Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors

In recent years, several investigations have exposed vulnerabilities in the mobile telecommunications ecosystem and shown how government security agencies have exploited them to track targets abroad while roaming. In late 2024, Citizen Lab launched an investigation into coordinated location-tracking activity after a series of unusual events was identified in mobile signalling firewall logs, supplemented by further intelligence provided by Cellusys. What initially appeared to be an isolated incident targeting a single mobile subscriber led to a broader investigation that uncovered campaigns by two distinct Covert Surveillance Vendors (CSVs) conducting long-term espionage operations by exploiting the global telecommunications ecosystem. Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate.

The first campaign, observed in November 2024, involved a multi-stage effort to track a high-profile mobile subscriber across multiple 3G and 4G networks. Information provided by the targeted user's network operator indicated that the mobile number belonged to a well-known company executive, further described as a "VVIP", which marked the user as a high-value surveillance target. In early 2025, an additional coordinated-tracking event was identified, this time involving a specially formatted SMS message. While technically distinct, both campaigns demonstrated advanced, highly structured, and repeated methods consistent with purpose-built surveillance platforms. The analysis identified 4G infrastructure associated with operator networks based in Israel, the United Kingdom, and the Channel Islands; notably, prior public reporting has linked these same countries to CSVs targeting mobile users. The operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement: access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using the identifiers of legitimate networks. While we do not attribute the attacks in this report to a specific government or organization, several indicators point towards the likely involvement of a commercial surveillance platform supporting state-sponsored intelligence activities.

The system that connects mobile operators around the world for international roaming uses a blend of signalling protocols: SS7 for 2G and 3G networks, and Diameter for 4G and for most 5G networks, since non-standalone 5G reuses the 4G core. Together, this blended ecosystem of vulnerable protocols creates additional opportunities for surveillance actors. These vulnerabilities are not the result of software bugs or network misconfigurations; they are inherent to the design and business practices of global telecommunications. The root of the problem lies in the foundational signalling protocols themselves. SS7 lacks the basic security mechanisms found in modern IP-based protocols: authentication and validation to verify the source of a signalling message, integrity checks to ensure that its contents have not been altered, and encryption to protect those contents. Diameter was designed with stronger security controls than SS7, specifying transport protection (IPsec or TLS) between peers to address these inherent weaknesses. In practice, however, operators have largely failed to deploy these protections and continue to rely on the same peer-to-peer trust model that plagues SS7. As a result, security research has shown that 4G networks remain exposed to many of the same subscriber-targeted surveillance techniques known from 3G. The GSMA IR.21 roaming database describes each operator's network elements and addresses; an attacker with knowledge of this data can identify the nodes to target and craft signalling messages that appear legitimate within the global ecosystem. Actors who gain access to that ecosystem, whether through commercial arrangements with mobile operators, compromised telecom nodes, or control of entire telecom networks, can send signalling commands to networks around the world.
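The paragraph above explains why the signalling ecosystem cannot rely on the messages authenticating themselves: the only defence a home network has is to check each inbound message against what it already knows about the subscriber. The following is an added example, written for this page and not code from Citizen Lab, Cellusys, or the report it summarizes. It models three plausibility checks of the kind a signalling firewall applies to inbound SS7 MAP and Diameter traffic: an operation that is only meaningful inside the home network (MAP AnyTimeInterrogation) arriving from a foreign PLMN; an operation that reads or rewrites serving-node state (MAP ProvideSubscriberInfo, InsertSubscriberData, CancelLocation, Diameter Insert-Subscriber-Data-Request) arriving from anything other than the subscriber's home network; and a location update (MAP UpdateLocation, Diameter Update-Location-Request) claiming the subscriber attached in another country sooner than a plausible travel time after the last accepted update. The log records, the `MCC-MNC` normalisation of origin addresses, the 2-digit MNC, the `OUR_PLMN` value and the 30-minute threshold are all constructed assumptions.

```python
"""
Plausibility checks over constructed signalling-firewall records.

Added example (not part of the original report). Origin Global Titles or
Diameter realms are assumed to have been normalised to "MCC-MNC" strings.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

OUR_PLMN = "234-15"                       # assumed: the firewall's own network
HOME_ONLY = {"ATI"}                       # MAP AnyTimeInterrogation: gsmSCF -> HLR, never inter-PLMN
HPLMN_ONLY = {"PSI", "ISD", "CL", "IDR"}  # MAP PSI / InsertSubscriberData / CancelLocation, Diameter IDR
SERVING_CLAIM = {"UL", "ULR"}             # MAP UpdateLocation, Diameter Update-Location-Request
MIN_CROSS_COUNTRY_GAP = timedelta(minutes=30)  # constructed threshold; real deployments use distance tables


@dataclass(frozen=True)
class Event:
    ts: datetime
    op: str      # abbreviated MAP operation or Diameter command
    origin: str  # normalised origin PLMN, "MCC-MNC"
    imsi: str


def home_plmn(imsi: str) -> str:
    """Home network from the IMSI's leading MCC+MNC (2-digit MNC assumed; some countries use 3)."""
    return f"{imsi[:3]}-{imsi[3:5]}"


def mcc(plmn: str) -> str:
    """Country code part of a normalised PLMN string."""
    return plmn.split("-")[0]


def check_events(events):
    """Run the three checks in timestamp order.

    Returns (alerts, last_location): alerts is a list of (event, reason);
    last_location maps IMSI -> (plmn, ts) of the last *accepted* serving claim,
    so a rejected location update does not poison later velocity checks.
    """
    last_location = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op in HOME_ONLY and ev.origin != OUR_PLMN:
            alerts.append((ev, "intra-PLMN-only operation from a foreign network"))
        elif ev.op in HPLMN_ONLY and ev.origin != home_plmn(ev.imsi):
            alerts.append((ev, "subscriber-data operation not from the subscriber's home PLMN"))
        elif ev.op in SERVING_CLAIM:
            prev = last_location.get(ev.imsi)
            if prev and mcc(prev[0]) != mcc(ev.origin) and ev.ts - prev[1] < MIN_CROSS_COUNTRY_GAP:
                alerts.append((ev, f"implausible move {prev[0]} -> {ev.origin} in {ev.ts - prev[1]}"))
            else:
                last_location[ev.imsi] = (ev.origin, ev.ts)
    return alerts, last_location


# Constructed sample: one home subscriber and one inbound roamer whose home is 425-01.
T0 = datetime(2024, 11, 12, 9, 0)
HOME_IMSI = "234150123456789"
ROAMER_IMSI = "425019876543210"
SAMPLE_EVENTS = [
    Event(T0, "ULR", "234-15", HOME_IMSI),                           # attaches at home: accepted
    Event(T0 + timedelta(minutes=5), "PSI", "425-01", HOME_IMSI),    # foreign node asks for cell info: alert
    Event(T0 + timedelta(minutes=6), "ATI", "234-30", HOME_IMSI),    # ATI from another operator: alert
    Event(T0 + timedelta(minutes=10), "UL", "425-01", HOME_IMSI),    # "attached abroad" 10 min later: alert
    Event(T0 + timedelta(minutes=20), "IDR", "425-01", ROAMER_IMSI), # roamer's own home HSS: accepted
    Event(T0 + timedelta(minutes=25), "PSI", "234-30", ROAMER_IMSI), # third network probes roamer: alert
    Event(T0 + timedelta(hours=3), "ULR", "262-01", HOME_IMSI),      # 3 h later, other country: accepted
]


def run_sample():
    """Apply the checks to the constructed sample."""
    return check_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    alerts, last = run_sample()
    for ev, reason in alerts:
        print(f"{ev.ts:%H:%M} {ev.op:<4} from {ev.origin} imsi={ev.imsi}: {reason}")
    print("last accepted locations:", {k: v[0] for k, v in last.items()})
```

Two caveats a practitioner would add: SendRoutingInfoForSM is deliberately left out, because an SMSC in any network may legitimately send it, so it has to be handled by SMS home routing rather than by origin filtering; and none of these checks helps when the attacker leases access from, or has compromised, the network the subscriber really is attached to, which is exactly the gap the report describes.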

This post is licensed under CC BY 4.0 by the author.