The US government’s Consumer Financial Protection Bureau (CFPB) is directing employees to minimize the use of cellphones for work-related activities, following an intrusion into major telco systems attributed to Chinese government hackers.
According to a Wall Street Journal report, the agency sent an email to all employees and contractors with a simple directive: “Do NOT conduct CFPB work using mobile voice calls or text messages.”
The warning comes on the heels of a series of hacks into US telcos and broadband providers blamed on Salt Typhoon, a Chinese government-backed cyberespionage hacking operation. The group has reportedly broken into companies like Verizon, AT&T and Lumen Technologies and has used that access to surveil politicians and critical communications systems.
“While there is no evidence that CFPB has been targeted by this unauthorized access, I ask for your compliance with these directives so we reduce the risk that we will be compromised,” the CFPB said in the email.
The Journal said the CFPB’s security leadership has advised staff to avoid discussing nonpublic data via voice calls or text messages on either work-issued or personal phones. Instead, government employees were instructed to use secure platforms like Microsoft Teams and Cisco WebEx to mitigate risks.
While the CFPB confirmed no direct targeting of its systems, the directive aligns with federal concerns over the scope of the Salt Typhoon intrusions that has ensnared sensitive communications of key U.S. government officials, senior policymakers, and political figures.
According to reports, the Chinese hacking team has already siphoned data on calls recorded phone audio from high-value targets in the US, including individuals associated with both US presidential campaigns.
Technical details and official information on the Salt Typhoon intrusions are being kept under wraps.
Related: China’s Salt Typhoon Hacked AT&T, Verizon: Report
Related: Censys Finds Exposed Servers as Volt Typhoo Targets Service Providers
Related: China’s Volt Typhoon Exploiting Zero-Day in Servers Used by ISPs, MSPs
Related: Five Eyes Agencies Issue New Alert on Chinese APT Volt Typhoon