WASHINGTON — Cybersecurity investigators noticed a highly unusual software crash — it was affecting a small number of smartphones belonging to people who worked in government, politics, tech and journalism.
A child holds an iPhone at an Apple store Sept. 25, 2015, in Chicago.
The crashes, which began late last year and carried into 2025, were the tipoff to a sophisticated cyberattack that may have allowed hackers to infiltrate a phone without a single click from the user.
The attackers left no clues about their identities, but investigators at the cybersecurity firm iVerify noticed that the victims all had something in common: They worked in fields of interest to China's government and were targeted by Chinese hackers in the past.
Foreign hackers have increasingly identified smartphones, other mobile devices and the apps they use as a weak link in U.S. cyberdefenses. Groups linked to China's military and intelligence service have targeted the smartphones of prominent Americans and burrowed deep into telecommunication networks, according to national security and tech experts.
People are also reading…
It shows how vulnerable mobile devices and apps are and the risk that security failures could expose sensitive information or leave American interests open to cyberattack, those experts say.
Hackers can now steal passwords over Zoom using the help of AI. A new study reveals that artificial intelligence can steal passwords with a 93…
“The world is in a mobile security crisis right now,” said Rocky Cole, a former cybersecurity expert at the National Security Agency and Google and now chief operations officer at iVerify. “No one is watching the phones.”
U.S. authorities warned in December of a sprawling Chinese hacking campaign designed to gain access to the texts and phone conversations of an unknown number of Americans.
“They were able to listen in on phone calls in real time and able to read text messages,” said Rep. Raja Krishnamoorthi of Illinois. He is a member of the House Intelligence Committee and the senior Democrat on the Committee on the Chinese Communist Party, created to study the geopolitical threat from China.
Chinese hackers also sought access to phones used by Donald Trump and running mate JD Vance during the 2024 campaign.
The Chinese government denied allegations of cyberespionage and accused the U.S. of mounting its own cyberoperations. It says America cites national security as an excuse to issue sanctions against Chinese organizations and keep Chinese technology companies from the global market.
“The U.S. has long been using all kinds of despicable methods to steal other countries’ secrets,” Lin Jian, a spokesman for China’s foreign ministry, said at a recent press conference in response to questions about a CIA push to recruit Chinese informants.
U.S. intelligence officials have said China poses a significant, persistent threat to U.S. economic and political interests, and it has harnessed the tools of digital conflict: online propaganda and disinformation, artificial intelligence and cyber surveillance and espionage designed to deliver a significant advantage in any military conflict.
Mobile networks are a top concern. The U.S. and many of its closest allies have banned Chinese telecom companies from their networks. Other countries, including Germany, are phasing out Chinese involvement because of security concerns. But Chinese tech firms remain a big part of the systems in many nations, giving state-controlled companies a global footprint they could exploit for cyberattacks, experts say.
Attendees walk past an electronic display showing recent cyberattacks in China at the China Internet Security Conference on Sept. 12, 2017, in Beijing.
Chinese telecom firms still maintain some routing and cloud storage systems in the U.S. — a growing concern to lawmakers.
“The American people deserve to know if Beijing is quietly using state-owned firms to infiltrate our critical infrastructure,” U.S. Rep. John Moolenaar, R-Mich. and chairman of the China committee, which in April issued subpoenas to Chinese telecom companies seeking information about their U.S. operations.
Mobile devices can buy stocks, launch drones and run power plants. Their proliferation has often outpaced their security.
The phones of top government officials are especially valuable, containing sensitive government information, passwords and an insider's glimpse into policy discussions and decision-making.
The White House said last week that someone impersonating Susie Wiles, Trump’s chief of staff, reached out to governors, senators and business leaders with texts and phone calls.
It’s unclear how the person obtained Wiles’ connections, but they apparently gained access to the contacts in her personal cellphone, The Wall Street Journal reported. The messages and calls were not coming from Wiles’ number, the newspaper reported.
