Citizen Lab investigation reveals sophisticated surveillance actors exploiting global telecommunications infrastructure to track individuals across borders, combining network-level attacks with device-level exploits in multi-year campaigns.
The global telecommunications ecosystem, designed to connect billions, has become a covert surveillance platform according to a new investigation by Citizen Lab. The research exposes two distinct, long-running surveillance campaigns that leverage vulnerabilities in mobile network protocols to track targets worldwide, combining network-level attacks with device-level exploits in operations persisting for years.

Multi-Vector Surveillance Campaigns
The investigation identifies two sophisticated surveillance actors operating across global telecommunications networks:
- STA1: A persistent location tracking campaign using both 3G (SS7) and 4G (Diameter) signaling protocols
- STA2: A campaign combining network-level attacks with SIM card exploitation through a technique known as SIMjacker
Both campaigns demonstrate advanced tradecraft, using customized surveillance tooling to spoof operator identities, manipulate signaling protocols, and route traffic through specific interconnect network paths to evade defenses and mask attribution.
Global Infrastructure Exploitation
The attacks leveraged identifiers and infrastructure associated with operators worldwide, including networks based in the UK, Israel, China, Thailand, Sweden, Italy, Liechtenstein, Cambodia, Mozambique, Uganda, Rwanda, Poland, Switzerland, Morocco, Namibia, Lesotho, and the self-governing Island of Jersey.
"The continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security," the report states.
Technical Sophistication
STA1: Protocol Manipulation and Routing Deception
STA1 conducted a multi-stage location tracking campaign on November 25, 2024, targeting a high-profile subscriber described as a "VVIP" - likely a company executive. The campaign demonstrated a sophisticated understanding of network defenses:
- Phase 1: Reconnaissance attempts using SS7 sendRoutingInfoForSM messages
- Phase 2: Initial location attempts via SS7 protocols using geographically distributed Global Titles from operators in Cambodia, Mozambique, Sweden, Italy, Liechtenstein, and Uganda
- Phase 3: Protocol switching to 4G/Diameter with Insert-Subscriber-Data-Request messages from Tango Networks UK and 019Mobile Israel
- Phase 4: Reversion to SS7 with escalation to anyTimeInterrogation commands
- Phase 5: Final Diameter manipulation using spoofed operator identities
The actor manipulated Diameter message headers, including Origin-Host, Origin-Realm, and Route-Record fields, to conceal the true source of queries and influence routing paths.
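
A consistency check a Diameter edge agent or signaling firewall can apply to the three header fields named above, as an added example that is not code from the Citizen Lab report. The peer and realm names, the message dictionary layout, and the `PEER_REALMS` policy table are constructed assumptions; networks that apply topology hiding will need to relax the Route-Record check.

```python
# Constructed interconnect policy: the Origin-Realms each directly connected
# peer is contracted to carry. All names are placeholders.
PEER_REALMS = {
    "dea1.ipx-a.example": {"epc.operator-a.example", "epc.operator-b.example"},
    "dea2.ipx-b.example": {"epc.operator-c.example"},
}

def check_request(msg):
    """Return the reasons an inbound Diameter request's routing headers are inconsistent."""
    reasons = []
    host = msg["origin_host"].lower()
    realm = msg["origin_realm"].lower()
    peer = msg["ingress_peer"].lower()
    routes = [r.lower() for r in msg.get("route_record", [])]

    # 1. Origin-Host should be a name inside Origin-Realm (local policy assumption).
    if not host.endswith("." + realm):
        reasons.append("origin-host-outside-realm")
    # 2. The claimed realm must be one this ingress peer is allowed to carry.
    if realm not in PEER_REALMS.get(peer, set()):
        reasons.append("realm-not-allowed-on-peer")
    # 3. RFC 6733: every relay appends the identity of the peer it received the
    #    request from, so the first Route-Record should name the originator.
    if routes and routes[0] != host:
        reasons.append("route-record-origin-mismatch")
    return reasons

# Constructed sample messages (already parsed into dictionaries).
SAMPLE_OK = {
    "origin_host": "mme1.epc.operator-a.example",
    "origin_realm": "epc.operator-a.example",
    "ingress_peer": "dea1.ipx-a.example",
    "route_record": ["mme1.epc.operator-a.example"],
}
SAMPLE_MISMATCH = {
    "origin_host": "mme7.epc.operator-c.example",
    "origin_realm": "epc.operator-b.example",
    "ingress_peer": "dea1.ipx-a.example",
    "route_record": ["hss1.epc.operator-d.example"],
}
SAMPLE_WRONG_PEER = dict(SAMPLE_OK, ingress_peer="dea2.ipx-b.example")

if __name__ == "__main__":
    for m in (SAMPLE_OK, SAMPLE_MISMATCH, SAMPLE_WRONG_PEER):
        print(m["origin_host"], check_request(m))
```
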
STA2: SIM Card as Surveillance Tool
STA2 employed a different approach, combining network-level attacks with device-level exploitation through a malicious SMS that turned the target device into a covert tracking beacon:
- Phase 1: Basic SS7 probing to test network defenses
- Phase 2: Weaponizing SMS with a binary payload exploiting the S@T browser on the SIM card
- Phase 3: Cross-protocol camouflage using Diameter Authentication-Information-Request and location queries
The SMS contained specialized commands for the S@T browser, part of the SIM toolkit (STK), that would have silently collected device location and exfiltrated it back to attacker-controlled infrastructure without any user interaction or visible indication on the device.
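
Both phase lists above (STA1 and STA2) describe one subscriber being probed over SS7 and Diameter from several networks in turn, which per-protocol filtering can miss. The following added example, not taken from the report, correlates signaling-firewall events across both protocols; the event tuple layout, subscriber and network labels, time window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operations named in the article, grouped by signaling protocol.
TRACKING_OPS = {
    "SS7": {"sendRoutingInfoForSM", "anyTimeInterrogation"},
    "Diameter": {"Insert-Subscriber-Data-Request",
                 "Authentication-Information-Request"},
}
WINDOW = timedelta(hours=24)  # assumed correlation window
MIN_ORIGINS = 3               # assumed threshold of distinct origin networks

def correlate(events):
    """Flag subscribers queried over both SS7 and Diameter by at least
    MIN_ORIGINS distinct origin networks inside one WINDOW."""
    by_sub = defaultdict(list)
    for ts, proto, op, origin, sub in events:
        if op in TRACKING_OPS.get(proto, ()):
            by_sub[sub].append((datetime.fromisoformat(ts), proto, origin))
    findings = {}
    for sub, rows in by_sub.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            win = [r for r in rows[i:] if r[0] - start <= WINDOW]
            protos = {p for _, p, _ in win}
            origins = {o for _, _, o in win}
            if len(protos) == 2 and len(origins) >= MIN_ORIGINS:
                findings[sub] = {"protocols": sorted(protos),
                                 "origins": sorted(origins),
                                 "events": len(win)}
                break
    return findings

# Constructed events: (timestamp, protocol, operation, origin network, subscriber).
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:00", "SS7", "sendRoutingInfoForSM", "net-1", "SUB-A"),
    ("2024-01-10T08:05:00", "SS7", "anyTimeInterrogation", "net-2", "SUB-A"),
    ("2024-01-10T08:20:00", "Diameter", "Insert-Subscriber-Data-Request", "net-3", "SUB-A"),
    # Ordinary roaming attach for another subscriber: one network, no SS7 probe.
    ("2024-01-10T09:00:00", "SS7", "updateLocation", "net-4", "SUB-B"),
    ("2024-01-10T09:01:00", "Diameter", "Authentication-Information-Request", "net-4", "SUB-B"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```
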
Persistent Global Operations
Historical telemetry reveals both campaigns have been active for years:
- STA1 activity dating back to at least November 2022, with over 500 location tracking attempts
- STA2 activity since October 2022, with more than 15,700 location tracking attempts
- Repeated use of the same operator identifiers and routing patterns
Gateways to Surveillance
The investigation identifies three mobile networks that repeatedly appear as surveillance entry points:
- 019Mobile (Israel): Used as a proxy node for routing surveillance traffic
- Airtel Jersey/Sure (Channel Islands): Has a history of being linked to telecom surveillance abuses
- Tango Networks UK: Serves as an entry point for 4G location tracking queries
These networks illustrate how access to legitimate operator infrastructure enables international surveillance operations.
Systemic Vulnerabilities
The root of the security problem lies in the foundational signaling protocols themselves. Designed for a trusted community of mobile operators, SS7 protocols lack basic security mechanisms like authentication, validation, integrity checks, and encryption. While the Diameter protocol used in 4G/5G networks has stronger security controls, operators have largely failed to implement them.
"These vulnerabilities are not the result of software bugs or network misconfigurations; rather, they are inherent to global telecommunications design and business practices," the report explains.
Implications for Global Security
The findings expose governance failures across the entire interconnect ecosystem used for critical mobile communications. The global telecom ecosystem can no longer rely on legacy trust models without authentication, enforceable interconnect controls, transparency in commercial network access, and regulatory accountability.
"Mobile networks will continue to serve as a global platform for covert espionage," the report warns, highlighting how the exploitation of telecommunications infrastructure extends beyond individual victims to affect mobile users worldwide.
The Citizen Lab investigation, conducted in collaboration with industry partners including Cellusys, Telenor Linx, Roaming Audit, and P1 Security, demonstrates the urgent need for reforms in how global telecommunications networks are secured and governed in an era of sophisticated state and commercial surveillance.
For the full technical details and methodology, refer to the Citizen Lab report.