Surveillance of an XMPP-Based Instant Messaging Service

Recent findings have uncovered an effort to covertly intercept traffic from jabber.ru (also known as xmpp.ru), an XMPP-based instant messaging service, through servers hosted by Hetzner and Linode (a subsidiary of Akamai) in Germany.

A security researcher operating under the pseudonym ValdikSS reported:

“The attacker has issued several new TLS certificates through the Let’s Encrypt service, which were employed to hijack encrypted STARTTLS connections on port 5222 via a transparent man-in-the-middle proxy.”

Details About the Attack

The attack was exposed when one of the MiTM (Man-in-the-Middle) certificates expired without being renewed.
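The two facts above (a certificate swapped on the STARTTLS path of port 5222, and an expired certificate as the only visible symptom) describe exactly the signal a server operator can watch for. The following Python script is an added illustration, not code from this post or from the researcher: it negotiates XMPP STARTTLS the way a client does, then compares the certificate it is handed against a pinned SHA-256 fingerprint and an expected issuer, and warns when expiry is near. Hostnames, the pin and the sample certificate dictionary are constructed placeholders, not values from the incident.

```python
"""Added example: XMPP STARTTLS certificate monitor (standard library only).

Negotiates STARTTLS on port 5222 exactly as an XMPP client would and then
checks the certificate the server presents against a pinned SHA-256
fingerprint and an expected issuer, warning when expiry is near.
Hostnames, the pin and the sample certificate below are constructed
placeholders, not values from the jabber.ru incident.
"""
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def utc_day(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given day, used as the 'now' reference for checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def evaluate_certificate(cert: dict, der: bytes, pinned_fingerprint: str,
                         expected_issuer_org: str, now: datetime,
                         expiry_warn_days: int = 14) -> list:
    """Pure check over an already-fetched certificate; returns a list of findings.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert() and `der`
    the bytes from getpeercert(binary_form=True). An empty list means the
    certificate is the one the operator pinned and is not about to expire.
    """
    findings = []
    fp = sha256_fingerprint(der)
    if fp != pinned_fingerprint.upper():
        findings.append(f"fingerprint mismatch: got {fp}")
    issuer = {name: value for rdn in cert.get("issuer", ()) for name, value in rdn}
    if issuer.get("organizationName") != expected_issuer_org:
        findings.append(f"unexpected issuer: {issuer.get('organizationName')}")
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if not_after <= now:
        findings.append("certificate has expired")
    elif not_after - now < timedelta(days=expiry_warn_days):
        findings.append(f"certificate expires within {expiry_warn_days} days")
    return findings


def _read_until(sock: socket.socket, marker: bytes, limit: int = 65536) -> bytes:
    """Read from the plaintext stream until `marker` appears (size-bounded)."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise RuntimeError("connection closed during STARTTLS negotiation")
        buf += chunk
        if len(buf) > limit:
            raise RuntimeError("oversized response before STARTTLS")
    return buf


def fetch_xmpp_certificate(host: str, domain: str, port: int = 5222, timeout: float = 10.0):
    """Open a plain XMPP stream, upgrade it with STARTTLS, return (cert_dict, der).

    Default verification stays on: a certificate a public CA would not accept
    (for example an expired one, the symptom that exposed the interception)
    surfaces as ssl.SSLCertVerificationError for the caller to report.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall((f"<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
                     "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>").encode())
        features = _read_until(raw, b"</stream:features>")
        if XMPP_TLS_NS.encode() not in features:
            raise RuntimeError("server did not offer STARTTLS")
        raw.sendall(f"<starttls xmlns='{XMPP_TLS_NS}'/>".encode())
        if b"<proceed" not in _read_until(raw, b"/>"):
            raise RuntimeError("server refused STARTTLS")
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def monitor(host: str, domain: str, pinned_fingerprint: str, expected_issuer_org: str) -> list:
    """Live check against a server; an empty list means nothing to report."""
    try:
        cert, der = fetch_xmpp_certificate(host, domain)
    except ssl.SSLCertVerificationError as exc:
        return [f"TLS verification failed: {exc.verify_message}"]
    return evaluate_certificate(cert, der, pinned_fingerprint, expected_issuer_org,
                                datetime.now(timezone.utc))


# Constructed sample in the shape of getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "xmpp.example.org"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),), (("commonName", "Example R1"),)),
    "notBefore": "Jul 21 00:00:00 2023 GMT",
    "notAfter": "Oct 19 00:00:00 2023 GMT",
}
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))  # constructed bytes, not real DER
SAMPLE_PIN = sha256_fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    # Offline demonstration: the same certificate checked before and after its expiry date.
    for when in (utc_day(2023, 10, 1), utc_day(2023, 10, 20)):
        print(when.date(), evaluate_certificate(SAMPLE_CERT, SAMPLE_DER, SAMPLE_PIN, "Example CA", when))
    # Live check against your own server (hostname, pin and issuer are placeholders):
    # print(monitor("xmpp.example.org", "example.org", SAMPLE_PIN, "Example CA"))
```

Run it from cron on a host outside the provider's network and alert on any non-empty result: a pin mismatch is the interesting case, because a freshly issued Let's Encrypt certificate passes ordinary validation and only the fingerprint comparison reveals that the certificate on the wire is not the one the operator deployed.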

Available evidence suggests that the traffic redirection was configured within the hosting providers' networks, effectively ruling out other explanations such as a server breach or a spoofing attack.

This wiretapping operation is estimated to have persisted for up to six months, commencing on April 18, 2023. However, it is confirmed to have occurred at least since July 21, 2023, and continued until October 19, 2023.

Suspicious activity was initially detected on October 16, 2023, when one of the UNIX administrators of the service received a “Certificate has expired” notification while connecting to it.

Is the Activity Still Going On?

The threat actor is believed to have ceased their activities following the commencement of an investigation into the MiTM incident on October 18, 2023.

The perpetrator’s identity remains uncertain, but there is suspicion that this may be a case of lawful interception in response to a request from German law enforcement.

However, another less likely but not impossible hypothesis is that the MiTM attack represents an intrusion into the internal networks of both Hetzner and Linode, specifically targeting jabber.ru.

“The nature of the interception allows the attackers to execute actions as if they were conducted from an authorized account, without knowledge of the account password,” the researcher explained.

How Does it Work?

In practice, this means the attacker could download the account's roster, read unencrypted server-side message history, send new messages, or modify existing messages in real time.

Service users are strongly advised to assume that their communications over the past 90 days may have been compromised.

Additionally, they should check their accounts for any new, unauthorized OMEMO and PGP keys in their PEP storage and consider changing their passwords.

[Image: How does PGP encryption work? Description: PGP encryption.]

What’s Your Course Forward?

The shadowy identity of the threat actor behind this operation highlights the complexity of attributing cyberattacks.

The blurred lines between legitimate law enforcement activities and malicious intrusions into network infrastructures pose ethical implications. This incident prompts a reconsideration of the balance between privacy and security in the digital age.

It is a wake-up call for cybersecurity professionals and the wider public, calling for continuous innovation in security technologies, greater user awareness, and a renewed focus on policy and legal frameworks.

Author: Anas Hasan

Date: October 30, 2023

Anas Hasan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn't blogging, he watches football games.
