Hackers Allegedly Exfiltrated FBI Call Logs from AT&T, Potentially Endangering Informants

In July, AT&T, one of the largest telecommunications providers in the United States, disclosed a breach of call and text message logs covering roughly six months of 2022. The records are metadata, not content, but they cover nearly all of the company's more than 100 million customers. The exposure is a concern not only for individuals but also for the FBI, since the call and text records of its agents were among the stolen data. A document first reported by Bloomberg shows that the bureau is working to contain the risk that the exposure poses to the identities of confidential informants in ongoing investigations.

The stolen data does not include the content of calls or messages, but it does record which numbers contacted which, and when, for agents' phones and for every other number active during the breach window. That is enough to reconstruct contact patterns without reading a single message. How far the stolen data has spread remains unclear. According to WIRED, AT&T negotiated a payment of about $370,000 to the hackers to delete the data after an extortion attempt. In December, law enforcement arrested a suspect believed to be linked to the extortion.

The FBI has articulated its obligations to safeguard the identities and safety of its informants, emphasizing the need for continual adaptation to the evolving landscape of physical and digital threats. The agency recognizes that its sources often operate at considerable personal risk in providing vital information for the safety of the American public.

In a statement, an AT&T spokesperson said the company is working with law enforcement to limit the impact on government operations. The spokesperson acknowledged the growing threat from cybercriminals and pointed to ongoing investment in cybersecurity to protect the company's networks.

This breach coincides with revelations regarding activities by China’s Salt Typhoon espionage group, which has targeted various US telecom companies, including AT&T. This separate incident has allegedly exposed communication logs of high-profile individuals and, in some instances, even recorded conversations and location data.

In light of these incidents, the FBI and the Cybersecurity and Infrastructure Security Agency have advised Americans to use end-to-end encrypted messaging platforms such as Signal or WhatsApp. Such services encrypt content so that neither the provider nor the carrier can read it, and calls and messages sent through them do not produce carrier call detail records of the kind stolen from AT&T, although how much metadata each service itself retains varies. The recommendation is notable given the US Justice Department's long-standing resistance to such encryption.

Jake Williams, a former NSA hacker and current vice president of research at Hunter Strategy, notes that if FBI agents adhered strictly to prescribed protocols, call logs obtained from the AT&T breach should not pose a significant risk. Standard operational guidelines are expected to take into account the possibility of call log compromises, requiring agents to use phone numbers that have no ties to their identities or the government. Williams suggests that the FBI may be issuing cautions regarding this breach as a precautionary measure, or may have discovered operational errors captured in the stolen data.
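The point Williams makes is about linkability: a leaked call detail record set can be walked as a graph, starting from any number an adversary can attribute to the government, and an informant surfaces only if the agent's number is itself reachable from such a seed. The script below is an added illustration, not code from the article, AT&T or the FBI. It runs the kind of exposure-scoping query an incident responder (or the attacker) would run over such a dump: a breadth-first walk from attributable seed numbers. All numbers, records and the "office line" seed are constructed for the example, using reserved 555 test numbers; the case where a properly unlinked number stays invisible and the case where one slip (a burner calling the office line) links an informant are both included.

```python
from collections import Counter, defaultdict, deque

# Constructed CDR-style rows: (caller, callee, date, kind). Metadata only,
# no content, mirroring what the article says was taken. All numbers are
# reserved 555 test numbers; the roles below are assumptions for the example.
OFFICE = "+12025550100"    # publicly attributable government line (seed)
BURNER_A = "+13105550111"  # agent A's unattributed number, used per protocol
BURNER_B = "+14155550122"  # agent B's unattributed number, later misused
SOURCE_1 = "+17035550133"  # informant who only ever talks to BURNER_A
SOURCE_2 = "+18185550144"  # informant who talks to BURNER_B
NOISE = "+12025550155"     # unrelated number that called the office once

LEAKED_RECORDS = [
    (SOURCE_1, BURNER_A, "2022-06-03", "sms"),
    (BURNER_A, SOURCE_1, "2022-06-03", "call"),
    (SOURCE_1, BURNER_A, "2022-07-10", "call"),
    (BURNER_B, OFFICE,   "2022-06-05", "call"),   # operational error: burner -> office line
    (SOURCE_2, BURNER_B, "2022-06-06", "call"),
    (BURNER_B, SOURCE_2, "2022-06-20", "sms"),
    (NOISE,    OFFICE,   "2022-06-07", "call"),
]


def contact_graph(records):
    """Undirected contact graph: number -> Counter(counterparty -> interactions)."""
    graph = defaultdict(Counter)
    for caller, callee, _date, _kind in records:
        graph[caller][callee] += 1
        graph[callee][caller] += 1
    return graph


def linked_numbers(records, seeds, max_hops=2, min_contacts=1):
    """Breadth-first expansion from attributable seed numbers.

    Returns {number: hops_from_seed} for every number reachable within
    max_hops over edges with at least min_contacts interactions. Hop 1 is
    "talked to an attributable number"; hop 2 is "talked to someone who did",
    which is where an informant surfaces once an agent's number is linked.
    """
    graph = contact_graph(records)
    hops = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        current = queue.popleft()
        if hops[current] >= max_hops:
            continue
        for other, count in graph[current].items():
            if count >= min_contacts and other not in hops:
                hops[other] = hops[current] + 1
                queue.append(other)
    return hops


def candidate_sources(records, seeds, max_hops=2, min_contacts=1):
    """Numbers exactly two hops from a seed: the set an adversary reviews first."""
    hops = linked_numbers(records, seeds, max_hops, min_contacts)
    return sorted(number for number, h in hops.items() if h == 2)


if __name__ == "__main__":
    reached = linked_numbers(LEAKED_RECORDS, {OFFICE})
    for number, h in sorted(reached.items(), key=lambda kv: kv[1]):
        print(f"hop {h}: {number}")
    print("candidate sources:", candidate_sources(LEAKED_RECORDS, {OFFICE}))
```

Run as written, the walk reaches BURNER_B (one call to the office line) and from there SOURCE_2, while BURNER_A and SOURCE_1 never appear because nothing ties BURNER_A to a seed. Raising `min_contacts` to 2 suppresses the single-call noise but also hides the one-off slip, which is the trade-off an analyst has to make when deciding what counts as a link.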

Although the Salt Typhoon operations appear to have focused on a limited set of targets, the consequences for the telecommunications sector are profound, and the full impact of both breaches has yet to be assessed. As Williams notes, concerns persist about FBI sources potentially affected by the AT&T incident, and the public does not yet grasp the extent of the fallout from the Salt Typhoon campaigns.

The article does not describe how the intruders got into AT&T's systems, so mapping this breach onto specific MITRE ATT&CK techniques would be guesswork. At the tactic level, any bulk theft of this kind involves Initial Access (TA0001), sustained access for as long as the collection takes (Persistence, TA0003), Collection (TA0009) and Exfiltration (TA0010); privilege escalation is not a given, since bulk records held in a data store are often readable by an ordinary authorised account. The more concrete lesson is the one the FBI's reaction illustrates: call detail records are metadata, metadata is enough to reconstruct who talks to whom, and any organisation that stores such records should protect them with the same controls it applies to content.
