US Officials Told: Use Encryption to Avoid Chinese Phone Hacks

US telecommunication systems have been so badly compromised by Chinese hackers that senior government officials have been told to ditch regular phone calls and text messages.

The Cybersecurity and Infrastructure Security Agency issued a warning on Wednesday in the wake of a hacking incident described as the most widespread ever by Chinese cyber spies.

It said: “Individuals who are in senior government or senior political positions” should “immediately review and apply” best practices in regard to their use of mobile devices.

ALSO SEE: US Looking to Ban Sales of China’s TP-Link Routers: Report

The first recommendation was: “Use only end-to-end encrypted communications.”

End-to-end encryption – a data protection technique which aims to make data unreadable by anyone except its sender and its recipient – is baked into various chat apps, including Meta Platforms’ WhatsApp, Apple’s iMessage, and the privacy-focused app Signal.

Corporate offerings which allow end-to-end encryption also include Microsoft’s Teams and Zoom Communications’ online meetings, Reuters said.

Neither regular phone calls nor text messages are end-to-end encrypted, which means they can be monitored, either by phone companies, law enforcement, or – potentially – hackers who’ve broken into the phone companies’ infrastructure.

That’s what happened in the case of the cyber spies dubbed “Salt Typhoon,” a group that US officials have said is being run by the Chinese government and has taken a huge amount of data about US callers.

Beijing routinely denies allegations of cyber espionage.

‘Largest hack in US history’

But a senior US official said earlier this month that “at least” eight telecom and telecom infrastructure firms in the United States were compromised by the Salt Typhoon hackers and “a large number of Americans’ metadata” was stolen in the surveillance sweep.

Democratic Senator Ben Ray Lujan said last week the wave of intrusions “likely represents the largest telecommunications hack in our nation’s history.”

Family members of US president-elect Donald Trump and officials from the Joe Biden administration were among those targeted.

And it’s not clear that American officials have figured out how to defeat the hackers’ spy campaign.

Jeff Greene, CISA’s executive assistant director for cybersecurity, told reporters on Wednesday that the investigation remains ongoing and various targeted agencies and people are at different stages of their response.

The Salt Typhoon compromise “is part of a broader pattern of PRC activity directed at critical infrastructure,” Greene said, referring to Chinese-linked cyber operations focused on utilities and other sensitive networks and tracked under the nickname “Volt Typhoon.”

“This is ongoing PRC activity that we need to both prepare for and defend against for the long term,” Greene said.

‘Huge indictment of US telecoms’

Communicating only via end-to-end encryption has long been a recommendation pushed by digital safety experts like those at the Electronic Frontier Foundation, whose senior staff technologist Cooper Quintin welcomed the guidance. Still, he said the idea that the government was steering its own officials away from the regular phone network was worrying.

“It is a huge indictment of the telecoms that run the nation’s infrastructure,” he said.

Other recommendations include avoiding text messages based on one-time passwords – like the kind often sent by US banks to verify logins – and using hardware keys, which help protect against a password-stealing technique known as phishing.

Tom Hegel, a threat researcher at cybersecurity company SentinelOne echoed Cooper’s endorsement of the CISA guidelines, saying that “Chinese actors aren’t the only ones continuing to collect unsecured communications.”

A wide variety of spies and hackers “all stand to lose valuable access if their targets adopt these security measures,” he said.