Surveillance Campaigns Exploit Telecom Vulnerabilities Using Commercial Tools
Two previously unknown surveillance campaigns have been tracked exploiting vulnerabilities in mobile phone networks, according to researchers at the University of Toronto’s Citizen Lab. The campaigns used commercial surveillance tools to mimic mobile operators, manipulate signaling protocols, and redirect traffic through network pathways to conceal their activities. This is the first documented case linking "real-world attack traffic to mobile operator signalling infrastructure," the report states.
"Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate."
Citizen Lab report, published Thursday
Gary Miller and Swantje Lange of Citizen Lab emphasized the ongoing nature of this threat: "Despite repeated public reporting, this activity continues unabated and without consequence." They warned that the continued reliance on mobile networks, built on a trust model among operators, raises critical questions for regulators, policymakers, and the telecom industry regarding accountability, oversight, and global security.
Attackers Targeted Networks Across 17 Countries
The attackers exploited identifiers and infrastructure associated with mobile operators worldwide, including networks in:
- Cambodia
- China
- Jersey (self-governing Crown Dependency)
- Israel
- Italy
- Lesotho
- Liechtenstein
- Morocco
- Mozambique
- Namibia
- Poland
- Rwanda
- Sweden
- Switzerland
- Thailand
- Uganda
- United Kingdom
The campaigns shifted between SS7 and Diameter, the signaling protocols used to route calls, messages, and roaming data in 2G/3G networks and in 4G and non-standalone 5G networks, respectively. Diameter was intended to be more secure than SS7, yet both protocols rely on the same implicit trust between interconnected operators, and the Federal Communications Commission (FCC) launched a probe in 2024 into vulnerabilities in both. Senator Ron Wyden, D-Ore., has also requested a report from the Cybersecurity and Infrastructure Security Agency (CISA) on telecommunications vulnerabilities tied to these protocols.
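The detection problem the report describes is that a location query or a forged location update from a "ghost operator" looks like any other roaming message unless the receiving network checks who sent it and what it asks for. The following is an added example, not code from Citizen Lab or the report: a minimal screening pass over constructed signaling records that flags location-revealing SS7 MAP and Diameter operations arriving from origins outside a roaming-partner allowlist, and escalates when one subscriber is hit repeatedly. The log format, the partner list, the hostnames, and the choice of operations to watch are all assumptions for illustration.

```python
"""Screen SS7/Diameter signaling records for location operations from unknown origins.

Added example (not from the Citizen Lab report). The line format, the
roaming-partner allowlist and the sample records are constructed.
"""
import re
from collections import defaultdict

# Operations that reveal or alter a subscriber's location. The MAP and
# Diameter names are real, but which ones to watch is an analyst's choice
# and this list is an assumption, not a complete catalogue.
LOCATION_OPS = {
    "ss7": {"provideSubscriberInfo", "anyTimeInterrogation", "sendRoutingInfoForSM"},
    "diameter": {"ULR", "IDR"},  # Update-Location-Request, Insert-Subscriber-Data-Request
}

# Constructed roaming-partner allowlist: SS7 global-title (E.164) prefixes and
# Diameter realm suffixes that our partners legitimately signal from.
PARTNER_GT_PREFIXES = ("4412", "4176")
PARTNER_REALMS = ("epc.mnc001.mcc228.3gppnetwork.org",)

# Assumed record layout: "<timestamp> <proto> origin=<gt-or-host> op=<name> imsi=<digits>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>ss7|diameter) origin=(?P<origin>\S+) op=(?P<op>\S+) imsi=(?P<imsi>\d+)$"
)


def parse_line(line):
    """Return the record fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def origin_is_partner(proto, origin):
    """SS7 origins are matched by calling global title prefix, Diameter by realm suffix."""
    if proto == "ss7":
        return origin.startswith(PARTNER_GT_PREFIXES)
    return origin.endswith(PARTNER_REALMS)


def screen(lines, repeat_threshold=2):
    """Yield alerts for location operations from non-partner origins.

    Emits ("unknown-origin", imsi, detail) per offending record and one
    ("repeated-tracking", imsi, count) when a subscriber reaches the threshold.
    """
    alerts = []
    unknown_hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real pipeline would count these
        if rec["op"] not in LOCATION_OPS[rec["proto"]]:
            continue  # not a location-revealing operation
        if origin_is_partner(rec["proto"], rec["origin"]):
            continue  # known partner; passes this (coarse) check
        unknown_hits[rec["imsi"]] += 1
        alerts.append(("unknown-origin", rec["imsi"], f'{rec["proto"]} {rec["op"]} from {rec["origin"]}'))
        if unknown_hits[rec["imsi"]] == repeat_threshold:
            alerts.append(("repeated-tracking", rec["imsi"], repeat_threshold))
    return alerts


# Constructed sample records: one partner roaming update, two SS7 location
# queries and one Diameter IDR from origins not on the partner list, plus junk.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ss7 origin=441234567890 op=updateLocation imsi=234100000000001
2024-05-01T10:00:05Z ss7 origin=352601234567 op=provideSubscriberInfo imsi=234100000000001
2024-05-01T10:00:09Z diameter origin=mme1.epc.mnc001.mcc228.3gppnetwork.org op=ULR imsi=234100000000002
2024-05-01T10:00:12Z diameter origin=hss.example-ghost.net op=IDR imsi=234100000000001
2024-05-01T10:00:20Z ss7 origin=352601234567 op=anyTimeInterrogation imsi=234100000000001
not a signaling record
"""

if __name__ == "__main__":
    for alert in screen(SAMPLE_LOG.splitlines()):
        print(alert)
```

The caveat a practitioner will spot immediately is the one the report makes: an allowlist only catches origins that are not partners. A ghost operator that leases or spoofs a legitimate partner's global title or Diameter realm passes this check, which is why the observed operator addresses in the report cannot on their own establish who was behind the traffic, and why operator-side filtering has to combine origin checks with per-operation and per-subscriber rate logic rather than rely on trust in the sender's claimed identity.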
Identifying Attackers Remains a Challenge
Researchers were unable to determine the vendors used in the campaigns or the identities of those behind them. Ron Deibert, director of Citizen Lab, explained the difficulty in attributing such attacks: "The reality is that there are a number of known surveillance vendors and bad actors in this space, but given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are."
"Much of the malicious things they are doing blend into the otherwise voluminous flow of billions of normal messages and roaming signals. They are ‘ghost operators’ within the global telecom ecosystem."
Ron Deibert, Director of Citizen Lab
Telecom Operators Respond to Findings
Several operators whose signaling addresses appear in the report have responded to the findings:
- 019 Mobile (Israel): Stated it did not recognize the hostnames referenced in the report as belonging to its network nodes and could not attribute the signaling activity to its infrastructure.
- Sure (UK-based operator): Confirmed it does not knowingly lease signaling access to organizations that use it to track individuals and has implemented measures to prevent such misuse.
- Tango Networks UK: Did not respond to requests for comment.
The report acknowledged the complexity of the issue, stating: "It is important to note that the operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement."