Executive Summary
In April 2026, researchers from the University of Toronto's Citizen Lab uncovered two surveillance campaigns exploiting vulnerabilities in mobile network signaling protocols, SS7 and Diameter. The attackers, utilizing commercial surveillance tools, impersonated legitimate mobile operators to manipulate signaling protocols, enabling them to track individuals' locations covertly. This marks the first documented instance linking real-world attack traffic directly to mobile operator signaling infrastructure. The campaigns affected networks across multiple countries, including Cambodia, China, Israel, Italy, and the United Kingdom, highlighting the global nature of the threat.
The continued exploitation of these long-known vulnerabilities underscores systemic issues within global telecommunications infrastructure. Despite previous reports and regulatory attention, such activities persist, raising concerns about accountability and oversight in the telecom industry. This incident serves as a critical reminder for national regulators, policymakers, and telecom operators to prioritize the security of signaling protocols to prevent unauthorized surveillance and protect user privacy.
Why This Matters Now
The exploitation of SS7 and Diameter vulnerabilities by commercial surveillance vendors highlights an urgent need for telecom operators to implement robust security measures. As these protocols are integral to global mobile communications, their continued exploitation poses significant risks to user privacy and national security. Immediate action is required to address these systemic vulnerabilities and prevent further unauthorized surveillance activities.
Attack Path Analysis
Attackers exploited vulnerabilities in SS7 and Diameter protocols to gain unauthorized access to telecom signaling networks. They escalated privileges by impersonating legitimate network elements, allowing them to manipulate signaling messages. This enabled lateral movement across interconnected telecom networks, facilitating widespread surveillance. The attackers established command and control by embedding malicious commands within legitimate signaling traffic. They exfiltrated sensitive subscriber information, including location data and communication metadata. The impact included unauthorized surveillance, privacy breaches, and potential financial fraud.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited vulnerabilities in SS7 and Diameter protocols to gain unauthorized access to telecom signaling networks.
MITRE ATT&CK® Techniques
Impersonate SS7 Nodes
Exploit SS7 to Track Device Location
Exploit SS7 to Redirect Phone Calls/SMS
Application Layer Protocol: Web Protocols
Application Layer Protocol: DNS
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIS2 Directive – Security Requirements
Control ID: Article 21
ISO/IEC 27001 – Network Controls
Control ID: A.13.1.1
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Identity
Control ID: Pillar 1
PCI DSS 4.0 – Install and Maintain Network Security Controls
Control ID: Requirement 1
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Primary target of commercial surveillance exploiting SS7/Diameter protocol vulnerabilities in mobile network infrastructure, enabling covert traffic manipulation and surveillance operations.
Government Administration
Critical exposure through telecom surveillance campaigns affecting national security oversight, regulatory compliance, and requiring enhanced policy enforcement for telecommunications infrastructure protection.
Law Enforcement
Operational security compromised by commercial surveillance tools exploiting telecom vulnerabilities, potentially exposing sensitive investigations and requiring secure communication protocol upgrades.
Defense/Space
Strategic communications at risk from signaling protocol exploitation enabling unauthorized surveillance, requiring zero-trust segmentation and encrypted traffic controls for mission-critical operations.
Sources
- Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilitieshttps://cyberscoop.com/surveillance-campaigns-use-commercial-surveillance-tools-to-exploit-long-known-telecom-vulnerabilities/Verified
- EFF to FCC: SS7 is Vulnerable, and Telecoms Must Acknowledge Thathttps://www.eff.org/deeplinks/2024/07/eff-fcc-ss7-vulnerable-and-telecoms-must-acknowledgeVerified
- Newer Diameter Telephony Protocol Just As Vulnerable As SS7https://www.bleepingcomputer.com/news/security/newer-diameter-telephony-protocol-just-as-vulnerable-as-ss7/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attackers' ability to exploit signaling protocol vulnerabilities, thereby reducing their lateral movement and data exfiltration capabilities.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attackers' ability to exploit signaling protocol vulnerabilities would likely be constrained, limiting their initial unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attackers' ability to impersonate network elements would likely be constrained, reducing their capacity to escalate privileges.
Control: East-West Traffic Security
Mitigation: The attackers' lateral movement across networks would likely be constrained, reducing the scope of their surveillance activities.
Control: Multicloud Visibility & Control
Mitigation: The attackers' ability to establish command and control channels would likely be constrained, limiting their remote control over compromised systems.
Control: Egress Security & Policy Enforcement
Mitigation: The attackers' data exfiltration efforts would likely be constrained, reducing the volume of sensitive information leaked.
The overall impact of unauthorized surveillance and data breaches would likely be constrained, reducing the potential for privacy violations and financial fraud.
Impact at a Glance
Affected Business Functions
- Mobile Network Operations
- Subscriber Data Management
- Roaming Services
- Billing Systems
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of subscriber location data, call and SMS interception, and unauthorized access to subscriber information.
Recommended Actions
Key Takeaways & Next Steps
- • Implement SS7 and Diameter firewalls to monitor and filter signaling traffic.
- • Enforce strict authentication and authorization controls for network elements.
- • Conduct regular security audits and penetration testing of signaling infrastructure.
- • Deploy anomaly detection systems to identify unusual signaling patterns.
- • Educate staff on the risks associated with signaling protocol vulnerabilities and establish incident response procedures.
