Messaging Hack Hints at Broader U.S. Cybersecurity Weakness

A messaging app used by now-former national security advisor Mike Waltz has been hacked, prompting questions about the current Trump administration’s capability to manage its cybersecurity technology.
On the same day that President Trump called movies produced outside the U.S. “a National Security threat” on Truth Social, the technology journalism site 404 Media reported that the messaging app Waltz apparently uses on his phone was hacked.
According to 404 Media, which says it obtained proof of the hacker’s actions, messages about Coinbase, the U.S. Customs and Border Protection agency, and “other financial institutions” were obtained, along with a list of users messaged by Waltz, including Vice President JD Vance, Secretary of State Marco Rubio, and Director of National Intelligence Tulsi Gabbard. Reportedly, the messages between Waltz and these officials weren’t hacked.
Sensitive Data Exposed
News of the hack comes just days after Reuters published a photo that appeared to show Waltz using an app called TeleMessage, which is a clone of the Signal application, a government-approved app that got Waltz and his team into hot water in March.
At that time, Waltz or someone he worked with inadvertently added Atlantic Editor-in-Chief Jeffrey Goldberg to a top-level-security group chat. Subsequently, another user of Signal, Defense Secretary Pete Hegseth, shared details of the chat about a Yemen attack by U.S. forces with his wife, brother, and personal attorney.
With TeleMessage, the problem may be more than one of judgement. TeleMessage’s fork of Signal involves circumventing the encryption that Signal requires when sending messages to a storage archive. Reportedly, the security in TeleMessage is so weak that the hacker who cracked TeleMessage was able to do so within thirty minutes.
TeleMessage is an Israeli firm owned by Smarsh, a SaaS company headquartered in Portland, Oregon, that specializes in archiving sensitive electronic communications data for regulatory compliance. Smarsh competes with Archive360, Arctera, Microsoft, Proofpoint, and similar firms.
As of this writing, Smarsh had not replied to a request for comment about the TeleMessage hack.
TeleMessage’s site, except for its homepage, appears to have been taken offline.
A Systemic Pattern?
If the TeleMessage hack proves authentic, it’s yet more evidence that cybersecurity awareness isn’t up to par in the new administration. If the Signal chat problem revealed poor personal judgment, the TeleMessage debacle shows that officials at the highest level are opting for questionable cybersecurity solutions in situations that call for top security. Worse, the officials in question, such as Waltz, have been entrusted with national security decision-making.
The problem could be linked to a disregard for any cybersecurity help that doesn’t originate within the Trump administration. Despite saying last August that its emails had been hacked by Iranian cybercriminals, the Trump team, when it assumed power, refused to sign up for the General Services Administration’s customary IT and cybersecurity services. Those services are traditionally offered to all incoming administrations during a transfer of power. The Trump team said that its IT was self-funded and didn’t require the services of the government, which it feared would tamper with its agenda by putting “moles” in the IT transition team to figure out what the incoming government would be doing.
According to Federal News Network, Heath Brown, an associate professor of public policy at the John Jay College of Criminal Justice, who assisted the 2016 incoming Trump team transition, said the following about the current administration’s refusal to sign on for cybersecurity assistance:
“I think if they were to offer one piece of advice to the Trump transition team, it would be to pay very, very close attention to the cybersecurity infrastructure that the transition team is using…. Turning down cooperation with the GSA would also be turning down some of the cybersecurity expertise of the federal government. To go at this alone, without the aid of GSA and the technology expertise around cyber, would be, I think, a very risky decision.”
In the end, Trump’s team refused the GSA services, which included the government’s security gear and guidelines for best security practices. Subsequent cuts, especially at the Cybersecurity and Infrastructure Security Agency (CISA), alarmed many observers.
Much of the government's problem with cybersecurity appears to be based on human error. Sadly, those humans making the errors are at the top levels of security policy. The Trump administration could, however, choose to make this an opportunity to take a close look not only at the products it's using but also at the need for organizational policy education and control. Given the government's stance on any resistance or outside criticism, however, chances of that may be slim.
Futuriom Take: Recent news of a messaging app hack put the White House in the frame for disregarding personal cybersecurity education about policies and procedures. Whether the administration takes the hint or passes the blame remains to be seen.