Why and how to perform Telegram monitoring to protect your business
For threat actors, the Telegram app, which emphasizes user privacy, has become a favored hangout. As Dark Reading notes, “The cybercrime ecosystem now not only includes private communications platforms like I2P and Tor but also reaches across clear websites and Telegram channels.” Likewise, the U.S. Cybersecurity Magazine calls Telegram “a thriving hub of criminal activity.”
For this reason, monitoring Telegram is a great way for organizations to determine what threat actors are doing, and whether they are discussing breaches that involve a particular company.
Telegram monitoring, however, is not as simple as logging on and asking the bad guys what they’re up to. It’s a complex process that requires careful selection of which channels to monitor, as well as an effective strategy for engaging with threat actors.
At Cyberint, where gathering threat intelligence from across a range of social media platforms and other sources is what we do all day long, we know a thing or two about how to monitor Telegram effectively. This article explains our approach and the role Telegram monitoring plays in our overall threat intelligence strategy.
Can Telegram be monitored?
Given that Telegram is designed to facilitate private conversation, you might think that third parties can’t monitor it at all. With the right approach, however, Telegram monitoring is eminently possible.
In some cases it is as easy as logging into the app and eavesdropping on threat actor conversations. Many groups deliberately leave their “official” Telegram channels open to the public, because for them the channel is a marketing tool. In other cases it is much harder: the group admin switches the channel to private, or the threat actors do their real business in private chats and invite-only groups.
Telegram has no built-in monitoring feature for third parties, and if it did, you can bet that attackers would flee the app in droves. What can be done is to scrape and scan the public channels and groups, either directly or through an external provider, and watch them for brand mentions, leaked domains, credentials and similar indicators.
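The scanning step described above, as an added example that is not Cyberint's code or part of the original article: it takes messages that have already been collected from public channels (collection itself, for instance via Telegram's client API, is outside the block) and flags the ones that mention a monitored brand or its domains. The messages, channel names and the brand “acmebank” are constructed for the example. The point the paragraph does not show is that a plain keyword search misses most hits, because sellers write brand names as “ACME B4NK” or “a.c.m.e.b.a.n.k”, so the text is normalized before matching.

```python
import re
import unicodedata

# Constructed sample messages, as if scraped from public Telegram channels.
# The channels, texts and the brand "acmebank" are all made up for this example.
SAMPLE_MESSAGES = [
    {"channel": "leaks_market_demo", "text": "Fresh db from acmebank.example, 2M rows, dm for price"},
    {"channel": "leaks_market_demo", "text": "Selling ACME B4NK combos, valid 80%"},
    {"channel": "random_chat_demo", "text": "anyone got the new stealer build?"},
    {"channel": "combo_drops_demo", "text": "a.c.m.e.b.a.n.k logins $50 each, acme-bank.example admin creds"},
    {"channel": "combo_drops_demo", "text": "Nothing to do with that company, just memes"},
]

# What the monitored organisation asks us to watch for (hypothetical brand).
BRAND_TERMS = ["acmebank", "acme bank"]
BRAND_DOMAINS = ["acmebank.example", "acme-bank.example"]

# Common leetspeak substitutions. Folding digits into letters raises recall on
# obfuscated brand names at the cost of some false positives; tune per brand.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

DOMAIN_RE = re.compile(
    r"\b(" + "|".join(re.escape(d) for d in BRAND_DOMAINS) + r")\b", re.IGNORECASE)


def normalize(text: str) -> str:
    """Lower-case, strip accents, fold leetspeak and drop every separator so
    that 'ACME B4NK' and 'a.c.m.e.b.a.n.k' both become 'acmebank'."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z0-9]", "", text)


def scan_message(msg: dict) -> list:
    """Return a list of (kind, value) hits for one message.

    Domains are matched on the raw text so the exact domain is reported;
    brand terms are matched on the normalized text to catch obfuscation."""
    hits = []
    for domain in DOMAIN_RE.findall(msg["text"]):
        hits.append(("domain", domain.lower()))
    normalized = normalize(msg["text"])
    for term in BRAND_TERMS:
        if normalize(term) in normalized:
            hits.append(("brand", term))
            break  # one brand hit per message is enough for triage
    return hits


def scan_channels(messages: list) -> dict:
    """Group hits per channel so an analyst can decide which channels to join."""
    report = {}
    for msg in messages:
        hits = scan_message(msg)
        if hits:
            report.setdefault(msg["channel"], []).append(
                {"text": msg["text"], "hits": hits})
    return report


if __name__ == "__main__":
    for channel, entries in scan_channels(SAMPLE_MESSAGES).items():
        print(channel)
        for entry in entries:
            print("  ", entry["hits"], "<-", entry["text"])
```

Running it reports two channels, leaks_market_demo and combo_drops_demo, and leaves the unrelated chat and the “just memes” message alone. Note that a matched channel is a starting point for the manual vetting described in the next sections, not proof that the seller or the data is genuine.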
In addition, you can pose as a threat actor yourself, and use this fake identity to interact with actual threat actors who use the app. That, in essence, is the basis for our Telegram monitoring strategy at Cyberint.
How to monitor Telegram
But again, carrying out Telegram monitoring is harder than merely loading the app and starting conversations with attackers.
Finding the threat actors you want to research and getting them to talk to you is a multi-step process that requires careful planning and execution.
Step 1: Find relevant Telegram channels
First, you need to identify Telegram channels where attackers are active. This is challenging not only because such channels are rarely labeled in ways that make their purpose obvious, but also because many channels that purport to be hangouts for a given threat actor are impostors or outright scams.
For example, we recently wanted to research a threat actor known as IntelBroker, which has carried out significant attacks. When we searched for IntelBroker on Telegram, we found about eight channels claiming to be associated with accounts linked to the IntelBroker group. Upon further investigation, we found that the infamous Baphomet had posted a warning saying that all of the IntelBroker channels were scams. None of them were linked to the actual IntelBroker threat actor.
The point here is much of what you see on Telegram is not what it seems. Careful analysis is important before jumping into discussions. Otherwise, you might end up engaging with people who claim to be the threat actors you’re researching, but who turn out to be there to mislead you.
To help sort the real from the fake when selecting Telegram channels, we look at links between channels and other Dark Web resources, as well as links between Telegram channels. Based on what we already know about a threat actor, such as the names of hacking services that a group offers, we can extrapolate to identify where that group is active on Telegram.
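The link analysis described in this step, as an added example that is not Cyberint's code or part of the original article. It works over messages already collected from a set of candidate channels; the channel names, handles and .onion addresses are constructed for the example and stand in for what an analyst would have found. The idea is the one above: start from resources already known to belong to the actor (here a shop's onion address and an escrow handle), extract the Telegram handles and onion services each channel points at, and rank channels by how many known resources they reference and how many other corroborated channels link to them. A scam channel that links to the real one gains nothing from that, because only links from channels that are themselves tied to a known resource count.

```python
import re
from collections import defaultdict

# Constructed sample: channel name -> messages, as if scraped from public
# Telegram channels. All names, handles and onion addresses are made up.
SAMPLE_CHANNELS = {
    "actor_official_demo": [
        "Our only shop: http://shopdemoxyz2345abcdef.onion  backup channel t.me/actor_backup_demo",
        "Escrow via @actor_escrow_demo only, ignore impostors",
    ],
    "actor_backup_demo": [
        "Mirror of t.me/actor_official_demo, shop is shopdemoxyz2345abcdef.onion",
    ],
    "actor_fake_demo": [
        "OFFICIAL actor channel!!! pay here @fake_escrow_demo, shop http://totallydifferentshop.onion",
    ],
    "unrelated_demo": [
        "daily combo drops, join t.me/combo_feed_demo",
    ],
}

# What we already know about the actor from other sources (forum posts,
# earlier leaks): the shop's onion address and the escrow handle. Hypothetical.
KNOWN_RESOURCES = {"shopdemoxyz2345abcdef.onion", "actor_escrow_demo"}

TME_RE = re.compile(r"(?:https?://)?t\.me/([A-Za-z0-9_]{5,32})")
# '@handle' not preceded by a word character, so e-mail addresses are skipped.
HANDLE_RE = re.compile(r"(?<![\w/])@([A-Za-z0-9_]{5,32})")
# Onion hostnames are base32 (a-z, 2-7): 16 chars for v2, 56 for v3.
ONION_RE = re.compile(r"\b([a-z2-7]{16,56}\.onion)\b")


def extract_references(text: str):
    """Return (telegram_handles, onion_hosts) referenced in one message."""
    handles = set(TME_RE.findall(text)) | set(HANDLE_RE.findall(text))
    onions = set(ONION_RE.findall(text))
    return handles, onions


def build_graph(channels: dict) -> dict:
    """Map each channel to the Telegram handles and onion services it points at."""
    graph = {}
    for name, messages in channels.items():
        handles, onions = set(), set()
        for text in messages:
            h, o = extract_references(text)
            handles |= h
            onions |= o
        handles.discard(name)  # self-references carry no information
        graph[name] = {"handles": handles, "onions": onions}
    return graph


def score_channels(graph: dict, known: set) -> dict:
    """Score = number of known-authentic resources a channel references, plus
    one for each inbound link from a channel that itself references a known
    resource. Inbound links from uncorroborated channels are ignored."""
    known_hits = {name: (refs["handles"] | refs["onions"]) & known
                  for name, refs in graph.items()}
    inbound = defaultdict(set)
    for src, refs in graph.items():
        for handle in refs["handles"]:
            if handle in graph and handle != src:
                inbound[handle].add(src)
    scores = {}
    for name in graph:
        corroborating = {src for src in inbound[name] if known_hits[src]}
        scores[name] = {
            "known_resources": sorted(known_hits[name]),
            "corroborated_by": sorted(corroborating),
            "score": len(known_hits[name]) + len(corroborating),
        }
    return scores


def rank_channels(channels: dict, known: set) -> list:
    """Candidate channels, most likely authentic first."""
    scores = score_channels(build_graph(channels), known)
    return sorted(scores, key=lambda n: scores[n]["score"], reverse=True)


if __name__ == "__main__":
    scores = score_channels(build_graph(SAMPLE_CHANNELS), KNOWN_RESOURCES)
    for name in rank_channels(SAMPLE_CHANNELS, KNOWN_RESOURCES):
        print(name, scores[name])
```

On the sample data the “official” channel and its mirror score 3 and 2, while the impostor channel, which points only at its own escrow handle and a different shop, scores 0, the same as the unrelated channel. The score is a triage signal, not a verdict: the accounts inside a highly ranked channel still have to be validated as described in the next step.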
Step 2: Validate threat actors
Assessing whether a Telegram channel is actually used by threat actors is only the first step in the process. You must also determine whether the accounts active on the channel are truly owned by the threat actors you’re researching.
After all, anyone can claim to be anyone on Telegram, and there is no way within the app to verify a user’s identity. Instead, we use tactics like the following to assess whether someone is who they claim to be:
- Looking at what other Telegram users are saying about a given person, and whether other folks are vouching that their identity is real.
- Assessing which products or services the account offers and considering whether they align with what we know about the threat actor’s activity.
- Evaluating the type of language the person uses. Most threat actors love Internet slang and memes, so looking at the jargon they employ helps us validate whether they’re real threat actors.
- Making time-sensitive requests, which actual threat actors are more likely to respond to quickly. Threat actors love using time pressure themselves, and we deploy this tactic back at them.
Step 3: Engage the threat actors
Once we’ve validated a threat actor’s identity, we can begin actively engaging with them to collect insights about what they’re up to.
To do this effectively, we need to convince the threat actor that they can trust us. Using the same type of Internet slang is one way to do this because it makes threat actors believe we’re “one of them.”
Claiming to be associated with a larger threat actor entity can help us appear legitimate on Telegram, too. It builds respect in the eyes of attackers, especially if the entity is famous.
The more rapport we can build with threat actors, the more information they typically hand over to us.
Telegram monitoring: A case study
To explain what Telegram monitoring for threat intelligence purposes looks like in practice, here’s a story about a recent operation we performed to protect one of our clients.
We identified a threat to one of the client’s websites: a tool designed to bypass the site’s security controls. By tracking down and engaging on Telegram with the threat actor who built the tool, we were able to determine that the tool did not work against accounts protected by two-factor authentication. With this information, we were able to tell our client that the threat did not pose a serious risk, since two-factor authentication was already active for most of its accounts. The exceptions were some legacy accounts that lacked that protection, and these were upgraded in response to the threat.
In this case, Telegram monitoring allowed us to provide actionable guidance about how to respond to a threat. If we hadn’t been able to get this information out of the threat actor, the client would have had to wait and see how the attackers attempted to act and how much damage they could cause before devising a mitigation strategy.
What do threat actors do on Telegram?
Based on our extensive experience monitoring Telegram, we find that the most common types of risks and insights that threat intelligence teams can research through Telegram monitoring include:
- The sale of malware or malware-as-a-service that threat actors offer to people who want to attack an organization or create botnets.
- The sale of various other kinds of hacking tools, such as credential stuffing software. Typically, threat actors sell these solutions to other threat actors, who want to use them to help execute their own attacks.
- Fraud services. These don’t depend on infecting IT systems; instead, they take the form of “classic” fraud, such as selling stolen credit card numbers or purchasing items for people using credit cards that threat actors stole from other people.
Monitoring Telegram with Cyberint
Telegram monitoring can result in a trove of information – including not just insight about which types of attacks threat actors might be planning, but also technical details about how their tools work and how to protect against them.
But given the complexity of successfully finding and engaging with threat actors on Telegram, Telegram monitoring is challenging for most organizations to carry out on their own.
By partnering with Cyberint, however, Telegram monitoring becomes easy. Cyberint delivers insights gleaned from Telegram as well as a host of other platforms as part of our comprehensive threat intelligence services. To learn more, request a demo.