CISA releases mobile best practices guide for high-value persons after China telco attacks


The US Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday released a best practices guide for government officials aimed at securing mobile communications after several reports of Chinese attacks on US telecommunications companies.

The five-page “Mobile Communications Best Practice Guidance” memorandum is designed to protect what CISA refers to as “high-value individuals,” meaning “senior government or senior political positions and likely to possess information of interest to these threat actors.”

The guide comes after multiple reports of Chinese-backed threat actors infiltrating telecommunications companies this year, including one instance of hacking Verizon and the phone records of Trump, VP candidate JD Vance, and Harris staffers.

More recently, Chinese threat actor Salt Typhoon was discovered to have breached several internet service providers in the US, all leading to a November 13th joint CISA/FBI warning that China has been actively targeting commercial telecommunications infrastructure.

“People’s Republic of China (PRC)-affiliated threat actors are targeting telecom infrastructure to steal call records & compromise communications of highly targeted individuals,” CISA posted on X.

“Protect yourself: Use end-to-end encrypted communications, such as Signal or similar apps,” it said.

Assume all communications are at risk of compromise

CISA is urging all high-profile individuals to “immediately review and apply” the eight best practices listed in the guide, the first being the use of end-to-end encryption, a directive first issued by CISA and FBI officials earlier this month.

“Highly targeted individuals should assume that all communications between mobile devices – including government and personal devices – and internet services are at risk of interception or manipulation,” CISA said.

The guide instructs users to choose encrypted apps that support one-on-one text chats, group chats with up to 1,000 participants, and encrypted voice and video calls, with disappearing messages a plus for sensitive communications.

As always, CISA also reminds users to be aware of how the apps process and store metadata.

Next, the cybersecurity agency said all high-value persons should be using FIDO phishing-resistant authentication to log into accounts, such as their Microsoft, Apple, and Google accounts.

Fast Identity Online (FIDO) is considered the strongest form of multi-factor authentication. Suggested FIDO services include Yubico or Google Titan, with the guide also noting that FIDO passkeys “are an acceptable alternative.” Gmail users are instructed to enroll in Google’s Advanced Protection Program (APP).

The third recommendation piggybacks off the first, reminding users that SMS messages are not encrypted, and that threat actors with access to a telecommunication provider’s network can intercept these messages and read them.

The fourth and fifth best practices are to always use a password manager and to set up an additional telco PIN or passcode, which is then required to log into that user’s mobile phone account.

Setting up a PIN for sensitive transactions – such as porting a mobile phone number – can help protect users from SIM swapping attacks.

Recommendations six and seven urge users to always update to the latest software, and to look for the latest hardware version from their cell phone manufacturer.

Finally, the guide warns users against using a VPN to mask their IP address, unless of course required as part of their jobs.

CISA says “personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface.”

The guide gives further recommendations specifically for Android and Apple platforms.