
Feb 05 2025
Security

As Government’s Mobile Usage Grows, So Do Cyberthreats

Nation-states’ mobile malware capabilities are evolving to exploit the modern kill chain.

Agencies can enhance their cybersecurity defenses against future attacks by analyzing how attackers target federal employees’ mobile devices using the modern kill chain.

Phishing and social engineering attacks targeting federal mobile devices will become even more prevalent as nation-states’ mobile malware capabilities evolve.

Threat actors, via a pathway known as the modern kill chain, have long identified mobile devices as an effective way to steal federal employee credentials and infiltrate networks. In October, the Cybersecurity and Infrastructure Security Agency revealed that the Chinese hacking group Salt Typhoon successfully infiltrated several major U.S. telecommunications companies. While the extent of stolen and compromised information remains unclear, attackers targeted the mobile phones of several high-ranking government officials and politicians.

In response, CISA released the Mobile Communications Best Practice Guidance, explicitly addressing “highly targeted” individuals with access to information of interest to the threat actors. Meanwhile, two senators accused the Department of Defense of failing to protect military communications amid the ongoing breach.

What’s more, a Chinese state-sponsored threat actor is suspected of targeting the U.S. Treasury late in 2024. Separately, the Library of Congress discovered in November 2024 that foreign hackers successfully accessed sensitive emails between its employees and congressional staffers as part of a suspected phishing attack.


Why So Many Mobile Attacks Succeed

The modern kill chain pathway begins with reconnaissance. Attackers learn all they can about the target agency and its employees, primarily via social media, including whether they use a single sign-on page.

Once the attacker has sufficient information, they can take a few approaches. One approach is using widely available phishing kits to mimic agencies’ SSO pages. Detailed social engineering messages, based on research, are then shared with targets via text messages or QR codes.

These attacks are much more likely to succeed because of a combination of factors, including smaller text obscuring threat details; a general lack of traditional endpoint protections for mobile; and an extensive ecosystem of mobile email and messaging applications. Victims fill out the fake SSO page with their real credentials, granting attackers access to the network. Once inside, the threat actor will try to expand their access into other apps and systems.

Alternatively, threat actors can send phishing messages containing malicious links that exploit browser vulnerabilities to install malicious code on the device. The commoditization of advanced malware and the ready availability of Malware-as-a-Service kits make creating this code an easy task for attackers. Lookout found that 60% of mobile devices run on vulnerable operating systems; if a target clicks on one of these links, attackers are very likely to successfully install malicious code and gain free rein to harvest all device activity.


High-profile phishing and social engineering attacks targeted political figures at all levels of government in 2024, including the campaigns of former Vice President Kamala Harris and President Donald Trump. That trend is expected to continue in 2025, given the government’s emphasis on integrating mobile devices into systems and workflows.

For example, efforts to use mobile devices as digital IDs are becoming more prevalent, with more than 15 states adopting them, according to the American Association of Motor Vehicle Administrators.

These efforts undoubtedly help improve citizens’ experience, as 97% of Americans under 50 own a smartphone, according to the Pew Research Center, but agencies must ensure that cyberthreats are being considered.

Preparing Agencies for a Mobile Future

Many federal officials still believe that, if mobile workloads are sandboxed, breaches won't have a significant impact. However, traditional commercial surveillance won't stop things such as screenshots, data exfiltration or the compromise of an employee's mobile device.


Mobile endpoint detection and response solutions help defend the devices themselves, whether managed or unmanaged, by blocking risky third-party app behaviors and alerting administrators to vulnerable operating systems or overly permissive apps. Mobile EDR also enhances visibility into cyber events by allowing agencies to reconstruct the attack chain.

Meanwhile, mobile threat defense solutions significantly improve agencies’ visibility into their attack surface and help streamline response efforts. These solutions provide customized mobile threat intelligence to assist IT teams in proactively identifying and mitigating vulnerabilities.

Beyond solutions, policies that define and enforce consequences for such attacks must also be implemented. Without a definitive line in the sand to deter threat actors with harsh repercussions, these attacks will become more frequent and increase in both the damage done and the sensitive data obtained.

In tandem, agencies should continue to encourage education about the security risks associated with mobile identity, helping ensure a comprehensive understanding of the risk. Through combined efforts with CISA, robust mobile threat solutions and cultural shifts that acknowledge the growing cyber risks of mobile devices, agencies can proactively protect employee devices and defend sensitive government data from evolving adversarial threats and cybercriminals — ensuring the safety of citizens and the success of government missions.
