Because of an unprecedented cyberattack on phone companies like AT&T and Verizon, U.S. officials have told people to use encrypted texting apps to keep their messages safe from hackers in other countries.
It was called “Salt Typhoon” by Microsoft, and it was one of the biggest leaks of U.S. information in history. It hasn’t been fully fixed yet. During a news call on Tuesday, officials refused to say when the country’s phone lines would be free of outsiders. Government sources told NBC News that China broke into AT&T, Verizon, and Lumen Technologies to spy on users.
A representative for the Chinese Embassy in Washington, D.C., did not answer right away when asked for comment.
During the call on Tuesday, two officials—a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency—suggested that Americans who want to keep China from reading their messages use encrypted messaging apps.
Our advice, which is something we’ve already told people inside the company, is not new: encryption is your friend, whether you’re texting or talking on the phone. Greene said, “Even if the enemy can get the data, they won’t be able to do so if it is encrypted.”
The FBI official said, “People who want to make their mobile device communications even safer should think about getting a cellphone that gets regular operating system updates, responsibly managed encryption, and phishing-resistant multi-factor authentication for email, social media, and collaboration tool accounts.”
Greene said that the deal of telecoms was so big that it was “impossible” for the agencies to say “when we’ll have full eviction.”
An FBI source said that the hackers mostly got to three types of information.
One kind is call records, also called metadata, which list the phone numbers that were called and the times they were called. They mostly looked at records from the Washington, D.C., area. The FBI has no plans to tell people whose phone metadata was viewed.
The second kind has been live phone calls with certain people. The FBI official wouldn’t say how many alerts it had sent to people who were part of that campaign. In October, the presidential campaigns of Donald Trump and Kamala Harris, as well as the office of Senate Majority Leader Chuck Schumer, D-N.Y., told NBC News that the FBI had told them they were targets.
Third, there are methods that phone companies use to follow the rules set by the Commission on Accreditation for Law Enforcement Agencies (CALEA). These rules let police and intelligence agencies listen in on people’s conversations when they have a court order to do so. CALEA devices can store secret court orders from the Foreign Intelligence Surveillance Court. This court handles some U.S. intelligence court orders. The FBI agent would not say if any secret information was seen.
End-to-end protected apps have been pushed by privacy advocates for a long time. End-to-end encryption is used immediately for both calls and messages on Signal and WhatsApp. Calls and texts can also be encrypted from start to finish in Google Messages and iMessage.
The FBI and other government law enforcement agencies have a complicated relationship with encryption technology. In the past, they have pushed against full end-to-end encryption, which means that even with warrants, police can’t get to digital content. On the other hand, the FBI has also backed encryption methods that sometimes let law enforcement in.
The hacking effort was first made public before the election, but the U.S. doesn’t think it was an attempt to change the results, according to an FBI official. Instead, the U.S. thought it was a massive, normal spying operation by China to learn more about American politics and government.
“This looks like a cyberespionage campaign to us, just like all the others.” The FBI official said, “They were very specific about the telcos and ISPs in how they did it, but it falls under cyber espionage.”
Ron Wyden, D-Ore, one of the Senate’s strongest privacy advocates, told NBC News that he didn’t think America should depend on CALEA because it doesn’t encrypt such private data.
“Whether it’s AT&T, Verizon, Microsoft, Google, or any other company, when they get hacked, China and other enemies can take those communications,” he said.
