The Cybersecurity and Infrastructure Security Agency (CISA) has released new best practice guidance to safeguard mobile communications amid rising concerns over cyber espionage activities linked to People’s Republic of China (PRC)-affiliated threat actors.
These malicious actors have been targeting commercial telecommunications infrastructure to intercept call records and compromise the private communications of highly targeted individuals, including senior government officials and political figures.
The guidance, titled “Mobile Communications Best Practice Guidance,” outlines robust recommendations to enhance the security of mobile communications. While the advice benefits all users, it specifically focuses on protecting individuals who are likely to hold sensitive information of interest to cyber threat actors.
Key Highlights of the Guidance
CISA strongly advises individuals, particularly those at high risk of targeting, to assume that all mobile communications—whether on government or personal devices—are vulnerable to interception.
Although no single solution entirely eliminates risk, CISA emphasizes that adopting the outlined best practices can significantly enhance protection.
Free Webinar on Best Practices for API vulnerability & Penetration Testing: Free Registration
General Recommendations for All Users
Here is a table summarizing the recommendations:
| Recommendation | Details |
|---|---|
| Adopt FIDO Authentication | Enable phishing-resistant, hardware-based FIDO methods like Yubico or Google Titan security keys. Enroll in Google’s Advanced Protection Program for Gmail users. |
| Use End-to-End Encrypted Messaging Apps | Opt for secure messaging platforms like Signal, which feature end-to-end encryption. These apps offer enhanced privacy options such as disappearing messages while supporting text, voice, and video communication across different platforms. |
| Avoid SMS-Based MFA | Migrate to safer alternatives like FIDO authentication or authenticator apps, as SMS MFA is vulnerable to interception and phishing. |
| Use a Password Manager | Store complex passwords securely, receive alerts for weak or compromised passwords, and generate unique credentials. |
| Set a Telecom PIN | Add an additional PIN to mobile carrier accounts to reduce risks from SIM-swapping attacks. |
| Update Mobile Software Regularly | Ensure operating systems and apps are up to date by enabling automatic updates. |
| Use the Latest Mobile Hardware | Upgrade to the most recent devices to ensure critical security features are available. |
| Avoid Personal VPNs | Limit VPN use to organizational requirements to avoid increasing the attack surface. |
iPhone-Specific Recommendations
- Enable Lockdown Mode to limit exploitable attack surfaces.
- Disable SMS fallback for iMessage.
- Use iCloud Private Relay to enhance privacy by masking IP addresses and encrypting DNS queries.
- Restrict unnecessary app permissions, such as camera and microphone access.
Android-Specific Recommendations
- Choose devices from manufacturers with long-term security update commitments and features like hardware-level security modules.
- Use Rich Communication Services (RCS) with end-to-end encryption where available.
- Configure Private DNS to trusted providers like Cloudflare or Google and enable Safe Browsing features in Chrome.
- Regularly monitor Google Play Protect for malicious app detection and restrict sensitive app permissions.
A Broader Push for Cybersecurity Awareness
In addition to offering detailed technical instructions, CISA highlights the importance of reporting cyber incidents. Individuals and organizations can report threats or breaches by contacting CISA via phone, email, or its online portal.
This guidance reflects growing concerns about targeted cyberattacks on critical infrastructure, particularly in telecommunications, where vulnerabilities can have widespread implications.
By implementing these recommendations, CISA hopes to reduce risks for highly sensitive individuals and mitigate future threats from sophisticated adversaries.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free