CBP says it has "disabled" its use of TeleMessage following reports that the app, which has not cleared the US government's risk assessment program, was hacked.
# Incident Report: CBP Use of Hacked TeleMessage Signal Clone
## Executive Summary
The United States Customs and Border Protection (CBP) confirmed that it had used the TeleMessage application, a modified Signal client that archives communications, after reports surfaced that the vendor's services had been breached. Following detection of the incident and analysis revealing critical security flaws in the app's implementation, CBP disabled the service as a precautionary measure. The incident highlights the significant risk of using third-party communication tools that lack FedRAMP authorization, especially those handling sensitive government data.
## Incident Details
- Discovery Date: Sometime prior to May 7, 2025 (the date reports of breaches emerged and WIRED contacted CBP).
- Incident Date: The timeline of the TeleMessage breaches is still unfolding, with multiple reported incidents preceding the confirmation of CBP's usage.
- Affected Organization: Customs and Border Protection (CBP).
- Sector: Government / Law Enforcement.
- Geography: United States.
## Timeline of Events
### Initial Access
- Date/Time: Undisclosed/Ongoing (Attacks occurred on the TeleMessage platform).
- Vector: Exploitation of security weaknesses within the TeleMessage archiving platform.
- Details: Reports indicated a series of breaches affecting TeleMessage, following analysis that showed fundamental flaws in the service's security scheme, potentially including transmission of message logs in plaintext.
### Lateral Movement
- Not applicable; the compromise appeared to be confined to the third-party vendor (TeleMessage) hosting the communications archive, not internal CBP systems.
### Data Exfiltration/Impact
- Data potentially exfiltrated from the TeleMessage platform belonging to various government users, including CBP.
- A key impact was the exposure of data and metadata related to high-ranking officials communicating via the cloned Signal application.
### Detection & Response
- **Detection:** Data previously stolen from TeleMessage indicated that CBP was potentially a customer, prompting WIRED to investigate, which led to public confirmation.
- **Response Actions:** CBP spokesperson confirmed they "immediately disabled TeleMessage as a precautionary measure."
## Attack Methodology
- **Initial Access:** External actors gained unauthorized access to the TeleMessage service infrastructure, exploiting known or unknown vulnerabilities.
- **Persistence:** Not applicable to the government agency's network; persistence was maintained on the third-party communication platform.
- **Privilege Escalation:** Not specified; likely standard exploitation of platform weaknesses at the vendor level.
- **Defense Evasion:** The service itself was allegedly flawed (e.g., sending plaintext logs), meaning the end-to-end encryption guarantees of the underlying app (Signal) were undermined by the vendor's archiving infrastructure.
- **Credential Access:** Not specified, but message content/logs were accessible.
- **Discovery:** Intelligence gathered from data previously stolen from TeleMessage indicated CBP was a user.
- **Lateral Movement:** Not applicable to the compromised vendor system.
- **Collection:** Message logs were collected by the attackers from the TeleMessage platform.
- **Exfiltration:** Data stolen from the TeleMessage service.
- **Impact:** Exposure of sensitive government communication records archived by the third-party contractor.
## Impact Assessment
- **Financial:** Not disclosed, but costs likely include investigation, potential litigation, and necessary replacement of secure communication systems.
- **Data Breach:** Sensitive communications involving high-ranking officials were potentially exposed due to the vendor's lack of security assurance.
- **Operational:** CBP immediately disabled the platform, requiring users to switch communication methods quickly.
- **Reputational:** Damage to CBP and the security perception of communications used by high-level government officials exposed through a compromised non-approved product.
## Indicators of Compromise
- *Note: Since the incident relates to a third-party vendor breach, specific IoCs are likely tied to the TeleMessage infrastructure and are not detailed in the provided text.*
- **Network indicators:** Suspension or outage of the TeleMessage service may indicate that the vendor's communication archiving services are compromised.
- **File indicators:** Evidence of plaintext message logs being accessible from, or exfiltrated from, the TeleMessage archival service.
- **Behavioral indicators:** Unauthorized access to the TeleMessage communication archive infrastructure.
## Response Actions
- **Containment measures:** CBP immediately disabled its use of the TeleMessage platform.
- **Eradication steps:** The investigation into the scope of the breach is ongoing; TeleMessage/Smarsh suspended all services pending investigation.
- **Recovery actions:** CBP must secure alternative, compliant communication methods.
## Lessons Learned
- **Key takeaways:** Federal contractors providing critical communication archiving solutions must meet stringent security standards (e.g., FedRAMP authorization). Using commercial tools derived from consumer messaging apps for sensitive government data introduces significant, unmanaged risk.
- **What could have been done better:** CBP should have verified compliance (TeleMessage products are reportedly not FedRAMP authorized) before deploying the service for official communications.
## Recommendations
- Immediately phase out the use of all third-party communication archiving solutions that lack full FedRAMP authorization for handling sensitive government data.
- Conduct a full audit of all deployed vendor communication software to ensure adherence to established security baselines, especially concerning encryption and data storage practices.
- Review policies surrounding the use of cloned/modified consumer applications for official government business.