram accounts.
The country's technical security and intelligence service said in a statement Tuesday that cyber fighters had blocked the hosting where the attacks were conducted, "but the attackers are 'moving on' to Russian hosts."
"The criminals sent messages with malicious links to the Telegram website in order to gain unauthorized access to the records, including the possibility to transfer a one-time code from SMS," the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine said in an alert.
A threat cluster called "UAC-0094" is believed to be behind the malicious attacks, The Hacker News reported. However, International Business Times could not confirm this.
Several Telegram users complained of receiving a login alert from a new device. The message urged users to confirm their accounts by clicking on a link. However, it was found the URL sent in the message was a phishing domain.
After clicking the URL, the users were asked to enter their phone numbers as well as the one-time passwords (OTP) sent via SMS. Authorities said the OTP would further help the hackers gain access to the user's Telegram account.
"Ukrainian CyberFighters have blocked the hosting where the attacks were conducted, but the attackers are 'moving on' to Russian hosts," the statement read. "Be careful and do not follow suspicious links. Also, you need to set an additional password for double authentication in Telegram (together with the code you receive in SMS)."
"It is additionally necessary to end all sessions in Telegram settings, except the in-progress one," authorities in Ukraine suggested in the statement.
Telegram is the most popular messaging service in Ukraine. The WhatsApp-like messaging service was co-founded by exiled Russian billionaire brothers Pavel and Nikolai Durov. The app saw a boom following Russia's invasion of Ukraine on Feb. 24.
The latest incident comes weeks after some hackers took advantage of the Ukraine crisis and tried to attack an unnamed European government entity. In early March, researchers at U.S.-based cybersecurity company Proofpoint confirmed the incident, saying that the emails targeted “European government personnel involved in managing the logistics of refugees fleeing Ukraine,” Forbes reported at the time.
The emails came with the subject, "IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022."
Following this, Proofpoint researchers wrote in a blog post published on March 2: “There was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe. This campaign may represent an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies and people within NATO member countries.
“The possibility of exploiting intelligence around refugee movements in Europe for disinformation purposes is a proven part of Russian and Belarusian state techniques.”