Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
US telecommunications giant AT&T disclosed a breach in July that involved six months’ worth of call and text messaging records from “almost all” of its more than 100 million customers. In addition to exposing personal communications data for a number of individual Americans, the breach also included call and text records of FBI agents, the agency has been alerted. A document seen and first reported by Bloomberg indicates that the agency has been scrambling to mitigate any potential fallout that could lead to revelations about the identities of anonymous sources connected to investigations.
The breached data did not include the content of calls and texts, but Bloomberg reports that it would have shown communication logs for the agents’ mobile numbers and other phone numbers they used during the six-month period. It is unclear how widely the stolen data has spread, if at all. WIRED reported in July that after hackers tried to extort AT&T, the company paid $370,000 in an attempt to have the data deleted. In December, US investigators charged and arrested a suspect who was reportedly behind the entity that threatened to leak the stolen data.
The FBI told WIRED in a statement: “The FBI continually adapts our operational and security practices as physical and digital threats evolve. The FBI has a solemn responsibility to protect the identity and security of confidential human sources, who provide daily information that keeps the American people safe, often at risk to themselves.”
AT&T spokesman Alex Byers said in a statement that the company “worked closely with law enforcement to mitigate the impact to government operations” and appreciates the “thorough investigation” they have carried out. “Given the growing threat from cybercriminals and nation-state actors, we continue to increase investments in security and to monitor and remediate our networks,” Byers adds.
The situation is emerging amid ongoing revelations about a different hacking campaign perpetrated by the Salt Typhoon spy group in China, which has compromised a host of American telecommunications companies, including AT&T. This separate situation exposes call and text records for a smaller group of specific high-profile targets, and in some cases includes recordings and even information such as location data.
As the US government struggles to respond, a recommendation from the FBI and the Cybersecurity and Infrastructure Agency has been for Americans to use end-to-end encrypted platforms, such as Signal or WhatsApp, to communicate. Signal in particular stores almost no metadata about its customers and would not reveal which accounts have communicated with each other if it were breached. The suggestion was sound advice from a privacy perspective, but it was very surprising given the US Department of Justice's historical opposition to the use of end-to-end encryption. If the FBI is faced with the possibility that its own informants could be exposed by a recent telecommunications breach, however, the about-face makes more sense.
If agents strictly follow protocol for investigative communications, however, the stolen AT&T call and text records don’t pose much of a threat, says former NSA hacker and Hunter Strategy vice president of research Jake Williams. Standard operating procedure should be designed to account for the possibility that call records may be compromised, he says, and should require agents to communicate with sensitive sources using phone numbers that have never been linked to them or to the United States government. The FBI could have warned about the AT&T breach out of an abundance of caution, Williams says, or it could have discovered that agent mistakes and protocol errors were caught in the stolen data. “This wouldn’t be a counterintelligence issue unless someone didn’t follow procedure,” he says.
Williams also adds that while the Salt Typhoon campaigns are only known to have impacted a relatively small group of people, they have affected many telecommunications companies, and the full impact of these breaches may not yet be known.
“I worry about the FBI sources who might be affected by this AT&T exposure, but more broadly the public still doesn’t have a full understanding of the fallout from the Salt Typhoon campaigns,” Williams says. “And it looks like the U.S. government is still working to figure that out, too.”