The US Consumer Financial Protection Bureau (CFPB) has issued an urgent directive barring employees and contractors from using mobile phones for work-related calls, following a major breach in US telecommunications infrastructure attributed to Chinese-linked hackers.
According to an internal memo, CFPB’s chief information officer advised staff to move sensitive discussions to secure platforms like Microsoft Teams and Cisco WebEx, reported the Wall Street Journal (WSJ).
Directive follows ‘Salt Typhoon’ attack on telecom infrastructure
The warning, prompted by fears of eavesdropping and data theft, follows what officials describe as an extensive espionage campaign believed to be carried out by a Chinese-linked hacking group, Salt Typhoon.
This group is reported to have gained unauthorized access to major US telecommunications infrastructure, including data from Verizon and AT&T, compromising the privacy of potentially thousands of Americans.
“Do NOT conduct CFPB work using mobile voice calls or text messages,” the report said, quoting the directive, which urged employees to refrain from using both personal and work-issued phones for any discussions involving sensitive or non-public information.
CFPB’s chief information officer emphasized in the email that, while there is no indication that CFPB itself was directly targeted, the directive is a proactive measure to reduce risks.
“While there is no evidence that CFPB has been targeted by this unauthorized access, I ask for your compliance with these directives so we reduce the risk that we will be compromised,” the email sent to all CFPB employees and contractors read.
Data access raises alarm over espionage targets
Salt Typhoon’s infiltration reportedly gave the group access to extensive data, including call logs, unencrypted text messages, and even audio recordings of high-profile individuals connected to national security and political campaigns, including members of the Trump and Harris presidential campaigns, according to WSJ.
“Salt Typhoon’s access to call logs, unencrypted texts, and audio communications poses a severe threat to national security. Such data can reveal sensitive information about government operations, defense strategies, and intelligence activities,” said Arjun Chauhan, senior analyst at Everest Group. “For individuals in sensitive roles, this breach compromises personal security, exposes confidential communications, and increases the risk of coercion or blackmail.”
While US agencies regularly remind employees of cybersecurity best practices, the specificity of the CFPB’s directive reflects heightened government concerns about the nature and scope of this particular breach.
“Several government officials, wary of these vulnerabilities, have already limited their cellphone use,” the report quoted a former official as saying, noting that this caution stems from an awareness that hackers can scoop up sensitive interactions with senior officials and policymakers.
In September this year, the same threat actor, Salt Typhoon, allegedly hacked US ISPs for cyber espionage.
Federal cybersecurity on high alert
The Cybersecurity and Infrastructure Security Agency (CISA), the federal body responsible for guiding cybersecurity policy across US civilian agencies, has yet to issue an official response to the attack. However, the scale of this breach has prompted discussions on reevaluating mobile communication policies within federal agencies.
A query to CISA remains unanswered.
“Beyond restricting mobile device use, agencies should implement end-to-end encryption for all communications to prevent unauthorized access,” Everest Group’s Chauhan added. “Regular security audits and updates of telecom infrastructure are essential to identify and patch vulnerabilities. Training employees on recognizing phishing attempts and secure communication practices can further reduce risks.”
“Besides, establishing incident response protocols ensures swift action in case of a breach, minimizing potential damage,” Chauhan noted.
The CFPB’s directive underscores the need for secure communication channels within the US government amid increasing risks from foreign adversaries. The full extent of the breach and the details of any other compromised agencies remain under investigation, with federal agencies, particularly those in national security, expected to tighten communication protocols to safeguard against similar threats.
As investigators continue to assess the impact of Salt Typhoon’s attack, this incident serves as a stark reminder of the importance of stringent cybersecurity protocols to protect sensitive information from sophisticated espionage efforts.