While most smartphones and tablets come with robust security, apps and connected devices often lack these protections or the regular software updates needed to stay ahead of new threats. That makes every fitness tracker, baby monitor or smart appliance another potential foothold for hackers looking to penetrate networks, retrieve information or infect systems with malware.
Federal officials launched a program this year creating a “cyber trust mark” for connected devices that meet federal security standards. But consumers and officials shouldn’t lower their guard, said Snehal Antani, former chief technology officer for the Pentagon’s Joint Special Operations Command.
It doesn't matter how secure a mobile device is if the user doesn't follow basic security precautions, especially if their device contains classified or sensitive information, experts say.
China and other nations will try to take advantage of any lapses, and national security officials must take steps to prevent them from recurring, said Michael Williams, a national security expert at Syracuse University.
“They all have access to a variety of secure communications platforms,” Williams said. "We just can't share things willy-nilly.”
How federal rules on cybersecurity breach transparency for businesses were challenged in court in 2024
How federal rules on cybersecurity breach transparency for businesses were challenged in court in 2024
In October, four companies collectively paid nearly $7 million as part of a settlement with the Securities and Exchange Commission for allegedly failing to properly inform investors of a cyberbreach affecting their companies, a liability American businesses have not previously faced.
The companies were compromised in a cyberattack targeting their IT software provider in 2019. The attackers could insert a backdoor into a software update, circumventing existing security measures like encryption and authentication. The update was pushed out to potentially tens of thousands of customers, giving the attackers access to information held by those customers, which included government agencies.
That hack will stand apart from the last decade of data breach incidents in more than just its scale—its aftermath created a sandbox of sorts for testing new rules aimed at companies and intended to protect investors. It was how the four companies acted in the aftermath of the attack that drew the attention of regulators keen to exercise new rules intended to force transparency from companies affected by breaches.
Drata examined the SEC's cybersecurity disclosure rules and the court cases that have tested the agency's authority over corporate cyber practices this year to compile the latest legal commentary and expectations for businesses going into 2025. Overall, the SEC's new cybersecurity rules are meant to increase transparency about these incidents from publicly traded companies and expedite its communication more broadly to the public. Though the onus of work is on companies, consumers stand to benefit. Information that is more transparent and readily available can help inform their investment decisions.
The wide-ranging impact of a breach
Cybersecurity breaches can affect businesses, their investors, and, of course, the privacy and security of consumers, who are often embroiled in cybercrimes whether they know it or not. A 2022 survey of 1,000 American adults by cybersecurity company Varonis found that over 3 in 5 Americans (64%) had never checked to see whether they'd been affected by a data breach.
One University of Maryland study found that cyberbreaches occur nearly constantly—every 39 seconds, on average. They're expensive to deal with too.
The average data breach costs a company $4.9 million in either lost business, ransom payment, or cleanup and mitigation, according to IBM's Cost of a Data Breach report for 2024. Too often, they aren't disclosed to the public, despite their potential for harm. Security software provider Arctic Wolf's 2023 annual report found that 7 in 10 companies (72%) that experienced a data breach did not disclose it.
The complexity of the 2019 breach, the time it took to identify, and the vulnerability it created for federal government agencies, including the Department of Homeland Security, only increased the pressure on officials to enforce existing regulations in court.
The SEC filed charges against SolarWinds and its chief information security officer, Timothy G. Brown, and several of the companies involved in its 2019 cyberbreach, applying those new rules to American companies for the first time. The case against SolarWinds alleged it misled investors about its cybersecurity practices in the years leading up to the attack.
In a statement accompanying the announcement of the new rules in early 2023, SEC chair Gary Gensler likened data breaches at publicly traded companies to a fire at a company-owned facility, arguing that these occurrences are consequential to investors and other stakeholders and thus deserve to be shared transparently through SEC filings.
"Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them," Gensler said.
