Updated: Sep 25, 2021
Telegram recently brought back group video chats within Telegram channels. The returning feature allows group video conference calls and can present new avenues for threat actors to communicate and coordinate at scale, beyond just text and voice.
There are plenty of legitimate uses of this feature on the encrypted messaging platform; however, video sharing has often been a popular method to stimulate followers of an emerging situation or coordinate activities of a group. When we look at the de-platforming that occurred after the US Capitol events (see our free in-depth reports here: https://www.osintcombine.com/reports), having an unmoderated platform can present risks: ground-swell can take hold without any ability to remove inappropriate content.
Using alt-tech platforms for distributing questionable content isn't new, but Telegram video chat presents a new risk in the way groups can build up a following in a closed (or open) channel and use more direct visceral methods to coordinate or stimulate followers with immediate feedback through video conference calls.
This article focuses first on how we can collect media directly from channels, and then on how the new video conference chat feature works. Note: this article is based on having a persona/account that can access Telegram directly for native collection. Apply your own OPSEC considerations as required here. There are lots of great resources for non-native Telegram searching & exploitation; this article is focused on more direct channel monitoring.
There are several ways to access Telegram for native viewing:
Of course, there are plenty of bespoke services, websites & databases. This article is focused on native access for source validation & verification.
If we want to focus on speed & efficiency, using the web client for Telegram is useful. Visit https://web.telegram.org and log in with your account to get started.
You will notice that a new version of the client is available and forwards you to: https://web.telegram.org/k/ - there are also other versions of the web client available. Simply change the /k/ to a /z/ or /?legacy=1 to see the different versions:
To use easier scraping methods with browser plugins or manual techniques, you will want to use the legacy version, as it doesn't change your right-click methods.
Scraping media in a channel:
Using the legacy web client, install this handy Chrome plugin for rapid collection: https://chrome.google.com/webstore/detail/scraper/mbigbapnjcgaffohmbkdlecaccepngjd
When you are viewing a channel, simply right-click on any image and click "Scrape similar.."
You will then be presented with a list of "blob" objects which reference the hosted URL of the image. A blob object is a "Binary Large Object" that is responsible for holding data. Simply put, you can use this direct URL to access & download the image directly & at scale.
Accessing the "blob" objects of the mentioned images isn't as easy in the new web client. The new interface provides more functionality for the user but removes the browser's right-click ability, which renders the plugins we usually use ineffective.
To get around this, open the "Developer Tools", go to the Network tab and filter by "blob". You will be able to see the same image URLs being processed:
Where are the video calls?
Video & audio conference calls are separate from standard chats & audio/video sharing within a Telegram channel or group. They can be started from the mobile or desktop client. When a user clicks the group's title bar, they are able to select & start an audio chat. From there they can enable video & screen sharing.
At the moment, video conference calls are limited to the first 30 people who join the voice chat. Audio-only conference calls, however, are unlimited.
The mobile app has a display similar to below:
As the video/audio chats are live and not stored or indexed (from what we can see), two requirements could be important planning considerations, depending on your needs: a) being aware of where these chats are showing up around the internet during events, and b) possibly accessing them directly to build the context of what is being said.
Chat Link Sharing
Telegram provides the ability to share a direct link for joining a group, channel, or chat. The consideration here is that during an emerging event or situation, organisers can easily distribute a link for a direct communications channel outside of their immediate Telegram group.
Keeping an eye on URLs that are Telegram audio/video chats should be a consideration for anyone conducting persistent monitoring of threat groups. The URLs will have "t.me/joinchat" in them.
We can use Google advanced searching to see how this looks when searching directly on the site, or mentions of the chat links whilst excluding the site "t.me":
We can apply additional search parameters to narrow down to particular topics or areas.
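The link monitoring and the two Google searches described above, as an added Python example that is not part of the original article: it pulls "t.me/joinchat" links out of text you have already collected, records which sources mentioned each one, and builds the on-site and off-site queries. The sample posts, the token character set and the exact search operators are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import quote_plus

# Invite form named in the article: t.me/joinchat/<token>.
# The token alphabet (letters, digits, "_" and "-") is an assumption.
# The lookbehind rejects look-alike hosts such as "nott.me".
JOIN_RE = re.compile(
    r"(?<![\w.-])(?:https?://)?t\.me/joinchat/([A-Za-z0-9_-]+)", re.IGNORECASE
)


def extract_join_links(records):
    """Map each normalised invite URL to the sources that mentioned it.

    records: iterable of (source_label, text) pairs from your own collection.
    """
    seen = defaultdict(list)
    for source, text in records:
        for token in JOIN_RE.findall(text):
            url = f"https://t.me/joinchat/{token}"  # one canonical form per token
            if source not in seen[url]:
                seen[url].append(source)
    return dict(seen)


def build_queries(topic_terms=()):
    """Build the on-site and off-site Google searches, narrowed by topic terms."""
    topic = " ".join(f'"{t}"' for t in topic_terms)
    searches = {
        "on_site": f"site:t.me inurl:joinchat {topic}".strip(),
        "off_site": f'"t.me/joinchat" -site:t.me {topic}'.strip(),
    }
    return {k: "https://www.google.com/search?q=" + quote_plus(q) for k, q in searches.items()}


# Constructed sample posts; the tokens are placeholders, not real invites.
SAMPLE = [
    ("forum-post-1", "Voice chat tonight: https://t.me/joinchat/EXAMPLEtoken_01."),
    ("paste-7", "mirror http://T.ME/joinchat/EXAMPLEtoken_01 and t.me/joinchat/EXAMPLE-token02"),
    ("blog-3", "Our public channel is t.me/examplechannel (no invite link here)."),
]

if __name__ == "__main__":
    for url, sources in extract_join_links(SAMPLE).items():
        print(url, "<-", ", ".join(sources))
    for name, url in build_queries(["rally"]).items():
        print(name, url)
```

A link that appears in more than one source, as the first constructed token does here, is a useful signal that an invite is being distributed beyond its original group.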
Additional Telegram OSINT Tools
There are some well-known tools that are common in any OSINT toolbox for Telegram. These tools generally provide the start point for finding channels or groups of interest, which you can combine with the techniques above for scraping in-channel data once you have joined or viewed (if they are open) using your personas.
Below are our picks:
Lyzem: https://lyzem.com/ - this tool is great for filtering by channels, groups, bots & telegraphs.
Telegago: https://cse.google.com/cse?&cx=006368593537057042503:efxu7xprihg#gsc.tab=0 - this custom Google search engine is great for making searches more efficient. If you take note of which domains it searches against, you can build your own around specific needs.
Telegram Analytics: https://tgstat.ru/en/search - this is a deep collection platform. You should take OPSEC considerations into account when using this tool. However, there is a vast amount of data even with the free access that could be useful for initial searching.
Building your own tools
If you are comfortable with Python development & looking to build your own Telegram tools, there is a great library called Telethon (https://github.com/LonamiWebs/Telethon).
This is a good starting point for learning about the possibilities of Telegram API development and building targeted applications. However, it is beyond the scope of this article, so we will leave that for another post.
Telegram is a widely used platform, with even greater uptake since WhatsApp privacy policies changed earlier in the year, which saw more and more users switching over to alternative platforms. With the recent announcement of "Shops" being integrated into WhatsApp (https://techcrunch.com/2020/10/22/facebook-adds-hosting-shopping-features-and-pricing-tiers-to-whatsapp-business/), this will likely stimulate more concerns around unwanted sharing of user chat data on that platform to feed into advertising pipelines. Ultimately this may result in more users switching to alternative messaging platforms.
As Telegram continues to grow in popularity, it is important to know how the platform works and what services it offers. The new video-chat/conference feature is an interesting addition that brings its capabilities in line with most other encrypted messaging apps and will be something to keep an eye on for how it is used by communities in the future.