
The Citizen Lab Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors

▲ 210 points 24 comments by miohtama 3w ago HN discussion ↗


Key Findings

Multi-Vector Surveillance: We identified actors using multiple techniques to track targets by combining 3G and 4G signalling network protocols with direct device exploitation via SMS.

SIM Card Exploitation: One campaign sent a malicious SMS containing hidden SIM card commands to extract location information, attempting to turn the device into a covert tracking beacon.

Sophisticated and Customized Tooling: Both actors used customized surveillance tooling to spoof operator identities, manipulate signalling protocols, and steer traffic through specific interconnect network paths to evade defenses and mask attribution.

Global Network Infrastructure: The attacks leveraged identifiers and infrastructure associated with operators worldwide, including networks based in the UK, Israel, China, Thailand, Sweden, Italy, Liechtenstein, Cambodia, Mozambique, Uganda, Rwanda, Poland, Switzerland, Morocco, Namibia, Lesotho, and the self-governing island of Jersey, demonstrating extensive global reach.

Persistent Campaign Activity: Telemetry shared by mobile signalling security provider Cellusys reveals that operator identifiers were reused over multiple years, forming consistent clusters that enabled long-running surveillance operations.

Weak Intercarrier Provider OPSEC: Weak screening of interconnect traffic allowed attackers to route surveillance messages through trusted operator pathways, gaining access to targeted networks.

Introduction

In recent years, several investigations have exposed vulnerabilities in the mobile telecommunications ecosystem and shown how government security agencies have exploited them to track targets abroad while roaming. These studies include several Citizen Lab reports, along with work from other researchers. Our work builds on those findings, prompting further research into the structural weaknesses that continue to enable targeted surveillance and let it evolve.

In late 2024, the Citizen Lab launched an investigation into coordinated location-tracking activity following the identification of a series of unusual events in mobile signalling firewall logs, together with further intelligence provided by Cellusys. What initially appeared to be an isolated incident targeting a single mobile subscriber led to a broader investigation that uncovered campaigns by two distinct commercial surveillance vendors (CSVs) conducting long-term espionage operations by exploiting the global telecommunications ecosystem.

The first campaign, observed in November 2024, involved a multi-stage effort to track a high-profile mobile subscriber across multiple 3G and 4G networks. Information provided by the targeted user's network operator indicated that the mobile number belonged to a well-known company executive, further described as a "VVIP." This context indicated that the user was a high-value surveillance target.

In early 2025, we identified an additional coordinated-tracking event, this time using a specially formatted SMS message.


While technically distinct, both campaigns demonstrated advanced, highly structured, and repeated methods consistent with purpose-built surveillance platforms.

Our collaboration with mobile industry partners enabled a broad investigation using metadata from signalling logs, packet captures, routing data, and other telecommunications sources to trace the methods and origins of advanced surveillance activity. This analysis identified 4G infrastructure associated with operator networks based in Israel, the United Kingdom, and the Channel Islands. Notably, prior public reporting has linked these same countries to CSVs targeting mobile users.

Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate. Despite repeated public reporting, this activity continues unabated and without consequence. The continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security.

Methods

This report is based on analysis conducted in collaboration with multiple industry firms, including the signalling firewall provider Cellusys, international signalling network provider Telenor Linx, telecom data intelligence provider Roaming Audit, and telecom network security firm P1 Security.

We validated our research by correlating signalling data with additional independent data sources, enabling analysis of how messages were submitted, routed, and delivered across the global interconnect ecosystem. These sources included:

- Mobile network configurations from operators' GSMA (GSM Association) industry filings
- Telecom Domain Name System (DNS) records
- Border Gateway Protocol (BGP) routing data and Autonomous System Number (ASN) registrations
- Publicly available records from national telecommunications regulators

We applied a multi-stage analytical process to attribute observed surveillance activity to distinct threat actors by identifying, clustering, and correlating suspicious indicators across campaigns.

Analytical Approach

1. Detection of Suspicious Signalling Activity. We identified commands in international signalling traffic that match known surveillance techniques across the 3G SS7 and 4G Diameter signalling protocols. While some of these commands have legitimate uses, their repeated and patterned use is commonly associated with surveillance activity.

2. Surveillance Campaign Pattern Identification. We analyzed traffic for repeated commands within short time intervals from individual operator signalling addresses, then identified coordinated activity across multiple operators matching that behaviour within the same timeframe. These temporal and behavioural patterns were used to identify distinct surveillance campaigns.

3. Target Validation. Cellusys validated that each campaign targeted specific subscriber identifiers (IMSIs, the International Mobile Subscriber Identity held on the SIM), confirming consistent targeting patterns across multiple operator identifiers and correlating the timing and sequence of location-tracking attempts.

4. Actor Fingerprinting and Clustering. We identified distinct surveillance actors through technical fingerprinting of signalling characteristics. We looked for sequential or patterned transaction identifiers, non-standard message formats, parameter configurations, reuse of operator identifiers, and consistent routing behaviour.

5. Infrastructure Mapping and Routing Analysis. We correlated operator identifiers with external data sources, including operator IR.21 filings, ASN and IP address allocations, BGP routing data, and DNS records, to map how attack traffic entered and traversed the signalling interconnect ecosystem.

6. Historical Correlation. Our final step was to correlate observed attack indicators with historical telemetry to measure the duration of campaign activity and the repeated use of the same operator infrastructure over multiple years.

Limitations and Attribution

It is important to note that the operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement. In some cases, access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using operator identifiers from legitimate networks.

This analysis examines how signalling infrastructure was leveraged in the attack campaigns, rather than the intent of the identified operators or network providers. While we do not directly attribute the attacks in this report to a specific government or organization, several indicators point towards the likely involvement of a commercial surveillance platform supporting state-sponsored intelligence activities.
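The analytical steps above can be exercised on signalling-firewall telemetry. The following is an added example, not code from the Citizen Lab report or from Cellusys: a toy implementation of steps 1 (filter for location-interrogation operations), 2 (repeated commands from one signalling address within a short interval, then coordinated bursts from several addresses against the same IMSI in the same timeframe) and 4 (a sequential-transaction-identifier fingerprint). The log column layout, the set of operations treated as location operations, the 10-minute and 1-hour windows, and the sample lines (built on the test MCC 001 and 882-prefixed global titles so no real network is implied) are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Columns:
# timestamp  protocol  origin (SS7 calling GT or Diameter Origin-Host)  operation  target IMSI  transaction id
SAMPLE_LOG = """\
2024-11-12T08:00:01Z SS7 88201000001 sendRoutingInfoForSM 001010000000001 1001
2024-11-12T08:01:30Z SS7 88201000001 provideSubscriberInfo 001010000000001 1002
2024-11-12T08:04:12Z SS7 88201000001 provideSubscriberInfo 001010000000001 1003
2024-11-12T08:20:05Z Diameter mme01.epc.mnc002.mcc001.3gppnetwork.org Update-Location-Request 001010000000001 77
2024-11-12T08:21:40Z Diameter mme01.epc.mnc002.mcc001.3gppnetwork.org Insert-Subscriber-Data-Request 001010000000001 91
2024-11-12T08:23:09Z Diameter mme01.epc.mnc002.mcc001.3gppnetwork.org Insert-Subscriber-Data-Request 001010000000001 412
2024-11-12T09:10:00Z SS7 88203000009 sendAuthenticationInfo 001010000000002 5580
2024-11-12T09:11:00Z SS7 88203000009 updateLocation 001010000000002 5581
"""

# Step 1 (assumed set): operations with legitimate uses whose repeated, patterned use
# against a single IMSI is associated with location tracking.
LOCATION_OPS = {
    "sendRoutingInfoForSM", "provideSubscriberInfo", "anyTimeInterrogation", "updateLocation",   # SS7 MAP
    "Update-Location-Request", "Insert-Subscriber-Data-Request", "Send-Routing-Info-for-SM-Request",  # Diameter
}


@dataclass(frozen=True)
class Record:
    ts: datetime
    proto: str
    origin: str
    op: str
    imsi: str
    tid: int


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, origin, op, imsi, tid = line.split()
        records.append(Record(datetime.fromisoformat(ts.replace("Z", "+00:00")), proto, origin, op, imsi, int(tid)))
    return records


def suspicious(records):
    """Step 1: keep only location-interrogation operations."""
    return [r for r in records if r.op in LOCATION_OPS]


def find_bursts(records, window=timedelta(minutes=10), min_msgs=3):
    """Step 2a: at least min_msgs commands from one origin against one IMSI inside `window`."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r.origin, r.imsi)].append(r)
    bursts = []
    for (origin, imsi), recs in by_pair.items():
        recs.sort(key=lambda r: r.ts)
        i = 0
        for j in range(len(recs)):
            while recs[j].ts - recs[i].ts > window:   # slide the window start forward
                i += 1
            if j - i + 1 >= min_msgs:
                end = recs[i].ts + window
                members = [r for r in recs[i:] if r.ts <= end]
                bursts.append({"origin": origin, "imsi": imsi, "proto": recs[j].proto,
                               "start": recs[i].ts, "count": len(members)})
                break   # first qualifying window is enough for campaign clustering
    return bursts


def cluster_campaigns(bursts, window=timedelta(hours=1)):
    """Step 2b: bursts from different origins against the same IMSI in the same timeframe."""
    by_imsi = defaultdict(list)
    for b in bursts:
        by_imsi[b["imsi"]].append(b)
    campaigns = []
    for imsi, bs in by_imsi.items():
        bs.sort(key=lambda b: b["start"])
        current = [bs[0]]
        for b in bs[1:]:
            if b["start"] - current[0]["start"] <= window:
                current.append(b)
            else:
                campaigns.append(current)
                current = [b]
        campaigns.append(current)
    return [{"imsi": c[0]["imsi"], "start": c[0]["start"],
             "origins": sorted({b["origin"] for b in c}),
             "protocols": sorted({b["proto"] for b in c})} for c in campaigns]


def sequential_tids(records):
    """Step 4 fingerprint: transaction ids that increment by one suggest a single tool behind an origin."""
    by_origin = defaultdict(list)
    for r in records:
        by_origin[r.origin].append(r.tid)
    return {origin: len(tids) >= 3 and all(b - a == 1 for a, b in zip(sorted(tids), sorted(tids)[1:]))
            for origin, tids in by_origin.items()}


def analyze(text=SAMPLE_LOG):
    recs = suspicious(parse_log(text))
    bursts = find_bursts(recs)
    return {"bursts": bursts, "campaigns": cluster_campaigns(bursts), "sequential_tids": sequential_tids(recs)}


if __name__ == "__main__":
    for c in analyze()["campaigns"]:
        print(f"campaign against {c['imsi']} from {c['origins']} over {c['protocols']}")
```

On the constructed sample this yields one campaign: an SS7 global title and a Diameter host each burst against the same IMSI within twenty minutes of one another, while the third origin, which sends a single routine attach sequence, produces no burst. Only the SS7 origin shows sequential transaction identifiers. Steps 3, 5 and 6 need data the log alone does not carry (subscriber confirmation, IR.21 filings, BGP and DNS records, multi-year history) and are not modelled here.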


Background: Continued Broken Trust in Mobile Communications

To understand how the attacks detailed in this report were possible, it is necessary to examine how mobile networks communicate with one another, and the operational landscape that enables them. The system connecting mobile operators around the world for international travel and mobile services uses a blend of protocols: SS7, associated with older 3G networks, and Diameter for 4G and most 5G networks. While SS7 has long been considered a legacy protocol, it still plays a critical role in international roaming, SMS, and emergency services. Together, this blended ecosystem of vulnerable signalling protocols creates additional opportunities for surveillance actors.

These vulnerabilities are not the result of software bugs or network misconfigurations; rather, they are inherent to global telecommunications design and business practices. The mobile ecosystem comprises over a thousand operators interconnected through roaming agreements and signalling protocols that prioritize efficiency, service availability, and revenue opportunity over security. As a result, a shadowy marketplace of state-backed and commercial espionage actors has emerged, developing and deploying software platforms that weaponize telecommunications networks for global surveillance.

Insecure by Design

The root of the security problem lies in the foundational signalling protocols themselves. Designed for a trusted community of mobile operators and legitimate third-party service providers, SS7 lacks the basic security mechanisms that are standard in modern IP networks: authentication and validation to verify the source of signalling messages, integrity checks to ensure that data has not been altered, and encryption to protect its contents.

The Diameter protocol, currently used in 4G and most 5G international roaming implementations, was designed with stronger security controls than SS7, introducing security components to address inherent signalling vulnerabilities. These include support for Transport Layer Security (TLS) and IPsec to protect signalling traffic, as well as authentication between operator networks.[1] In practice, however, operators have largely failed to implement these protections and instead continue to rely on the same peer-to-peer trust model that plagues SS7. In addition, key operational security measures, such as verifying that security configurations align with the roaming partner network information published in GSMA IR.21 documents, are seldom enforced. As a result, security research has shown that 4G networks remain vulnerable to many of the same user-targeted surveillance techniques associated with 3G.

What is IR.21?

IR.21 is a document specification shared among mobile operators through the GSMA (GSM Association).
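The interconnect screening that the Key Findings describe as weak, and the IR.21 cross-check that the paragraph above says is seldom enforced, come down to a few policy decisions per inbound message. The following is an added example, not code from the report or from any of the named industry partners: a toy interconnect screen that (a) resolves the claimed origin (SS7 calling global title or Diameter Origin-Host) to a roaming partner, (b) checks that the message actually arrived from an IP range that partner declared, (c) rejects Diameter peers that did not negotiate TLS or IPsec, and (d) applies a message-category rule so that intra-network operations are never accepted over the interconnect and home-network-only operations are accepted only for that partner's own subscribers. The partner table is a constructed stand-in for IR.21 data (real IR.21 files are far richer), the category table is a simplified subset of the GSMA FS.11 scheme assumed for illustration, and the addresses use documentation IP ranges and the test MCC 001.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, IR.21-like roaming partner records, keyed by Diameter realm (assumption:
# a two-digit MNC, a set of global-title prefixes and the IP ranges the partner declared).
ROAMING_PARTNERS = {
    "epc.mnc001.mcc001.3gppnetwork.org": {
        "mcc_mnc": "00101", "gt_prefixes": ("88201",),
        "ip_ranges": (ipaddress.ip_network("192.0.2.0/24"),),
    },
    "epc.mnc002.mcc001.3gppnetwork.org": {
        "mcc_mnc": "00102", "gt_prefixes": ("88202",),
        "ip_ranges": (ipaddress.ip_network("198.51.100.0/24"),),
    },
}

# Simplified subset of GSMA FS.11 message categories (assumed for illustration):
#   1 = intra-network only, should never cross the interconnect
#   2 = legitimate only from the target subscriber's home network
#   3 = may come from any partner, subject to plausibility checks not modelled here
CATEGORY = {
    "anyTimeInterrogation": 1, "sendIdentification": 1, "sendIMSI": 1,
    "provideSubscriberInfo": 2, "provideSubscriberLocation": 2, "cancelLocation": 2,
    "Insert-Subscriber-Data-Request": 2, "Cancel-Location-Request": 2,
    "updateLocation": 3, "sendRoutingInfoForSM": 3, "sendAuthenticationInfo": 3,
    "Update-Location-Request": 3, "Authentication-Information-Request": 3,
    "Send-Routing-Info-for-SM-Request": 3,
}


@dataclass(frozen=True)
class Inbound:
    proto: str          # "SS7" or "Diameter"
    origin: str         # SS7 calling-party global title, or Diameter Origin-Host
    src_ip: str         # address the message really arrived from (SIGTRAN / Diameter peer)
    op: str
    target_imsi: str
    tls: bool = False   # Diameter transport protected by TLS or IPsec


def lookup_partner(msg):
    """Map the claimed origin to a partner: realm suffix for Diameter, GT prefix for SS7."""
    for realm, p in ROAMING_PARTNERS.items():
        if msg.proto == "Diameter" and (msg.origin == realm or msg.origin.endswith("." + realm)):
            return realm, p
        if msg.proto == "SS7" and msg.origin.startswith(p["gt_prefixes"]):
            return realm, p
    return None, None


def screen(msg):
    """Return ("allow" | "drop", reason) for one inbound interconnect message."""
    realm, partner = lookup_partner(msg)
    if partner is None:
        return "drop", "origin is not a known roaming partner"
    if not any(ipaddress.ip_address(msg.src_ip) in net for net in partner["ip_ranges"]):
        # Claimed identity does not match the path it arrived on: spoofed or leased access.
        return "drop", f"source {msg.src_ip} is not in the IR.21 ranges declared for {realm}"
    if msg.proto == "Diameter" and not msg.tls:
        return "drop", "Diameter peer without TLS/IPsec"
    cat = CATEGORY.get(msg.op)
    if cat is None:
        return "drop", f"unclassified operation {msg.op}"
    if cat == 1:
        return "drop", f"{msg.op} is intra-network only (category 1)"
    if cat == 2 and not msg.target_imsi.startswith(partner["mcc_mnc"]):
        return "drop", f"{msg.op} for a subscriber not homed at {realm} (category 2)"
    return "allow", f"{msg.op} permitted from {realm} (category {cat})"


# Constructed sample messages (not captured traffic).
HOST_A = "mme01.epc.mnc001.mcc001.3gppnetwork.org"
SAMPLES = [
    Inbound("SS7", "882010000123", "192.0.2.10", "provideSubscriberInfo", "001010000000001"),      # own subscriber
    Inbound("SS7", "882010000123", "192.0.2.10", "provideSubscriberInfo", "001020000000001"),      # someone else's
    Inbound("SS7", "882010000123", "192.0.2.10", "anyTimeInterrogation", "001010000000001"),       # never over interconnect
    Inbound("Diameter", HOST_A, "203.0.113.5", "Insert-Subscriber-Data-Request", "001010000000001", tls=True),  # wrong path
    Inbound("Diameter", HOST_A, "192.0.2.20", "Update-Location-Request", "001020000000001"),       # no TLS
    Inbound("Diameter", HOST_A, "192.0.2.20", "Update-Location-Request", "001020000000001", tls=True),
]


def screen_all(msgs=SAMPLES):
    return [screen(m)[0] for m in msgs]


if __name__ == "__main__":
    for m in SAMPLES:
        print(m.proto, m.op, "->", *screen(m))
```

The fourth sample is the case the Limitations section warns about: a message carrying a legitimate operator's identity but entering over a path that operator never declared. This screen drops it, but traffic sent by a lessee through the partner's own declared IPX path would pass every check here, which is why the report treats an observed operator identifier as evidence about the path used, not about the operator's intent.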