Telegram and Russia's FSB: An Uncomfortable Relationship
Jeff Phillips, Code Siren, LLC
25 October 2023 - Industry
Introduction
Telegram is the world's fourth largest instant messaging and VoIP app (after WhatsApp, WeChat, and Facebook Messenger), with over 1.068 billion users. The app grows by 1.5 million users daily and reports 700 million monthly active users and approximately 196 million daily active users. [1] Some have called Telegram the "world's most important app" [2], and Telegram touts itself as a "privacy-oriented platform". [3] Nevertheless, in this Code Siren, LLC article, we will argue that a Faustian bargain with Russia's Federal Security Service (the "FSB") has compromised Telegram, and that your private encryption keys [4] are now accessible [5] to the Kremlin. [6]
Background
Pavel Durov and his younger brother, Nikolai, were born in St. Petersburg, Russia (at the time Leningrad, USSR). Both brothers are talented programmers and entrepreneurs. Nikolai's mathematical achievements earned him three gold medals at the International Mathematical Olympiad. [7] Both brothers attended St. Petersburg State University, "where [Pavel] successfully mastered linguistics" [8] and propaganda [9], and where Nikolai studied mathematics and computer science before earning his first Ph.D. in Arakelov geometry. [10] Nikolai earned a second Ph.D. from the University of Bonn.
In 2002, Pavel Durov created a website called Durov.com, a collection of student essays and other academic work. The website quickly became well-liked among his university colleagues. In 2004, Pavel Durov created another website called SPbgu.ru, a social networking site for Saint Petersburg State University students. The website was very popular and had over 100,000 users by 2006.
The VKontakte Era
In 2006, Pavel and Nikolai Durov founded VKontakte ("VK"), a social networking site in Russia. Within three years, VKontakte became Russia's most popular social networking site, and it had over 140 million users by 2012. [11]
VK went on to become the most frequented communication platform in Russia. [12] At the height of their VK success, the Durov Brothers offered Edward Snowden a job in St. Petersburg. [13] However, the rising popularity of VK gained the attention of Vladimir Putin and the Kremlin. Putin saw VK as a potential threat to his control of information and public opinion in Russia. The Russian government began to pressure VK, objecting to comments and demanding censorship of the forums.
In 2013, Pavel Durov's clash with the Kremlin escalated. After he ignored various government demands, on April 5 the FSB sent a team of 20 officers to raid VK's headquarters. The pretext for this heavy-handed treatment was an investigation into a supposed hit-and-run traffic incident involving Durov's Mercedes and a St. Petersburg policeman; many saw the raid as an attempt by the Kremlin to intimidate and silence Pavel. [14] Shortly afterward, Putin-linked businessman Ilya Sherbovich began a hostile takeover of VK. During the takeover, and amid allegations of a broader campaign against them, Nikolai and Pavel went into hiding. [15]
In April 2014, stating that the government had taken over VK [16], after receiving significant pressure from the Kremlin, the Durov brothers sold their remaining stake in VK and left Russia. [17] In December 2014, Gazprom acquired a majority stake in VK to "boost the Kremlin's control" over the social network. [18]
According to SimilarWeb, VK.com is now the 20th most visited website globally and Russia's fourth most visited website. [19]
The Age of Telegram
Telegram was first launched for iOS on August 14, 2013, and for Android on October 20, 2013 [20]. The company was founded as Telegram Messenger Inc. and continues to operate under this name. [21] Ironically, the idea for Telegram was inspired by an FSB SWAT team showing up at the Durovs' flat in St. Petersburg in 2013: Pavel had no secure way to contact his brother during the siege. [22]
Telegram is globally accessible with a freemium, cloud-based, and centralized business model. Its servers are distributed across five data centers in different parts of the world for load balancing and redundancy, while the operational headquarters is in Dubai, United Arab Emirates. Client apps are available for smart TVs, desktops, and mobile platforms, including official Android, iOS, Windows, macOS, and Linux apps.
Telegram generates revenue by selling sponsored messages and Telegram Premium subscriptions to individuals and to large channel-based communities. Telegram also offers large group chats called supergroups and an identity-document product named Telegram Passport. Telegram provides optional end-to-end encrypted chats (so-called "secret chats"), along with video calling, VoIP, file sharing, and other features. Telegram's service is synonymous with low-quality VoIP. [23]
Telegram Technology Stack
Telegram is a cloud-based instant messaging service known for its speed, its features, and its relaxed security. The app is widely described as an end-to-end encrypted messenger, but only messages sent through the "Secret Chats" function are end-to-end encrypted; ordinary cloud chats are encrypted only between the client and Telegram's servers, and Telegram holds those keys. [24] Telegram maintains seven client app releases for smartphones, tablets, computers, and web browsers.
Telegram's technology stack combines open-source and proprietary software. The client apps are open source and are written in Objective-C and Swift for iOS, Java for Android, and C++ for the desktop versions. The server-side components are closed source and are written in C++ and Go.
Telegram's distributed architecture, with multiple data centers located worldwide, improves reliability and minimizes service disruptions, but every data center is also a place where data can be seized or compromised. Telegram's optional peer-to-peer mode for voice calls reduces server load and improves call quality, but it also exposes each party's IP address to the other and widens the attack surface.
One of Telegram's key features is its support for end-to-end encryption, but this applies only to "Secret Chats". [25] For "Secret Chats," Telegram uses its own MTProto 2.0 protocol, in which the two clients agree on a key through a 2048-bit Diffie-Hellman exchange and encrypt messages with AES-256 in IGE mode, with SHA-256 for key derivation and integrity. Diffie-Hellman is not post-quantum safe, so this architecture offers no protection against a large quantum computer. It is widely reported that all other Telegram messages are stored on Telegram's servers in a form that Telegram itself can read; Telegram describes cloud chats as stored encrypted, but the keys are under Telegram's control. [26]
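The distinction above, between a key the server holds and a key only the two clients hold, is the whole security argument of this section, so here is a runnable model of it. This is an added illustration, not Telegram's code or MTProto itself: the Diffie-Hellman group is a toy 127-bit prime standing in for Telegram's 2048-bit group, and a SHA-256 keystream with an HMAC tag stands in for AES-256-IGE, so that the script runs on the Python standard library alone. The `Server`, `secret_chat` and `demo` names are ours. It also goes one step past the text: the `mitm` flag makes the relaying server substitute its own Diffie-Hellman values, which is exactly what a key-fingerprint comparison between the two parties is meant to catch.

```python
"""Toy model of Telegram's two chat modes (added illustration, not Telegram code).

Cloud chat:  client encrypts to the server, which holds the key and reads it.
Secret chat: clients agree a key by Diffie-Hellman; the server only relays
             public values and stores ciphertext it cannot open, unless it
             plays man-in-the-middle, which the key fingerprints reveal.
"""
import hashlib
import hmac
import secrets

# Toy DH group: 2**127 - 1 is the Mersenne prime M127. Prime, but far too small
# to be secure; it stands in for MTProto's 2048-bit server-supplied group.
P = 2**127 - 1
G = 5


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode. Stand-in for AES-256-IGE."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> tuple:
    """Encrypt-then-MAC; returns (nonce, ciphertext, tag)."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce, ct, hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Plaintext, or None when the key is wrong or the data was tampered with."""
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return _keystream_xor(key, nonce, ct) if hmac.compare_digest(expected, tag) else None


def dh_key(peer_pub: int, priv: int) -> bytes:
    """Shared secret hashed down to a 32-byte key (fits in 16 bytes since P < 2**127)."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def key_fingerprint(key: bytes) -> str:
    """Short digest the two users compare out of band (Telegram shows an image)."""
    return hashlib.sha256(key).hexdigest()[:16]


class Server:
    """Holds every client's cloud key; for secret chats it should only relay."""

    def __init__(self, mitm: bool = False):
        self.cloud_keys = {}        # name -> key shared with the server
        self.readable = []          # plaintext the server decrypted and stored
        self.opaque = []            # secret-chat blobs the server merely stores
        self.mitm = mitm
        self._mitm_priv = secrets.randbelow(P - 2) + 2
        self._mitm_keys = {}        # name -> key the MITM server shares with them

    def register(self, name: str) -> bytes:
        self.cloud_keys[name] = secrets.token_bytes(32)
        return self.cloud_keys[name]

    def store_cloud(self, sender: str, nonce, ct, tag) -> None:
        self.readable.append((sender, unseal(self.cloud_keys[sender], nonce, ct, tag)))

    def relay_dh(self, src: str, pub: int) -> int:
        """Honest relay passes pub through; a MITM swaps in its own value."""
        if not self.mitm:
            return pub
        self._mitm_keys[src] = dh_key(pub, self._mitm_priv)
        return pow(G, self._mitm_priv, P)

    def store_secret(self, nonce, ct, tag) -> None:
        self.opaque.append((nonce, ct, tag))

    def try_read_secret(self) -> list:
        """Whatever the server can recover from stored secret-chat blobs."""
        keys = list(self.cloud_keys.values()) + list(self._mitm_keys.values())
        out = []
        for nonce, ct, tag in self.opaque:
            found = None
            for k in keys:
                found = unseal(k, nonce, ct, tag)
                if found is not None:
                    break
            out.append(found)
        return out


def secret_chat(alice: str, bob: str, server: Server) -> tuple:
    """Two-message DH through the server; returns (alice_key, bob_key)."""
    a, b = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    pub_a_seen_by_bob = server.relay_dh(alice, pow(G, a, P))
    pub_b_seen_by_alice = server.relay_dh(bob, pow(G, b, P))
    return dh_key(pub_b_seen_by_alice, a), dh_key(pub_a_seen_by_bob, b)


def demo(mitm: bool = False) -> dict:
    server = Server(mitm=mitm)
    alice_cloud = server.register("alice")
    server.register("bob")
    server.store_cloud("alice", *seal(alice_cloud, b"cloud: meet at 9"))   # constructed message
    key_a, key_b = secret_chat("alice", "bob", server)
    nonce, ct, tag = seal(key_a, b"secret: meet at 9")                      # constructed message
    server.store_secret(nonce, ct, tag)
    return {
        "server_reads_cloud": server.readable[0][1],
        "bob_reads_secret": unseal(key_b, nonce, ct, tag),
        "server_reads_secret": server.try_read_secret()[0],
        "fingerprints_match": key_fingerprint(key_a) == key_fingerprint(key_b),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("MITM server:" if flag else "honest server:", demo(flag))
```

With an honest server the cloud message comes back in the clear from the server's own store, the secret message is readable only by Bob, and both fingerprints agree. With the MITM server the picture flips: the server can read the "secret" message and Bob cannot, and the fingerprints differ, which is why comparing them in person is the one check a user has against a relay that holds the keys.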
Telegram Vulnerabilities
Telegram's encryption has had real weaknesses in the past. In 2021, researchers from ETH Zurich and Royal Holloway, University of London, identified four cryptographic vulnerabilities in MTProto. These weaknesses could let an attacker on the network reorder messages between a client and the server and, under specific conditions, recover some plaintext from encrypted messages. [27]
Telegram has since patched the four vulnerabilities, but the incident highlights the importance of choosing messaging apps whose encryption protocols are well scrutinized and publicly auditable.
A security researcher from Shielder discovered a series of vulnerabilities in Telegram's handling of animated stickers that could let an attacker send a modified sticker and expose the victim's data. Thirteen vulnerabilities were found in total: one heap out-of-bounds write, one stack out-of-bounds write, one stack out-of-bounds read, two heap out-of-bounds reads, one integer overflow leading to a heap out-of-bounds read, two type confusions, and five denial-of-service bugs (null-pointer dereferences). [28] Telegram has since patched all 13.
Telegram has also had its share of account-takeover attacks that never touch the cryptography. For example, Brazilian attackers hijacked Telegram accounts by getting into their victims' voicemail. Using an app called BRVoz to spoof the caller ID of the victim's own phone number, they could reach the carrier's voicemail box, which accepted caller ID as its only authentication. They then requested a Telegram login for the victim's number while the victim's phone was unreachable: Telegram's fallback delivers the confirmation code by voice call, the call landed in the voicemail the attackers controlled, and the code was all they needed to log in. Telegram's optional two-step verification (an account password required in addition to the code) defeats this attack, but it is off by default. This type of hack is also blamed for the exposure of Puerto Rico Governor Ricardo Rosselló's Telegram account, which forced him to resign after chats about a corruption scandal involving federal hurricane-relief funds, along with profane messages, were released to the public. [29]
A series of tweets from Moxie Marlinspike, the co-founder of competitor Signal, has raised many concerns about Telegram's lack of security. Starting on December 23, 2021, Marlinspike posted, "It's amazing to me that after all this time, almost all media coverage of Telegram still refers to it as an 'encrypted messenger.' Telegram has a lot of compelling features, but in terms of privacy and data collection, there is no worse choice." [30]
Moxie later tweeted, "Telegram stores all your contacts, groups, media, and every message you've ever sent or received in plaintext on their servers. The app on your phone is just a "view" onto their servers, where the data actually lives. Almost everything you see in the app, Telegram also sees." [31]
On February 24, 2022, Marlinspike continued his previous posts with, "Telegram is the most popular messenger in urban Ukraine. After a decade of misleading marketing and press, most ppl there believe it's an 'encrypted app'[.] The reality is the opposite--TG is by default a cloud database w/ a plaintext copy of every msg everyone has ever sent/recvd." [32]
According to Searchlight Security CTO and Co-Founder Dr. Gareth Owenson, "Telegram has a reputation as a secure messaging app, but this is largely due to the feature set it offers rather than the strong encryption. Research by Royal Holloway recently found vulnerabilities in the cryptography used by Telegram." [33]
Roskomnadzor v. Telegram
The Russian Federal Service for Supervision of Communications, Information Technology and Mass Media, or Roskomnadzor (RKN), is the Russian federal executive agency responsible for monitoring, controlling, and censoring Russian mass media.
Roskomnadzor v. Telegram was a landmark court case in 2018 between the Russian government and the messaging app. The litigation centered on the Russian intelligence agency FSB's 2017 demand that Telegram hand over its private encryption keys. This access would have allowed the FSB to decrypt users' messages and monitor their communications. Telegram refused to comply, arguing that doing so would violate user privacy and was technically impossible due to Telegram's encryption architecture.
The case primarily revolved around Article 10.1 of Federal Law 149-FZ of 2006, often called the "Law on Information, Information Technologies, and Information Protection," and Federal Law 374-FZ of 2016, referred to as the "Yarovaya Law." These laws and subsequent amendments give the authorities a legal basis for demanding encryption keys. [34]
The case was widely seen as a test of the Russian government's commitment to online freedom of expression. On April 13, 2018, the Tagansky District Court in Moscow ruled in favor of Roskomnadzor and ordered Telegram to be blocked in Russia.
Telegram appealed the decision, but the Supreme Court of Russia upheld the block on June 20, 2018, leading to nationwide restrictions on Telegram's services.
Despite the court order, Telegram remained largely accessible in Russia. Roskomnadzor's blocking of the app's IP addresses, which began in April 2018, also knocked out millions of unrelated cloud-hosting addresses and was widely circumvented. Nevertheless, on June 22, 2020, Roskomnadzor suddenly announced that it had reached an agreement with Pavel Durov and unblocked Telegram's IP addresses, stating that "the decision was taken in light of the readiness voiced by Pavel Durov… to cooperate." [35]
Telegram's Failed ICO and Subsequent Bond Offering
In January 2018, Telegram began raising about $1.7 billion in a private token sale (an ICO), much of it from US investors, to fund its blockchain platform and payment system, the Telegram Open Network (TON). In October 2019, the US Securities and Exchange Commission sued Telegram over the offering, and in June 2020 Telegram agreed to return more than $1.2 billion to investors and pay an $18.5 million civil penalty. [36]
Returning $1.2 billion required rapid financing with a minimum raise of at least $1 billion. [37] VTB Capital, the investment banking arm of VTB, Russia's second-largest bank, stepped up to represent Telegram in the capital markets. [38] VTB, a state-controlled institution, was the lead arranger of the bond offering and brought Telegram the investors it needed in its order book to refund the TON investors. [39] The Russian Direct Investment Fund (RDIF) participated in the transaction. [40] VTB, arguably controlled by the Kremlin, put an astronomical $124 billion pre-money valuation on Telegram, constructed on a highly speculative enterprise-value-per-daily-active-user approach.
Mubadala, a UAE sovereign wealth fund, and their sub-fund Abu Dhabi Catalyst Partners purchased $150 million in bonds [41] on March 23, 2021. Putin's allies and oligarchs, Roman Abramovich and former Russian government member Mikhail Abyzov, also provided capital. [42] The next day, on March 24, 2021, Mubadala announced it purchased a portion of the bonds on behalf of the RDIF. [43]
Three months after the financing closed, Mr. Putin proudly announced on Russia-1 television's Direct Line, an annual marathon Q&A call-in show, "We reached an agreement with Telegram. It is operational, and everything is fine." [44] This comment was widely interpreted as a signal that Vladimir Putin and Pavel Durov had come to terms.
Hot Tip: It Is Unhealthy to Criticize President Vladimir Putin and the Kremlin
It has become quite unwise to criticize President Vladimir Putin in recent years. The Russian government has cracked down on dissent, and criticizing the government, including Putin and the Kremlin, can have serious consequences.
Since 2000, there has been a series of mysterious deaths among the Russian elite, journalists, dissidents, and vocal critics, which some experts believe could be linked to President Vladimir Putin. Since the launch of Russia's war in Ukraine, 39 high-profile figures have died under suspicious circumstances. These include sudden "suicides" and falls from windows. [45]
According to the Committee to Protect Journalists (CPJ), 43 journalists and media workers have been killed in Russia since Vladimir Putin came to power in 2000. Of those, 15 were murdered in direct retaliation for their work. The CPJ also reports that 26 dissidents have been killed in Russia during the same period, although it is difficult to say definitively how many of these deaths were directly related to their political activities. [46] Many of these deaths are ruled "suicide" and quickly brushed aside by the Russian authorities.
In 2022, Russia passed a law that makes it illegal to spread "fake news" about the Russian military, which can include criticizing the war in Ukraine. This law has been used to arrest and imprison journalists and activists. The Russian government has also used other laws to suppress dissent, such as laws against extremism and hate speech. These laws have been used to target people who criticize the government, even if their criticism is peaceful.
The Kremlin Has Entered the Chat
In June 2022, the North Atlantic Treaty Organization (NATO) warned about the security of the messaging app Telegram. NATO expressed concerns that Russia could use Telegram to spread disinformation and propaganda and that the app could be vulnerable to hacking.
Janis Sarts, the Director of NATO's Strategic Communications Centre of Excellence, said, "NATO is aware of the potential risks associated with the use of Telegram." Mr. Sarts also said, "I do have reasons to believe that there is not full integrity... Certainly, I would not see [Telegram] as a secure platform," and later stated, "I don't think it's fully safe," and "NATO members should take appropriate steps to protect their classified information and communications." [47]
According to WIRED's April 27, 2023 article entitled "The Kremlin Has Entered Your Telegram Chat," there have been many incidents where FSB officers have had access to user's chats:
"Over the past year, numerous dissidents across Russia have found their Telegram accounts seemingly monitored or compromised. Hundreds have had their Telegram activity wielded against them in criminal cases. Perhaps most disturbingly, some activists have found their "secret chats"--Telegram's purportedly ironclad, end-to-end encrypted feature--behaving strangely in ways that suggest an unwelcome third party might be eavesdropping. These cases have set off a swirl of conspiracy theories, paranoia, and speculation among dissidents, whose trust in Telegram has plummeted. In many cases, it's impossible to tell what's really happening to people's accounts--whether spyware or Kremlin informants have been used to break in, through no particular fault of the company; whether Telegram is really cooperating with Moscow; or whether it's such an inherently unsafe platform that the latter is merely what appears to be going on." [48]
One of the main concerns is that Telegram cooperates with the FSB. In 2018, Telegram was banned in Russia for refusing to hand over its encryption keys to the FSB. The ban was lifted in 2020 after Telegram agreed to "help with extremism investigations." However, it is unclear what this cooperation entails, and there is concern that the FSB may have access to Telegram user data.
Another concern is that Telegram has servers in Russia, which means the Russian authorities could seize or hack those servers and gain access to user data. On top of these concerns, Telegram has become the main source of information for over 50% of Ukraine's population. That reliance persists despite Telegram's close links to Russia and, in the assessment cited here, a high probability that Russian special services have access to user correspondence. [49]
In February 2022, the Kirov District Court in Yekaterinburg, in the Urals, convicted 21 members of the hacker group known as Lurk, some of whom allegedly worked for the Russian FSB and took part in the hack of the US Democratic Party, and sentenced them to prison terms of between five and 14 years. One suspect remains at large.
The group's leader, Konstantin Kozlovsky, received the longest sentence of 14 years after being found guilty of organizing a criminal community, fraud, and illegal access to online data. Investigators say the group used a computer virus also known as Lurk to steal about $15.6 million from Russian banks and financial institutions in 2015. The probe against the group was launched in 2016 after investigators said the hackers tried to steal a large amount of money from Concord Catering, a company owned by Kremlin-linked businessman Yevgeny Prigozhin. Some of the evidence was gathered from Telegram chats.
During the investigation, Kozlovsky claimed he was recruited by the FSB in 2008 and carried out many online hacking activities on the FSB's instructions. Among such activities, Kozlovsky cited hacking servers of the US Democratic National Committee, the personal email account of presidential candidate Hillary Clinton, and other organizations and military entities in the United States.
In March 2023, Rostec, Russia's state-owned technology and defense conglomerate, which is known for its close relationship with the FSB, reportedly bought a platform called "Okhotnik" (Охотник), which translates as "hunter." The platform allegedly lets its operators uncover the identities of anonymous Telegram users, with obvious potential for suppressing dissent and free expression. Okhotnik uses over 700 data points to make associations and correlations that can lead to unmasking anonymous Telegram users.
These data points may include: (i) Device information, such as IP address, operating system, and browser type; (ii) Account information, such as phone number, email address, and username; (iii) Contact list; (iv) Chat history; (v) Location data; and (vi) "Social media activity."
Rostec reportedly plans to sell Okhotnik to all Russian Ministry of Internal Affairs departments and operational and technical units of the country's FSB within 2023. [50]
A former FSB officer, Mikhail Polyakov, is accused of running a Telegram channel that extorted prominent Russian politicians and businessmen. The channel, known as the "Kremlin Laundress," published compromising photos and information about its targets and threatened to release more if they did not pay up.
Polyakov was arrested by Russian authorities in April 2023, is being held in custody, and faces charges of extortion and abuse of power. Telegram took the Kremlin Laundress channel down in March 2023. It is unclear whether Polyakov ran the channel alone or had accomplices. Beyond being a reminder of the widespread corruption and abuse of power in Russia, the allegations against Polyakov indicate that he used his FSB position to obtain confidential information through Telegram and extort people with it, another data point on the FSB's troublesome access to Telegram messages. [51]
In July 2023, the head of Ukrainian Intelligence, Kyrylo Budanov, claimed Russian FSB has the encryption keys to Telegram and Viber messaging apps and is using them for espionage. Mr. Budanov is quoted as saying, "The FSB, and only them, have the keys to Telegram, and [it] is an application created for espionage." [52]
This claim has not been independently verified, and the FSB has denied it. It is known, however, that the Russian government had been pressuring Telegram to hand over its encryption keys for some time. In 2018, a Russian court ordered Telegram to do so, and the company refused. This article contends that Telegram reversed that position sometime between 2020 and 2021.
If the FSB does have access to the encryption keys for Telegram, it would mean that the FSB could potentially read all of the messages sent on these apps, even if they are encrypted. This access would give the FSB a powerful tool for surveillance and espionage.
Conclusion
The Kremlin had repeatedly tried to shut down Telegram before 2020. Durov had resisted these efforts for several years. Still, in June 2020, he reached a settlement with the US Securities and Exchange Commission (SEC) that required him to return $1.2 billion to investors and pay a $18.5 million civil penalty. This settlement was likely the last straw for Durov, facing financial ruin.
Durov may have made a deal with the Kremlin and the FSB to survive. Such a deal would have required him to give the FSB access to Telegram's encryption keys, allowing it to monitor users' communications.
The timing is also suggestive. In March 2020, the Southern District of New York granted the SEC a preliminary injunction barring Telegram from delivering Grams to investors, which effectively ended the TON launch; the SEC settlement followed in June 2020. Durov may have turned to the Kremlin only after exhausting all other options. Given the severity of the SEC's allegations against Durov, the settlement was relatively lenient.
It is extremely unlikely that Durov's first choice was to accept money from Kremlin-linked investors. However, he may have felt he had no choice but to save Telegram. In conclusion, Pavel Durov likely made a Faustian Bargain with the FSB to survive and preserve Telegram.
While Telegram offers a robust set of features that has attracted over a billion users worldwide, it is not without its challenges. The issues surrounding its supposed encryption, uncomfortable ties to the Russian government, lack of user account security, and its use as a platform for spreading disinformation highlight the complexities of maintaining security and integrity on centralized digital platforms.
Users in countries friendly with Russia, such as Iran, China, India, Belarus, Kyrgyzstan, and Tajikistan, should be very careful when using Telegram. If you are politically active or critical of your home country, it is possible that your user data is being shared with your government. Users and stakeholders must stay informed about these issues and take necessary precautions.
In the wake of Russia's invasion of Ukraine, Telegram faces new challenges, such as increased scrutiny from Western governments and the potential for the platform to be used to spread Russian propaganda. However, Telegram also has the potential to be used as a platform for democratic activism in authoritarian countries (but users should be concerned with the lack of encryption). It remains to be seen how Telegram will navigate these challenges.