Hackers likely stole FBI call logs from AT&T that could put informants at risk


US telecom giant AT&T disclosed a breach in July that affected six months of 2022 call and text message logs of “almost all” of its more than 100 million customers. Beyond exposing personal communications data from a number of individual Americans, the breach also included FBI agents’ call and text records, the FBI warned. A document seen and first reported by Bloomberg notes that the FBI has made efforts to mitigate potential consequences that could lead to revelations about the identities of anonymous sources connected to investigations.

The breached data did not include the content of calls and text messages, but Bloomberg reports that communication logs were viewed for the agents’ cell phone numbers and other phone numbers they used during the six-month period. It is unclear how widely the stolen data was distributed, if at all. WIRED reported in July that after the hackers attempted to blackmail AT&T, the company paid $370,000 to try to have the trove of data deleted. In December, US investigators charged and arrested a suspect who was allegedly behind the entity that threatened to reveal the stolen data.

The FBI tells WIRED in a statement: “The FBI continually adapts our operational and security practices as physical and digital threats evolve. The FBI has the solemn responsibility to protect the identity and security of confidential human sources who provide information every day to ensure the safety of the American people, who are often themselves in danger.”

AT&T spokesman Alex Byers said in a statement that the company has “worked closely with law enforcement to mitigate the impact on government operations” and appreciates the “thorough investigation” they conducted. “As the threat from cybercriminals and nation-state actors increases, we continue to increase investments in security, monitoring and remediation of our networks,” Byers added.

The situation is coming to a head amid ongoing revelations about another hacking campaign by Chinese spy group Salt Typhoon that has compromised numerous U.S. telecommunications companies, including AT&T. In this separate situation, call and text logs for a smaller group of specific high-profile targets were exposed, in some cases including recordings as well as information such as location data.

While the U.S. government struggled to respond, a recommendation from the FBI and the Cybersecurity and Infrastructure Security Agency has been for Americans to use end-to-end encrypted platforms such as Signal or WhatsApp to communicate. Signal, in particular, stores almost no metadata about its customers and would not reveal which accounts have communicated with each other in the event of a breach. The suggestion was good advice from a data protection perspective, but was very surprising given the US Department of Justice’s historical opposition to the use of end-to-end encryption. But if the FBI has grappled with the possibility that its own informants were exposed by a recent telecommunications breach, the about-face makes more sense.

But if agents strictly followed protocol for investigative communications, the stolen AT&T call and text logs might not pose much of a threat, says Jake Williams, a former NSA hacker and vice president of research at Hunter Strategy. Standard operating procedures should be designed to take into account the possibility that call logs could be compromised, he says, and require agents to communicate with sensitive sources using phone numbers that have never been associated with them or the U.S. government. The FBI may have warned about the AT&T breach out of an abundance of caution, Williams says, or perhaps discovered that agent errors and protocol errors were captured in the stolen data. “This wouldn’t be a counterintelligence problem unless someone didn’t follow procedure,” he says.

Williams also adds that while the Salt Typhoon campaigns are known to have only affected a relatively small group of people, they have affected many telecommunications companies and the full impact of these breaches may not yet be known.

“I am concerned about the FBI sources who may be affected by this AT&T revelation, but by and large the public still does not have a full understanding of the consequences of the Salt Typhoon campaigns,” Williams said. “And it appears the U.S. government is still working to get a handle on that as well.”
