Executive Summary
In 2025, surveillance-technology firm First Wap, based in Jakarta, was revealed to have quietly built and operated the 'Altamides' system, a covert platform leveraging SS7 telecom vulnerabilities for global phone tracking. Unlike conventional spyware, Altamides enabled real-time location tracking of mobile devices across regions—from the Vatican to Silicon Valley—without requiring user interaction, installation, or leaving traces on targeted phones. The technology exploited legacy telecom protocols to access cell tower information, bypassing most modern mobile security defenses. As a result, sensitive locations and communications were exposed to persistent surveillance risk, with broad geopolitical and privacy implications.
This incident underscores a worrying rise in the commercial proliferation of offensive surveillance tools exploiting underprotected telecom infrastructure. It highlights the urgent need for stronger regulatory action and zero trust defenses, as targeted espionage techniques move further away from traditional malware and towards systemic protocol abuse.
Why This Matters Now
The First Wap breach highlights how obsolete telecom protocols like SS7 remain vulnerable and are actively exploited by advanced surveillance operators. As more attackers and state-sponsored groups adopt protocol-level espionage, organizations and governments face unprecedented risks to privacy, national security, and trust, demanding immediate enhancements to network security and regulatory frameworks.
Attack Path Analysis
The attackers initiated the surveillance campaign by using SS7 protocol access to query telecom routing information and silently locate targeted mobile devices. With access to this sensitive signaling data, they could escalate by gathering further subscriber details and correlating identifiers across cloud or telecom boundaries. Where needed, they could traverse cloud-provider or hybrid infrastructure to widen the scope of observation (e.g., tracking associated services or internal communications). The malicious signaling queries themselves served as a covert command-and-control channel that traditional device-based security did not detect. Sensitive location and movement metadata was exfiltrated through unmonitored or insufficiently segmented channels. The result was persistent, covert tracking of high-value individuals with minimal risk of detection or remediation.
Kill Chain Progression
Initial Compromise
Description
Attackers used access to SS7 network signaling channels to silently query location data for targeted phone numbers, exploiting inherent telecom trust and lack of encryption.
Related CVEs
CVE-2015-6498 (CVSS 7.5): Alcatel-Lucent Home Device Manager before 4.1.10 and 4.2.x before 4.2.2 allows remote attackers to spoof and make calls as target devices.
Affected Products: Alcatel-Lucent Home Device Manager – < 4.1.10, 4.2.x < 4.2.2
Exploit Status: no public exploit
MITRE ATT&CK® Techniques
Adversary-in-the-Middle
Stage Capabilities: Install Digital Certificate
Network Traffic Capture or Redirection
Location Tracking
Personal Information Discovery
Exploit SS7 Vulnerabilities
Application Layer Protocol: Web Protocols
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Implement Incident Response Procedures
Control ID: 12.10
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 6
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Network Segmentation and Monitoring
Control ID: Network: Segmentation and Monitoring
NIS2 Directive – Technical and Organizational Measures
Control ID: Art. 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Critical SS7 infrastructure vulnerability enables covert phone tracking surveillance without detection, directly compromising telecom carriers' core routing and signaling systems.
Law Enforcement
Altamides surveillance technology provides real-time location tracking capabilities while bypassing traditional detection methods, creating operational security and oversight challenges.
Government Administration
SS7-based surveillance tools threaten government communications security, requiring enhanced encrypted traffic protocols and east-west traffic monitoring for official devices.
Computer/Network Security
Undetectable phone tracking via SS7 exploitation demands advanced anomaly detection, threat intelligence integration, and zero trust segmentation countermeasures development.
Sources
- First Wap: A Surveillance Computer You’ve Never Heard Of – https://www.schneier.com/blog/archives/2025/10/first-wap-a-surveillance-computer-youve-never-heard-of.html (verified)
- First Wap, a discreet cyber-surveillance firm tracking journalists, public figures and corporate executives – https://www.lemonde.fr/en/pixels/article/2025/10/14/first-wap-a-discreet-cyber-surveillance-firm-tracking-journalists-public-figures-and-corporate-executives_6746433_13.html (verified)
- Lighthouse Reports expose surveillance industry shortcomings – https://www.amnesty.org/en/latest/news/2025/10/surveillance/ (verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Cloud Network Security Framework controls—including zero trust segmentation, encryption of network traffic, visibility into east-west movement, and strict egress enforcement—would have constrained or detected malicious signaling activity and disrupted attacker lateral movement and data exfiltration via SS7 or hybrid infrastructure.
Control: Encrypted Traffic (HPE)
Mitigation: Prevented unauthorized, unencrypted data queries traversing the network.
Control: Zero Trust Segmentation
Mitigation: Limited attacker ability to traverse or access privileged telecom/cloud zones.
Control: East-West Traffic Security
Mitigation: Detected and blocked unauthorized workload-to-workload or service-to-service movements.
Control: Threat Detection & Anomaly Response
Mitigation: Identified abnormal or malicious signaling patterns indicative of unauthorized surveillance.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unauthorized outbound data transfers and alerted on suspicious egress.
Mitigation: Provided unified visibility into cross-cloud or hybrid signaling flows to rapidly detect impacts.
Impact at a Glance
Affected Business Functions
- Communications
- Data Security
- User Privacy
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive user data, including location information, call logs, and SMS messages, due to exploitation of SS7 vulnerabilities by surveillance tools like Altamides.
Recommended Actions
Key Takeaways & Next Steps
- Implement encrypted traffic controls (MACsec/IPsec/VPN) to prevent interception or misuse of sensitive signaling communications.
- Enforce zero trust segmentation and limit signaling data access only to verified workloads and namespaces.
- Apply strict east-west and egress policy enforcement to monitor, alert, and block unauthorized workload or service traffic.
- Leverage advanced threat and anomaly detection to identify suspicious signaling flows even within trusted telecom or hybrid networks.
- Maintain centralized, multicloud visibility for rapid detection of cross-domain, covert surveillance or exfiltration attempts.
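As an added illustration of the anomaly-detection control recommended above (example code, not part of the original report or of any vendor product), the Python below scans constructed MAP signaling records for the pattern the report describes: location-returning operations issued by a source global title that is not a known roaming partner, and repeated location queries against one subscriber from one source within a short window. The operation names are standard MAP operations; the global titles, subscriber numbers, allow-list and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of MAP signaling records (not real traffic):
# timestamp, source global title (GT), MAP operation, target subscriber (MSISDN)
SAMPLE_LOG = """\
2025-10-01T08:00:01Z,4179100001,updateLocation,447700900001
2025-10-01T08:00:05Z,6281000009,anyTimeInterrogation,447700900001
2025-10-01T08:05:09Z,6281000009,anyTimeInterrogation,447700900001
2025-10-01T08:10:14Z,6281000009,provideSubscriberInfo,447700900001
2025-10-01T08:15:22Z,6281000009,anyTimeInterrogation,447700900001
2025-10-01T08:20:30Z,4179100001,sendRoutingInfoForSM,447700900002
2025-10-01T08:21:00Z,3367000007,anyTimeInterrogation,447700900003
"""

# MAP operations whose responses reveal subscriber location or routing data
LOCATION_OPS = {"anyTimeInterrogation", "provideSubscriberInfo", "sendRoutingInfoForSM"}
# Constructed allow-list of roaming-partner GTs permitted to send such queries
TRUSTED_GTS = {"4179100001"}


def parse_log(text):
    """Parse CSV signaling records into (datetime, gt, op, msisdn) tuples."""
    records = []
    for line in text.splitlines():
        ts, gt, op, msisdn = line.split(",")
        records.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), gt, op, msisdn))
    return records


def detect_tracking(records, window_s=1800, threshold=3):
    """Return alerts for location queries from untrusted GTs and for
    `threshold` or more queries on one subscriber from one GT within window_s."""
    alerts = []
    per_pair = defaultdict(list)
    for ts, gt, op, msisdn in records:
        if op not in LOCATION_OPS:
            continue
        if gt not in TRUSTED_GTS:
            alerts.append(("untrusted_source", gt, msisdn, op))
        per_pair[(gt, msisdn)].append(ts)
    for (gt, msisdn), times in per_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("repeated_location_query", gt, msisdn, end - start + 1))
                break
    return alerts
```

A real deployment would feed this from the signaling firewall or STP logs and tune the allow-list and window to the operator's roaming agreements.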