
CISA issues mobile security guidance following China hacks

Following the Salt Typhoon attacks, CISA offers advice to 'highly targeted' individuals, such as using end-to-end encryption and moving away from purely SMS-based MFA.

CISA released mobile security best practices Wednesday for "highly targeted individuals" who could be threatened by nation-state actors in the wake of the People's Republic of China targeting commercial telecommunications infrastructure.

The guidance followed a separate statement released by the FBI and CISA on Nov. 13 confirming reports that the Chinese government, via nation-state threat actors, breached major telecommunications providers as part of a far-reaching espionage campaign.

At the time, the two agencies said they had "identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders."

The telecom breaches first came to light in late September in a Wall Street Journal report on a Chinese nation-state hacking group that investigators refer to as "Salt Typhoon." In a follow-up story in October, the WSJ reported that Salt Typhoon had compromised several companies, including AT&T, Verizon and Lumen Technologies, and had stolen sensitive communications, such as data related to law enforcement agency requests. CISA and the FBI later confirmed that report.

The CISA guidance for securing mobile communications, published Wednesday, references this activity. As such, it is specifically for individuals who are more likely to be targeted in espionage activity, such as high-ranking government officials.

"While applicable to all audiences, this guidance specifically addresses 'highly targeted' individuals who are in senior government or senior political positions and likely to possess information of interest to these threat actors," the guidance read. "CISA is releasing this best practice guidance to promote protections for mobile communications from exploitation by PRC-affiliated and other malicious cyber threat actors."

The guidance includes general advice as well as more specific recommendations for Android and iPhone users. CISA urged highly targeted individuals to "immediately review and apply" the best practices to protect their communications in the wake of the telecom breaches. "Highly targeted individuals should assume that all communications between mobile devices -- including government and personal devices -- and internet services are at risk of interception or manipulation," the agency said.

Broadly, CISA recommended using phishing-resistant FIDO authentication, migrating away from SMS-based MFA to more secure methods, using a password manager, setting a PIN and MFA for one's mobile carrier account, regularly updating software, opting for the latest available phone hardware and not using a personal VPN.
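The "phishing-resistant" property CISA attributes to FIDO authentication, and the reason SMS-based MFA lacks it, is worth seeing in code. The following is an added example, not taken from CISA's guidance or from any vendor: it models the origin binding of a WebAuthn assertion with a stdlib-only toy (an HMAC key stands in for the authenticator's per-credential ECDSA signature, and `bank.example` and the other hostnames are hypothetical) and contrasts it with an SMS one-time code that any intermediary can relay unchanged.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical relying party (RP); these names are assumptions for the example.
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"


class ToyAuthenticator:
    """Stand-in for a FIDO authenticator. A real one signs with a per-RP ECDSA
    private key; to stay stdlib-only this uses an HMAC key shared with the RP.
    That is not how FIDO works, but it preserves the property shown here: the
    signature covers the rpIdHash and the browser-supplied client data."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key  # the RP stores this (stand-in for the credential public key)

    def get_assertion(self, rp_id, client_data_json):
        # authenticatorData = rpIdHash (32 bytes) || flags (0x01 = user present)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        sig = hmac.new(self._keys[rp_id], to_sign, hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(authenticator, rp_id, page_origin, challenge):
    """What the browser does on navigator.credentials.get(): it refuses an rpId
    that is not a registrable suffix of the page's host, and it writes the real
    page origin into clientDataJSON. The page's script cannot forge either."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("rpId is not a suffix of the page origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify_assertion(stored_key, expected_challenge, client_data, auth_data, sig):
    """RP-side checks, abridged from the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:  # origin binding: this defeats relay
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(
        stored_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, sig)


def fido_phishing_demo():
    """Returns (genuine login ok, what a lookalike domain gets, relayed subdomain ok)."""
    auth = ToyAuthenticator()
    stored = auth.register(RP_ID)
    challenge = secrets.token_hex(16)
    genuine = rp_verify_assertion(
        stored, challenge, *browser_get_assertion(auth, RP_ID, EXPECTED_ORIGIN, challenge)
    )
    # Lookalike domain: the browser will not even produce an assertion for bank.example.
    try:
        browser_get_assertion(auth, RP_ID, "https://bank-login.example", challenge)
        lookalike = "assertion produced"
    except ValueError:
        lookalike = "browser refused"
    # Hypothetical compromised subdomain: rpId check passes, but the RP rejects the
    # relayed assertion because the signed origin is not the one it expects.
    relayed = rp_verify_assertion(
        stored, challenge, *browser_get_assertion(auth, RP_ID, "https://evil.bank.example", challenge)
    )
    return genuine, lookalike, relayed


def sms_otp_verify(issued_code, submitted_code):
    """All an SMS OTP check can do: compare digits. Nothing binds them to an origin."""
    return hmac.compare_digest(issued_code, submitted_code)


def sms_relay_demo():
    """A code read off the carrier network or typed into a phishing page verifies fine."""
    code = f"{secrets.randbelow(10**6):06d}"  # constructed six-digit code
    captured = code  # whoever sees the SMS, or the user's form input, has it verbatim
    return sms_otp_verify(code, captured)
```

The contrast is the point: the FIDO assertion carries the origin the browser actually loaded and is signed over it, so a lookalike site never gets a usable assertion and a relayed one fails the RP's origin check, whereas the SMS code is just six digits that anyone positioned between the carrier and the user can forward unchanged.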

Notably, CISA advised using end-to-end encryption (E2EE) to protect private communications. "Adopt a free messaging application for secure communications that guarantees end-to-end encryption, such as Signal or similar apps. CISA recommends an end-to-end encrypted messaging app that is compatible with both iPhone and Android operating systems, allowing for text message interoperability across platforms," the guidance said.

The U.S. government, and specifically the FBI, had previously criticized E2EE as a tool that threat actors, criminals and terrorists use to hide illegal activity from law enforcement agencies, which were at risk of "going dark." The FBI later shifted its position to recommend "responsible encryption," or technology that would enable law enforcement agencies to access encrypted data and communications -- which would eliminate E2EE.

During a media briefing on the guidance Wednesday, CISA Executive Assistant Director for Cybersecurity Jeff Greene emphasized the importance of E2EE.

"We are very focused in particular on getting folks end-to-end encryption as quickly as possible," he said. "Encryption is your friend. It makes your data unreadable, even if the adversary were to compromise it."

During the call's Q&A, Greene was asked about the FBI's regular recommendation of "responsibly managed" encryption, which the agency broadly defines as secure encryption that would still be readable in the case of a lawful court order. In response, Greene said, "I cannot speak to or for the FBI."

For iPhone users, CISA advised highly targeted individuals to enable Lockdown Mode, disable sending messages via SMS, protect one's own DNS queries, enroll in Apple iCloud Private Relay, and review and restrict app permissions as needed. Android users, meanwhile, should prioritize phone models from manufacturers with strong security track records, only use Rich Communication Services if end-to-end encryption is enabled, configure Android private DNS, and similarly review and restrict app permissions.

During the media briefing, Greene was asked whether the PRC's targeting of individuals could be characterized as an ongoing compromise. Greene in response said the investigation is "absolutely ongoing," but stopped short of saying it reflects anything specific that China is doing at this very moment.

"I think, more broadly speaking, this particular Salt Typhoon communications compromise is part of a broader pattern of PRC activity directed at critical infrastructure," he said. "So I hesitate to narrow it to this specific campaign, because this is ongoing PRC activity that we need to both prepare for and defend against for the long term."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
