The communications app TeleMessage, which was spotted on former US national security adviser Mike Waltz's phone, has suspended “all services” as it investigates reports of at least one breach.
# Incident Report: TeleMessage Service Breach Affecting US Officials Communication Platform
## Executive Summary
The communications application TeleMessage (a Signal clone used by high-ranking US officials) suspended all services following reports of a security breach in which hackers claimed to have stolen data from the platform. The incident is significant because the service's primary feature, archiving communications, undermines the end-to-end encryption of the underlying Signal protocol: archived messages exist outside that encryption and are only as secure as the archiving platform itself. The response consisted of a temporary shutdown of all TeleMessage services to contain the incident while an external cybersecurity firm investigates.
## Incident Details
- **Discovery Date:** Sunday (reports surfaced from 404 Media and Micah Lee)
- **Incident Date:** Not stated; the breach preceded the Sunday reports and was confirmed around Sunday/Monday
- **Affected Organization:** TeleMessage (owned by Smarsh)
- **Sector:** Communications Technology, Government Services (implied by its user base)
- **Geography:** Not explicitly stated; the company was founded in Israel.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, prior to Sunday reports.
- **Vector:** Unspecified hacking/breach of the TeleMessage platform.
- **Details:** Hackers claimed to have breached the application, stealing data. NBC News later reviewed evidence of an *additional* breach.
### Lateral Movement
- **Details:** Not detailed in the summary; some movement within the TeleMessage infrastructure is implied by the reported data theft.
### Data Exfiltration/Impact
- **Details:** Reports indicate that hackers stole data from the application. The primary impact is the compromise of communications that officials believed were protected by Signal's end-to-end encryption; TeleMessage's mandatory archiving feature places those communications outside that protection.
### Detection & Response
- **How it was discovered:** Reports by 404 Media and independent journalist Micah Lee on Sunday, followed on Monday by NBC News, which reviewed evidence of an additional breach.
- **Response actions taken:** TeleMessage suspended "all services" and engaged an external cybersecurity firm to support the investigation.
## Attack Methodology
- **Initial Access:** Unspecified breach of TeleMessage servers or infrastructure.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Data gathering from user communications stored on the platform.
- **Exfiltration:** Data theft facilitated by the initial breach.
- **Impact:** Compromise of communications belonging to high-ranking officials, undermining perceived security.
## Impact Assessment
- **Financial:** Not detailed.
- **Data Breach:** Communications data belonging to high-ranking US officials (including Mike Waltz, JD Vance, Tulsi Gabbard, and Marco Rubio) was potentially compromised, because the archiving feature bypasses Signal's end-to-end encryption.
- **Operational:** TeleMessage temporarily suspended "all services."
- **Reputational:** Negative publicity for TeleMessage and for the officials using a modified, archiving version of Signal rather than the standard client.
## Indicators of Compromise
- **Network indicators:** None specified.
- **File indicators:** None specified.
- **Behavioral indicators:** Unauthorized access leading to data theft.
## Response Actions
- **Containment measures:** TeleMessage temporarily suspended "all services."
- **Eradication steps:** External cybersecurity firm engaged to support the investigation.
- **Recovery actions:** Investigation ongoing; service suspension is a precautionary measure.
## Lessons Learned
- **Key takeaways:** Communication software chosen for its purported security (Signal) can have that security fundamentally undermined by an enterprise management layer (TeleMessage's mandatory archiving): once messages are archived, their confidentiality depends on the archive provider's security rather than on the underlying protocol.
- **What could have been done better:** Officials handling highly sensitive communications should use only vetted, standard, end-to-end encrypted platforms, and should adopt administrative logging features only where they are necessary and their security implications are understood.
## Recommendations
- Organizations should assess the security implications of "enterprise" or "archived" versions of normally secure consumer applications, since features such as mandatory logging negate core security benefits such as end-to-end encryption.
- Implement strict protocols mandating the use of officially vetted, standard communication tools for classified or sensitive government communication.