Telegram as a command and control weapon: FBI alert reveals Iranian cyber attacks and messaging risk

Published · 5 min read

The recent FBI alert on the use of Telegram as command and control infrastructure by Iranian actors once again shows something that security practitioners have been warning about for years: messaging platforms designed for everyday communication can also become a channel for complex offensive operations. In its public notice, the agency points out that campaigns targeting journalists critical of the Iranian government, dissidents and other opposition groups have used malicious links and files to deploy malware on Windows machines and, from there, exfiltrate screenshots, documents and other valuable information.

This is not simple phishing: it is intelligence collection in disguise. According to the FBI, the intrusions did not only seek disruption; they sought to accumulate data that was later leaked or used to damage the victims' reputation. In many cases the attackers combined social engineering with tools that allow remote control of the compromised machines, so that the victim barely notices the adversary's presence until it is too late. The FBI technical statement, published as an IC3 bulletin, provides indicators of compromise and risk mitigation recommendations: see the FBI IC3 PDF.


The FBI report links these campaigns to Iran-aligned groups, including the hacktivist group known as Handala and a state-backed group referred to as Homeland Justice. Researchers also mention a separate actor named Karma Below; all are tied to data exfiltration and to websites that served as public drop points for stolen documents. In response to these operations, United States authorities recently seized several domains used by these groups, temporarily cutting off one of the channels they used to disseminate stolen material.

One case that illustrates how much damage these campaigns can do to critical infrastructure is the incident at the medical technology multinational Stryker. In that intrusion, the attackers obtained administrative privileges in a Windows domain and issued a remote command to wipe or reset numerous devices managed through Microsoft Intune. The result was widespread data loss on company equipment and on employee devices enrolled in the corporate management system. Remote wipe is a legitimate Intune feature that attackers can abuse if they obtain privileged credentials; Microsoft documents how the "wipe" action works in its portal: more information about remote wipe in Intune.

Another area of concern is the use of messaging platforms not just as a passive vector (links or files) but as active command and control infrastructure. Telegram, through its channels and bot API, offers mechanisms that adversaries can use to send instructions to malware and to receive exfiltrated data without operating servers of their own, which makes the infrastructure hard to trace. This complicates detection, because traffic to Telegram looks legitimate and is encrypted, and many organizations allow these applications for work or personal use.

In parallel with the Iranian activity, authorities have also warned about campaigns orchestrated by actors linked to Russian intelligence that target users of messaging apps such as Signal and WhatsApp. These attacks typically rely on phishing techniques designed to hijack accounts by obtaining verification codes or by tricking the victim into granting access. National CERTs and European agencies have published notices describing similar schemes, confirming that the risk extends beyond a single platform or geography; an example of an alert issued by French authorities can be found here: CERT-FR notice on campaigns against messaging.

What can an individual or a team do to reduce the risk? First, treat messaging platforms as a legitimate attack vector: distrust unexpected links or files, even from known contacts, since their account may be compromised. Second, protect accounts with strong multifactor authentication and avoid receiving access codes via SMS where possible, since that channel is susceptible to hijacking. Third, apply the principle of least privilege in systems administration: not every user should have the right to create administrators or launch remote wipe actions. Finally, keeping systems and applications up to date reduces the attack surface that attackers look to exploit.


For organizations, it is key to implement detection of anomalous behavior (for example, unusual traffic to messaging services from servers that should never reach them) and to review policies on the use of personal applications on corporate devices. Verified, isolated backups are another essential component: if an adversary succeeds in wiping devices or encrypting data, reliable recovery limits the operational and reputational impact.
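As an added illustration of the detection idea above and of the bot-based command and control pattern described earlier (this is example code written for this page, not code from the article, the FBI notice or any vendor), the following Python script scans constructed proxy log lines for servers contacting Telegram endpoints and flags requests whose path has the Bot API's `/bot<token>/<method>` shape, which is how a bot-driven implant polls for instructions (`getUpdates`) and pushes files out (`sendDocument`). The asset inventory, the domain list, the log format and the token pattern are assumptions for the example; the bot token in the sample log is fabricated.

```python
import re
from collections import defaultdict

# Constructed asset inventory (hypothetical hostnames): servers that should never
# talk to consumer messaging services. A real deployment would pull this from a CMDB.
SERVER_ASSETS = {
    "10.0.5.21": "dc01",
    "10.0.5.40": "fileserver02",
    "10.0.8.12": "intune-connector",
}

# Telegram endpoints. api.telegram.org serves the Bot API; the rest belong to the
# clients. This list is an assumption for the example and is not exhaustive.
TELEGRAM_DOMAINS = ("api.telegram.org", "telegram.org", "t.me", "telegram.me")

# Bot API requests look like /bot<token>/<method>, where the token is a numeric
# bot id, a colon and a secret. The secret-length bound is an approximation.
BOT_API_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)")

# Bot API methods an implant would use to push files off a host.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

# Constructed proxy log (not real traffic): ts client_ip method host path status bytes_out
SAMPLE_PROXY_LOG = """\
2025-06-12T09:14:02Z 10.0.7.33 GET web.telegram.org /k/ 200 1823
2025-06-12T09:14:10Z 10.0.5.21 POST api.telegram.org /bot7123456789:AAExampleTokenNotRealxxxxxxxxxxxxxxx/getUpdates 200 512
2025-06-12T09:14:11Z 10.0.5.21 POST api.telegram.org /bot7123456789:AAExampleTokenNotRealxxxxxxxxxxxxxxx/sendDocument 200 4194304
2025-06-12T09:15:00Z 10.0.5.40 GET update.microsoft.com /v11/3/windowsupdate 200 91
2025-06-12T09:16:45Z 10.0.8.12 GET t.me /c/12345 200 300
"""


def is_telegram_host(host):
    """True if host is one of the Telegram domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TELEGRAM_DOMAINS)


def parse_proxy_line(line):
    """Split one space-delimited proxy record into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, host, path, status, bytes_out = parts
    return {"ts": ts, "client": client, "method": method, "host": host,
            "path": path, "status": status, "bytes_out": int(bytes_out)}


def analyze(log_text):
    """Return (findings, bytes each server pushed to Telegram).

    Workstations may legitimately use Telegram; the signal worth alerting on is a
    *server* doing so, and especially a server speaking the Bot API.
    """
    findings = []
    bytes_to_telegram = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_proxy_line(raw)
        if rec is None or not is_telegram_host(rec["host"]):
            continue
        asset = SERVER_ASSETS.get(rec["client"])
        if asset is None:
            continue  # not a server-class asset; out of scope for this rule
        bytes_to_telegram[asset] += rec["bytes_out"]
        finding = {"asset": asset, "ts": rec["ts"], "host": rec["host"],
                   "kind": "server_to_messaging"}
        m = BOT_API_PATH.match(rec["path"])
        if m:
            bot_id, _secret, method = m.groups()  # keep the bot id, never record the secret
            finding.update(kind="bot_api", bot_id=bot_id, method=method)
            if method in UPLOAD_METHODS:
                finding["kind"] = "bot_api_upload"  # file leaving the host: likely exfiltration
        findings.append(finding)
    return findings, dict(bytes_to_telegram)


if __name__ == "__main__":
    found, totals = analyze(SAMPLE_PROXY_LOG)
    for f in found:
        print(f)
    print("bytes to Telegram per server:", totals)
```

The rule deliberately keys on the asset class rather than on Telegram alone, which keeps it quiet on workstations where the app may be sanctioned; the bot id is retained for pivoting across hosts while the token secret is dropped so that alerts do not become a second place the credential is stored.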

The picture these alerts paint is one of an information war in which message exchange and account authenticity are both weapons and targets. The convergence of social engineering, abuse of legitimate services and geopolitical operations means that such threats cannot be dealt with by a single patch. Instead, they require a combination of individual digital hygiene, technical controls and international cooperation between companies and authorities to identify, block and dismantle the infrastructure the attackers use.

The final recommendation is to stay informed through official and specialized sources and to act with caution: consulting the FBI technical report on these campaigns can help security teams and users recognize indicators of compromise and take concrete action before exposure results in data loss or reputational damage. For those who want to go deeper into the technical details and recommendations, the FBI IC3 bulletin and the alerts of national response teams are good starting points: IC3 / FBI and CERT-FR.