Partners working in international law firm Holland & Knight's cybersecurity practice dubbed the charges against SolarWinds a "landmark" case that would test the SEC's power to impose rules that would "likely create significant compliance challenges as well as litigation and enforcement risks for public companies."
Although four of the charged companies settled with the agency, most filed by the SEC against SolarWinds and its executive under its new rules were dismissed in July, dealing a blow to the agency's ability to regulate corporate cybersecurity transparency, according to legal experts. It's just one of several instances in the Biden administration where federal regulators have been stymied by courts in their attempts to expand their authority over major corporations.
The wide-ranging impact of a breach
Cybersecurity breaches can affect businesses, their investors, and, of course, the privacy and security of consumers, who are often embroiled in cybercrimes whether they know it or not. A 2022 survey of 1,000 American adults by cybersecurity company Varonis found that over 3 in 5 Americans (64%) had never checked to see whether they'd been affected by a data breach.
One University of Maryland study found that cyberbreaches occur nearly constantly—every 39 seconds, on average. They're expensive to deal with too.
The average data breach costs a company $4.9 million in either lost business, ransom payment, or cleanup and mitigation, according to IBM's Cost of a Data Breach report for 2024. Too often, they aren't disclosed to the public, despite their potential for harm. Security software provider Arctic Wolf's 2023 annual report found that 7 in 10 companies (72%) that experienced a data breach did not disclose it.
The complexity of the 2019 breach, the time it took to identify, and the vulnerability it created for federal government agencies, including the Department of Homeland Security, only increased the pressure on officials to enforce existing regulations in court.
The SEC filed charges against SolarWinds and its chief information security officer, Timothy G. Brown, and several of the companies involved in its 2019 cyberbreach, applying those new rules to American companies for the first time. The case against SolarWinds alleged it misled investors about its cybersecurity practices in the years leading up to the attack.
In a statement accompanying the announcement of the new rules in early 2023, SEC chair Gary Gensler likened data breaches at publicly traded companies to a fire at a company-owned facility, arguing that these occurrences are consequential to investors and other stakeholders and thus deserve to be shared transparently through SEC filings.
"Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them," Gensler said.
Partners working in international law firm Holland & Knight's cybersecurity practice dubbed the charges against SolarWinds a "landmark" case that would test the SEC's power to impose rules that would "likely create significant compliance challenges as well as litigation and enforcement risks for public companies."
Although four of the charged companies settled with the agency, most filed by the SEC against SolarWinds and its executive under its new rules were dismissed in July, dealing a blow to the agency's ability to regulate corporate cybersecurity transparency, according to legal experts. It's just one of several instances in the Biden administration where federal regulators have been stymied by courts in their attempts to expand their authority over major corporations.
Public disclosure requirements
The federal rules require companies to file several new disclosures in their reports to the SEC. One includes publicly sharing "material" cyber security incidents affecting the company. It requires the company to disclose when the incident happened and whether it is ongoing, a description of it, whether data was accessed or used for any "unauthorized purpose," the effect on operations, and the actions being taken to mitigate the breach.
Once a year, it also requires publicly traded companies to file their 10-K statement with the SEC, including an outline of their processes for assessing and managing any risk that might arise from a cybersecurity threat. The company must also disclose its board of directors' oversight of cybersecurity risks and management's role in assessing and managing them.
In pursuing charges against the four companies that settled, the SEC described those companies' disclosures as "generic" and "not tailored" to specific risks facing the company. Legal firm Davis Polk described the enforcement as "aggressive" and wrote in October that companies "should review their risk factors in light of recent experiences and consider whether updates are warranted." It also noted that media statements made by a company could lead to regulatory repercussions if incomplete or misleading.
In the aftermath of the dismissed charges against SolarWinds, Holland & Knight advised "companies should avoid warning about risks where the warned risk has already occurred" and not include so much specificity that it risks providing a roadmap for would-be attackers.
This story originally appeared on Drata and was produced and distributed in partnership with Stacker Studio.
