FBI Warned Agents It Believes Phone Logs Hacked Last Year
FBI leaders have warned that they believe hackers who broke into AT&T Inc.’s system last year stole months of their agents’ call and text logs, setting off a race within the bureau to protect the identities of confidential informants, a document reviewed by Bloomberg News shows.
FBI officials told agents across the country that details about their use on the telecom carrier’s network were believed to be among the billions of records stolen, according to the document and interviews with a current and a former law enforcement official. They asked not to be named to discuss sensitive information. Data from all FBI devices under the bureau’s AT&T service for public safety agencies were presumed taken, the document shows.
The cache of hacked AT&T records didn’t reveal the substance of communications but, according to the document, could link investigators to their secret sources. The data was believed to include agents’ mobile phone numbers and the numbers with which they called and texted, the document shows. Records for calls and texts that weren’t on the AT&T network, such as through encrypted messaging apps, weren’t part of the stolen data.
AT&T publicly disclosed the breach in July and said it included six months worth of mobile phone customer data from 2022. The hackers threatened to sell the data unless the telecommunications company paid an extortion fee.
A person with knowledge of the breach, who reviewed a sample of the stolen information, confirmed that it contained records of sensitive FBI communications: the call logs of at least one agent. The person asked not to be named because the information is private.
The FBI’s concern about the hack compromising its secret sources, which hasn’t been previously reported, highlights how data stolen from phone companies has the potential to disrupt criminal investigations and national security. Former agents said it also raises questions about the bureau’s own security practices and how it safeguards its sources. US authorities are still investigating a separate breach of nine telecommunications companies, including AT&T. They blamed Chinese state-backed hackers for those intrusions, which compromised the communications of a number of people in government and politics.
The FBI declined to answer specific questions, including whether the April breach of AT&T compromised sources or investigations, or if the stolen data has since been secured. “The FBI continually adapts our operational and security practices as physical and digital threats evolve,” the agency said in a statement. “The FBI has a solemn responsibility to protect the identity and safety of confidential human sources, who provide information every day that keeps the American people safe, often at risk to themselves.”
AT&T spokesperson Alex Byers said, “After criminals stole customer data last year, we worked closely with law enforcement to mitigate impact to government operations.” He said the company appreciates law enforcement’s recent arrests for the breach and continues to “increase investments in security as well as monitor and remediate our networks.”
Former FBI and intelligence officials said stolen phone records could in theory be used by a foreign espionage service to unravel painstakingly assembled source networks, potentially imperiling criminal probes, national security operations and people’s lives.
“Any disclosure of such communications is both significantly detrimental to investigations but also potentially dangerous to confidential informants if their identity is disclosed,” said William Evanina, a retired FBI agent and the former director of the National Counterintelligence and Security Center. “Not good.”
In June, as part of its warning, FBI leaders said an in-house security team found numerous confidential sources whose communication with specific agents’ AT&T phones could be exposed, the document shows. The agency urged immediate action to limit the fallout given the possibility of hackers making the material public, and it reminded some agents to only communicate with informants using approved clandestine methods, it shows.
The AT&T breach was part of a broader series of hacks against users of the software provider Snowflake Inc. In June, Snowflake said hackers had waged a “targeted campaign” against its customers, using stolen credentials to access accounts that hadn’t been protected with multifactor authentication. The hackers broke into the accounts of as many as 165 customers. At AT&T, they stole call and text records from May 1, 2022, to Oct. 31 of that year, according to the phone company.
The Justice Department twice allowed AT&T to delay disclosing the compromise due to the potential risk to national security and public safety. During the delay, the FBI tried to limit the damage done if the data fell into the wrong hands, including analyzing which sources talked or texted with agents over AT&T phones during the relevant time frame, the document shows.
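The exposure analysis described above rests on a simple property of call and text logs: even with no message content, the pairing of numbers and timestamps reveals who was in contact with whom. The following is an added illustration, not code from the article, the FBI or AT&T, of how a defender triages such a leak. It takes a constructed CDR-style CSV export and a constructed list of handset numbers on an affected plan, and reports which counterparties contacted each handset inside the stolen window (May 1 to Oct. 31, 2022, the dates the article gives). Every number and record is invented.

```python
"""Breach-impact triage over call-detail records (CDRs).

Added example; the CSV layout, the numbers and the records are all constructed.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from io import StringIO


@dataclass(frozen=True)
class Record:
    caller: str
    callee: str
    ts: datetime
    kind: str  # "call" or "sms"


# Window of the stolen AT&T records as stated in the article.
WINDOW_START = datetime(2022, 5, 1)
WINDOW_END = datetime(2022, 10, 31, 23, 59, 59)

# Constructed sample in the shape of a CDR export; every number is invented.
SAMPLE_CDR_CSV = """caller,callee,timestamp,kind
+15550100,+15550200,2022-06-03T14:02:00,call
+15550200,+15550100,2022-06-10T09:15:00,sms
+15550100,+15550300,2022-11-02T11:00:00,call
+15550400,+15550101,2022-08-21T18:30:00,sms
+15550500,+15550600,2022-07-01T12:00:00,call
+15550101,+15550100,2022-09-09T10:10:00,call
"""

# Constructed: handsets on the affected public-safety plan (hypothetical values).
SENSITIVE_NUMBERS = {"+15550100", "+15550101"}


def parse_cdr(text: str) -> list[Record]:
    """Parse a CSV export with caller, callee, ISO-8601 timestamp and kind columns."""
    rows = csv.DictReader(StringIO(text))
    return [
        Record(r["caller"], r["callee"], datetime.fromisoformat(r["timestamp"]), r["kind"])
        for r in rows
    ]


def exposed_contacts(records, sensitive, start=WINDOW_START, end=WINDOW_END):
    """Map each sensitive number to {counterparty: contact_count} inside the window.

    Direction is ignored: a call or text in either direction reveals the relationship.
    Records outside the stolen window are not part of the exposure and are skipped.
    """
    out = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if not (start <= rec.ts <= end):
            continue
        for me, other in ((rec.caller, rec.callee), (rec.callee, rec.caller)):
            if me in sensitive:
                out[me][other] += 1
    return {k: dict(v) for k, v in out.items()}


def triage_list(exposure):
    """Flatten to (sensitive, counterparty, count), most-contacted pairs first,
    so the relationships with the largest metadata footprint are reviewed first."""
    rows = [(s, c, n) for s, contacts in exposure.items() for c, n in contacts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    exposure = exposed_contacts(parse_cdr(SAMPLE_CDR_CSV), SENSITIVE_NUMBERS)
    for sensitive, counterparty, count in triage_list(exposure):
        print(f"{sensitive} <-> {counterparty}: {count} contact(s) in window")
```

Note that the November record never appears in the output: the data the article describes covers only the six-month window, so contacts outside it were not exposed by this breach. The output is a list of relationships to review, not a list of identities; the point of the triage is to decide which counterparties need a changed contact method, exactly the kind of follow-up the article says the bureau urged.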
The FBI struck a $92 million deal for AT&T’s FirstNet service in 2020 for its “day-to-day and emergency operations.” The contract was set to last for as many as five years, and the bureau anticipated requiring 70,000 phone lines within the first year, according to records from the US Government Accountability Office.
The FBI also investigated who was behind the AT&T hack. In October, federal prosecutors charged two men, Alexander “Connor” Moucka, a Canadian citizen, and John Erin Binns, a US citizen living in Turkey. The pair are accused of extorting $2.5 million in cryptocurrency from Snowflake customers and trying to sell the stolen data. Their lawyers didn’t respond to calls and emails seeking comment, and federal court records don’t reflect whether the men have entered pleas.
Last month, a US Army soldier, Cameron John Wagenius, was arrested on charges for allegedly trying to sell confidential phone data belonging to a company, which isn’t identified in court records. The 20-year-old is believed to be behind an online persona who threatened to leak the AT&T data in November, according to Austin Larsen, an analyst with the cybersecurity firm Mandiant.
Wagenius’s court-appointed defense attorney didn’t respond to emails and phone messages seeking comment. Court records don’t indicate whether Wagenius has entered a plea.
A hacker in July claimed that AT&T paid $400,000 to have the stolen data erased, and a person familiar with the negotiations confirmed the extortion fee. AT&T previously declined to comment on the alleged payment.
The company said in its July corporate filing disclosing the breach that it “does not believe that the data is publicly available.” However, it’s unclear whether the records have been secured.
Darren Mott, who oversaw counterintelligence investigations in the FBI’s Huntsville, Alabama, office, said the bureau and other law enforcement and intelligence agencies have likely moved to protect sources based on the assumption that this data will eventually get out.
“From an operational security perspective, it’s a huge problem,” said Mott, who retired from the FBI in 2019, “which, ideally, I think will ultimately result in the bureau changing the structure and the way that they communicate with sources.”
The breach of Snowflake customers shows the danger inherent in storing sensitive data with outside companies, according to some former agents. Miguel Clarke, a former agent in Dallas who retired in 2021, said the FBI’s warning about agents’ communications with confidential informants suggests deeper problems.
“This is an op-sec failure more than a technology failure,” Clarke said, adding that it’s as troubling as an airline having to remind its pilots to “put your landing gear down before landing.”