Swantje Lange spoke with the Hasso Plattner Institut about sophisticated surveillance campaigns being used to exploit mobile networks. The post Researchers Uncover Espionage in Mobile Networks appeared first on The Citizen Lab.
# Incident Report: Covert Espionage and Mobile Network Exploitation
## Executive Summary
Sophisticated surveillance actors are exploiting fundamental vulnerabilities in global mobile network protocols (such as SS7 and Diameter) to conduct covert espionage. These campaigns leverage the inherent opacity and complexity of telecommunications infrastructure to track locations and intercept communications. The impact is a systemic erosion of privacy for high-risk individuals, managed by private surveillance contractors often aligned with state interests.
## Incident Details
- **Discovery Date:** May 2026 (Public reporting)
- **Incident Date:** Ongoing / April–May 2026
- **Affected Organization:** Global Telecommunications Providers / International Journalists / Civil Society
- **Sector:** Telecommunications
- **Geography:** Global (with specific mentions of actors aligned with the People’s Republic of China)
## Timeline of Events
### Initial Access
- **Date/Time:** Persistent/Ongoing
- **Vector:** Exploitation of signaling protocol vulnerabilities.
- **Details:** Attackers gain access to the "Signaling System No. 7" (SS7) or Diameter networks—the backbone of mobile roaming and routing—to send malicious signaling commands.
### Lateral Movement
- **Movement:** Attackers transit from specialized private surveillance contractor networks into the global inter-operator signaling core. This allows them to hop between international carriers to reach targets globally.
### Data Exfiltration/Impact
- **Impact:** Real-time geolocation tracking of mobile devices and potential interception of SMS/voice calls. In related campaigns, actors used impersonation and stolen narratives to target journalists and civil society.
### Detection & Response
- **Detection:** Identified through collaborative research between The Citizen Lab, Hasso Plattner Institut (HPI), and the International Consortium of Investigative Journalists (ICIJ).
- **Response:** Public disclosure of methodologies; advocacy for telecommunications governance reform; identification of state-sponsored private contractors.
## Attack Methodology
- **Initial Access:** Exploitation of trust relationships between mobile operators.
- **Persistence:** Access is maintained via lease agreements with minor carriers or via unauthorized gateways to the signaling core.
- **Privilege Escalation:** Not applicable in a traditional sense; attackers leverage high-level administrative signaling privileges inherent in the protocol.
- **Defense Evasion:** Use of "opaque" network routes and complex signaling sequences that bypass unsophisticated firewalls.
- **Credential Access:** Not explicitly detailed, but often involves the acquisition of Global Titles (GT) or other network identifiers.
- **Discovery:** Passive and active reconnaissance of mobile network routing tables.
- **Lateral Movement:** Inter-operator signaling (roaming interconnects).
- **Collection:** Gathering of Location Services (LCS) data and subscriber metadata (IMSI/TMSI).
- **Exfiltration:** Data is funneled back through the signaling gateway to the surveillance actor’s C2/analysis platform.
- **Impact:** Loss of privacy, physical risk to tracked individuals, and digital transnational repression.
## Impact Assessment
- **Financial:** Not disclosed; typically involves the high cost of surveillance "as a service" paid by state actors to contractors.
- **Data Breach:** High-volume metadata and precise geographic coordinates.
- **Operational:** Minimal disruption to network traffic; the attacks are designed to be "silent" and non-disruptive.
- **Reputational:** Significant damage to public trust in mobile network security and telecommunications governance.
## Indicators of Compromise
- **Network Indicators:** Unusual signaling traffic (e.g., Provide Subscriber Info [PSI] messages) originating from unexpected Global Titles (GTs) or non-roaming partners.
- **File Indicators:** N/A (Attack is protocol-based rather than malware-based).
- **Behavioral Indicators:** Frequent, unsolicited location queries for specific high-profile subscribers.
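The two detectable indicators above (location-disclosing queries from Global Titles that are not roaming partners, and repeated unsolicited location queries against one subscriber) can be turned into a small allowlist-plus-rate-window check. The following is an added example written for this report, not code from The Citizen Lab, HPI or any operator; the log line format, the roaming-partner GT allowlist, the IMSI and GT values, and the choice of MAP operations treated as "location queries" are all constructed assumptions. The `should_block` rule also illustrates the signaling-firewall containment step described under Response Actions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# MAP operation names that disclose a subscriber's location or routing data.
# The names are standard 3GPP MAP operations; treating exactly this set as
# "location queries" is this example's assumption.
LOCATION_OPS = {
    "provideSubscriberInfo",      # PSI: cell identity / location of a subscriber
    "anyTimeInterrogation",       # ATI: location and state from the HLR
    "sendRoutingInfoForSM",       # SRI-SM: serving node (MSC/VLR) for SMS delivery
    "provideSubscriberLocation",  # PSL: LCS positioning request
}

# Constructed allowlist of Global Titles owned by contracted roaming partners.
ROAMING_PARTNER_GTS = {"441234567890", "491511234567"}


@dataclass
class SignalingEvent:
    ts: datetime
    calling_gt: str  # originating Global Title (who is asking)
    op: str          # MAP operation name
    imsi: str        # subscriber being queried


def parse_line(line: str) -> SignalingEvent:
    """Parse one constructed log line: '<ISO ts> gt=<GT> op=<op> imsi=<IMSI>'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return SignalingEvent(datetime.fromisoformat(ts_str),
                          fields["gt"], fields["op"], fields["imsi"])


def should_block(ev: SignalingEvent) -> bool:
    """Containment rule: drop location-disclosing queries from non-partner GTs."""
    return ev.op in LOCATION_OPS and ev.calling_gt not in ROAMING_PARTNER_GTS


def detect(lines, window=timedelta(minutes=10), threshold=3):
    """Return alerts as tuples:
    ('unexpected_gt', gt, imsi) for every location query from an unknown GT, and
    ('repeated_location_queries', imsi, count) the first time a subscriber has
    been queried `threshold` times within `window` (reported once per subscriber)."""
    alerts = []
    history = defaultdict(list)  # imsi -> timestamps of recent location queries
    flagged = set()              # subscribers already reported for repeated queries
    for line in lines:
        ev = parse_line(line)
        if ev.op not in LOCATION_OPS:
            continue  # updateLocation and similar are ordinary roaming traffic
        if ev.calling_gt not in ROAMING_PARTNER_GTS:
            alerts.append(("unexpected_gt", ev.calling_gt, ev.imsi))
        # Sliding window: keep only queries within `window` of the current one.
        recent = [t for t in history[ev.imsi] if ev.ts - t <= window]
        recent.append(ev.ts)
        history[ev.imsi] = recent
        if len(recent) >= threshold and ev.imsi not in flagged:
            flagged.add(ev.imsi)
            alerts.append(("repeated_location_queries", ev.imsi, len(recent)))
    return alerts


# Constructed sample log: one partner updateLocation, three location queries
# from an unknown GT against the same subscriber, one legitimate SRI-SM.
SAMPLE_LOG = [
    "2026-04-03T10:00:00 gt=441234567890 op=updateLocation imsi=262011234567890",
    "2026-04-03T10:01:00 gt=999900000001 op=provideSubscriberInfo imsi=262011234567890",
    "2026-04-03T10:03:00 gt=999900000001 op=anyTimeInterrogation imsi=262011234567890",
    "2026-04-03T10:05:00 gt=441234567890 op=sendRoutingInfoForSM imsi=262019876543210",
    "2026-04-03T10:06:00 gt=999900000001 op=provideSubscriberInfo imsi=262011234567890",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The allowlist check alone is the signaling-firewall baseline; the rate window catches the behavioural indicator even when a query arrives from a GT that is nominally trusted (for example a leased interconnect at a minor carrier), which is why both checks run independently rather than one short-circuiting the other.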
## Response Actions
- **Containment:** Implementation of Signaling Firewalls to filter unauthorized SS7/Diameter queries.
- **Eradication:** Revocation of network access for compromised or malicious "lease-to-exploit" carriers.
- **Recovery:** Ongoing policy updates and hardening of mobile core architecture.
## Lessons Learned
- **Key Takeaways:** Mobile networks are inherently "opaque," making them ideal for state-sponsored espionage.
- **Weaknesses:** The transition of surveillance from state-run agencies to private contractors (surveillance-for-hire) complicates attribution and regulation.
## Recommendations
- **Network Hardening:** Deploy next-generation signaling firewalls and implement strict "Home Routing" for all subscriber queries.
- **Governance:** Improve international oversight of how organizations gain access to the global signaling core.
- **User Protection:** High-risk individuals should utilize encrypted messaging apps (e.g., Signal) that bypass the cellular signaling layer for communications.