Global telecom networks are being systematically exploited by covert surveillance actors who leverage unsecured SS7 and Diameter signalling protocols to track targets, intercept communications, and extract location data. A new investigation from the Citizen Lab, conducted in collaboration with Cellusys, Telenor Linx, Roaming Audit, and P1 Security, identifies two distinct campaigns by sophisticated actors using multi-vector techniques that combine 3G and 4G signalling with SMS-based device exploitation.
Overview
The vulnerabilities are not software bugs or misconfigurations—they are inherent to the design of global telecommunications. SS7 and Diameter protocols were built for a trusted community of operators, lacking authentication, integrity checks, and encryption. Despite Diameter's stronger security controls, operators have largely failed to implement TLS or IPsec protections, leaving 4G networks vulnerable to the same surveillance techniques as 3G. The result is a shadowy marketplace where state-backed and commercial surveillance vendors (CSVs) weaponize telecom infrastructure for espionage.
The Two Campaigns
The first campaign, observed in November 2024, targeted a high-profile company executive (described as a "VVIP") using a multi-stage effort across multiple 3G and 4G networks. The second, identified in early 2025, used a specially formatted SMS message containing hidden SIM card commands to extract location information, effectively turning the device into a covert tracking beacon. Both campaigns demonstrated advanced, highly structured methods consistent with purpose-built surveillance platforms.
How the Attacks Work
Attackers gain access to the global signalling ecosystem through commercial arrangements with mobile operators, compromised telecom nodes, or control of telecom networks. Because SS7 and Diameter do not authenticate the true source of commands, malicious traffic can appear to originate from legitimate operator network nodes. Key techniques include:
- Spoofing operator identities: Attackers manipulate signalling identifiers (Global Titles, Origin-Host fields) to masquerade as trusted operators.
- Protocol pivoting: By exploiting combined attach procedures that allow devices to register on both 3G and 4G networks simultaneously, attackers seamlessly switch between SS7 and Diameter to evade firewalls.
- Routing manipulation: Attackers steer messages through specific intercarrier providers, often using third-party entry points not listed in the operator's IR.21 roaming documents. The investigation found repeated mismatches between expected interconnect providers and those observed in attack traffic, indicating use of alternate providers.
- Centralized command-and-control: Near-sequential transaction identifiers (TIDs) and identical parameters across multiple networks reveal a centralized C2 platform generating the queries.
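Two of the indicators above (interconnect providers absent from the IR.21 data, and near-sequential TIDs spanning both the SS7 and the Diameter side of the same origin) can be checked mechanically on an operator's inbound signalling logs. The following is an added illustration, not code from the Citizen Lab investigation or its partners; the record layout, the IR.21-derived allow-list and the sample records are constructed assumptions.

```python
from collections import defaultdict

# Assumed allow-list derived from roaming partners' IR.21 documents: which
# intercarrier providers each partner is expected to reach us through.
# Constructed values, not real operator or carrier data.
EXPECTED_PROVIDERS = {
    "OPERATOR-A": {"carrier-1"},
    "OPERATOR-B": {"carrier-2", "carrier-3"},
}

# Constructed sample records, one per inbound subscriber/location query.
RECORDS = [
    {"net": "3G", "proto": "SS7", "origin": "OPERATOR-A", "provider": "carrier-1", "tid": 1001},
    {"net": "4G", "proto": "Diameter", "origin": "OPERATOR-A", "provider": "carrier-9", "tid": 1002},
    {"net": "3G", "proto": "SS7", "origin": "OPERATOR-A", "provider": "carrier-9", "tid": 1004},
    {"net": "4G", "proto": "Diameter", "origin": "OPERATOR-B", "provider": "carrier-2", "tid": 7},
    {"net": "3G", "proto": "SS7", "origin": "OPERATOR-B", "provider": "carrier-3", "tid": 9120},
]

def provider_mismatches(records, expected):
    """Records that arrived via a provider the IR.21 data does not list for that origin."""
    return [r for r in records if r["provider"] not in expected.get(r["origin"], set())]

def sequential_tid_clusters(records, max_gap=3, min_size=3):
    """Per origin, runs of near-sequential TIDs that cross protocols (SS7 and Diameter).
    One centralized platform driving both signalling paths tends to leave such runs;
    independent operator nodes on each side normally do not."""
    by_origin = defaultdict(list)
    for r in records:
        by_origin[r["origin"]].append(r)
    clusters = {}
    for origin, rs in by_origin.items():
        rs.sort(key=lambda r: r["tid"])
        runs, run = [], [rs[0]]
        for prev, cur in zip(rs, rs[1:]):
            if cur["tid"] - prev["tid"] <= max_gap:
                run.append(cur)
            else:
                runs.append(run)
                run = [cur]
        runs.append(run)
        for run in runs:
            if len(run) >= min_size and len({r["proto"] for r in run}) > 1:
                clusters.setdefault(origin, []).append([r["tid"] for r in run])
    return clusters

if __name__ == "__main__":
    for r in provider_mismatches(RECORDS, EXPECTED_PROVIDERS):
        print("unexpected provider:", r)
    print("cross-protocol TID runs:", sequential_tid_clusters(RECORDS))
```

On the constructed records this flags the two OPERATOR-A queries routed through the unlisted carrier-9 and the 1001/1002/1004 run that spans SS7 and Diameter; in practice the thresholds and the IR.21 allow-list would be tuned per roaming partner.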
Infrastructure and Attribution
The attacks leveraged identifiers and infrastructure associated with operators in 18 countries: UK, Israel, China,