Why a mobile-focused APT could be behind John Kelly’s phone troubles
Earlier this month, news broke that White House Chief of Staff John Kelly’s personal mobile device was reportedly compromised, according to a memo acquired by Politico. I believe there’s a significant enough chance that he was attacked, not by a run-of-the-mill attacker, but by a mobile-focused Advanced Persistent Threat (mAPT) — that is, a nation-state or other highly resourced espionage-focused cyberattacker.
What we know
Kelly reportedly submitted his personal mobile device into U.S. government tech support “complaining that it wasn’t working or updating software properly,” according to the Politico report. That story comes from a memo created by White House aides and circulated throughout the administration.
There is a chance that the device had been compromised for months while in Kelly’s possession, though the report states that Kelly did not use his personal device for White House purposes.
While this may be true, a nation-state still has a lot to gain if it attacked and successfully compromised a device belonging to someone who has been in Trump’s inner circle. Using a targeted surveillanceware attack, a malicious actor would be able to control the mobile device’s microphone, listening into private conversations inside the White House or elsewhere; turn on the camera to take pictures of the surrounding area; and stealing information flowing through the device. A malicious actor could effectively turn the phone into a recording device that can be used to “bug” whatever room Kelly took it into.
All this means that whether or not Kelly actually used the compromised device for work, the very presence of the device — in the White House or anywhere he may be having sensitive conversations — became a threat to his privacy and security. And, because of his roles, a threat to national security.
Why this could be a nation-state
If the report is accurate and his device was not updating correctly, that is the major indicator that an advanced attacker could be responsible. Control over the microphone, camera, and other data stealing capabilities are all classic surveillanceware tactics used by spray-and-pray (i.e., non-targeted) actors everywhere. But installing features that prevent the phone from updating its software, however, is something more. This is especially true if the device is an iPhone, as has been speculated.
We saw this kind of functionality with Pegasus, a highly sophisticated mobile threat Lookout discovered with Citizen Lab in August 2016, targeting primarily political dissidents and journalists. Pegasus completely compromised the device, gaining deeper control over the operating system, and disabled the update mechanisms in order to stay on the device.
Such a move denotes far more maturity and forethought than most surveillanceware operators have. It means that the operators have a specific mission in mind, and likely a specific target as well. The operators would have a sincere interest in making sure the device stays in their control.
Achieving this kind of persistent device compromise is not an easy task. Nation-states often have the resources as well as the motivation to launch and maintain these kinds of cyberattacks.
How it could have gotten on the device
As is the case with most targeted cyberattacks these days, phishing is likely how Kelly’s phone was compromised. On mobile devices, phishing tends to manifest as messages sent through any number of communications apps whether generic SMS or Messages apps that come with the platform or newer social messengers like WhatsApp, WeChat, Snapchat or Facebook Messenger. These phishing messages usually lead to a website or contain an attachment that that can compromise a device, or recommend that the target install an application on the device.
Exploiting personal devices and accounts is a popular method for attacking high-value targets like Kelly. For starters, personal devices are less likely to have security software installed that would alert the victim to an attack. Furthermore, phishing can be most effective when taking advantage of personal details and delivered to a personal device.
For example, in the case of Pegasus, we observed the following phishing message, “New secrets about torture of Emiratis in state prisons,” which was extremely relevant to the target. Citizen Lab identified a phishing message to one of the Mexican targets stating, “Mr. Simon, [daughter’s name] was just in an accident, she is in grave condition, I hope can you come, here is where she is hospitalized.” When the victim clicked the link (presumably with directions to the hospital), it compromised the device in the background.
What the White House should do now
If reports are true, tech support has already confiscated the device and likely removed its access from the internet.
In addition, White House tech staff should investigate all the phones around John Kelly — his inner circle and perhaps even a couple hops outside of his circle — auditing them for suspicious text messages and apps. They should also perform initial forensics on the devices to look for any indications of compromise and install software that looks for compromise, in the same way that they would install AntiVirus/AntiMalware software on his computer.
Any government employee close to the incident should monitor their own devices for weird behavior and report questionable messages.
It’s never been clearer that nation-state attackers are incorporating mobile device compromise into their broader espionage campaigns. High value targets in government or private enterprise should treat their mobile devices as computers that nation-states are actively looking to attack.
Mike Murray is Vice President of Security Research and Response at Lookout.