Skip to main content
Emerging Threats

Surveillance campaigns exploit telecom vulnerabilities with commercial tools

Dimly lit telecom hub at night with blurred architecture and infrastructure.

“Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate,” Citizen Lab researchers Gary Miller and Swantje Lange wrote in a report published Thursday.

What Citizen Lab documented

Researchers at the University of Toronto’s Citizen Lab said they linked, for the first time, “real-world attack traffic to mobile operator signalling infrastructure.” Two unknown parties ran campaigns that tracked targets by mimicking the identities of mobile phone operators, using customized surveillance tools that manipulated signalling protocols and steered traffic through network pathways to hide. The attackers shifted between SS7 and Diameter — the signalling protocols associated with 3G and 4G/most 5G — while relying on identifiers and infrastructure tied to operators across multiple countries, including Cambodia, China, the self-governing Island of Jersey, Israel, Italy, Lesotho, Liechtenstein, Morocco, Mozambique, Namibia, Poland, Rwanda, Sweden, Switzerland, Thailand, Uganda and the United Kingdom.

SS7 and Diameter: signalling protocols at the center

Citizen Lab described a practical exploitation of both SS7 and Diameter. While Diameter was designed to address weaknesses in SS7, the report notes both protocols were used in the campaigns. The Federal Communications Commission opened a probe in 2024 into vulnerabilities rooted in both SS7 and Diameter, and Sen. Ron Wyden, D-Ore., has asked the Cybersecurity and Infrastructure Security Agency for a report about telecommunications vulnerabilities related to the two protocols.

Operators named in the report and their responses

The report associated attack activity with operator identifiers and infrastructure linked to several named providers. Israel-based 019 Mobile told Citizen Lab it did not recognize the hostnames referenced in the report as nodes on its network and said it could not attribute the signaling activity to 019 Mobile-operated infrastructure. Sure told TechCrunch that it “doesn’t knowingly lease access to signalling to organizations using it to track individuals,” and that it has taken preventative measures to defend against misuse. Citizen Lab said Sure, 019 Mobile and a third operator, Tango Networks UK, did not respond to requests for comment from CyberScoop.

Why attribution remained out of reach

The researchers were clear that identifying the surveillance vendors or the campaign operators proved beyond their reach. Ron Deibert, director of Citizen Lab, wrote that the opaque nature of telecommunications signalling protocols allows vendors and bad actors to blend malicious traffic into the vast volume of legitimate roaming signals. “They are ‘ghost operators’ within the global telecom ecosystem,” he wrote. The report also cautioned that observed operator signalling addresses do not necessarily imply direct operator involvement: access to signalling can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that let actors send messages using legitimate operator identifiers.

What this means for technologists, policymakers, and end users

  • Technologists and security teams: Watch signalling interfaces and inter-operator routing. Citizen Lab’s linkage of attack traffic to operator signalling infrastructure underscores risks where third-party access, leased signalling, or intermediary services exist; defenders will need to consider those pathways when detecting and containing abuse.
  • Policymakers and regulators: Expect pressure to address oversight and accountability. Citizen Lab framed the problem as a systemic one that “raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security,” and the FCC’s 2024 probe plus Sen. Ron Wyden’s request to CISA indicate the issue has attracted formal scrutiny.
  • End users and the public: The report points to a vulnerability baked into an inter-operator trust model used for international connectivity. Citizen Lab warned that despite repeated public reporting, the activity continues “unabated and without consequence,” leaving users reliant on operator assurances and technical controls they may not see or be able to validate.

Citizen Lab’s work ties observable, covert tracking campaigns to the very signalling fabric carriers use to make mobile networks interoperate internationally. The researchers could not trace the activity to named surveillance vendors or definitive operators, but their findings underline a tension: infrastructure designed to enable seamless roaming and connectivity can also be repurposed, via intermediaries or leasing arrangements, to carry covert surveillance without easy detection or attribution. As regulators probe SS7 and Diameter and lawmakers press agencies for assessments, the unanswered practical question is whether the inter-operator trust model can be hardened in ways that prevent “ghost operators” from exploiting it — or whether the pathways that made global mobile service possible will keep offering cover for covert tracking.

https://cyberscoop.com/surveillance-campaigns-use-commercial-surveillance-tools-to-exploit-long-known-telecom-vulnerabilities/