A major investigation has revealed that sophisticated threat actors are exploiting fundamental vulnerabilities in global mobile networks to track users worldwide.
By abusing legacy 3G SS7 and 4G Diameter signaling protocols, hackers are successfully bypassing telecom firewalls to conduct silent, cross-border espionage.
The extensive Citizen Lab research uncovered two distinct surveillance threat actors, identified as STA1 and STA2, operating long-running espionage campaigns.
These groups exploit the inherently trusted nature of telecom interconnect networks to launch their attacks.
By functioning as “Ghost Operators,” they manipulate routing data to mask their origins while pinpointing the exact locations of high-value targets.
Hackers Abuse SS7 and Diameter Protocols
These global attacks are made possible by structural weaknesses in international mobile communications.
While the older SS7 protocol completely lacks basic authentication, the newer 4G Diameter protocol suffers from weak security implementation across the industry.
Attackers heavily abuse “combined attach” procedures, allowing roaming devices to register with 3G and 4G networks simultaneously, enabling seamless protocol pivoting.
The Citizen Lab investigation highlighted two unique approaches to covert mobile surveillance. STA1 focuses entirely on aggressive network routing manipulation by spoofing legitimate operator hostnames and abusing third-party access points.
Meanwhile, STA2 takes a more invasive approach by combining network protocol queries with a silent exploit targeting the device itself.
STA1 Network Spoofer
STA1 primarily conducts its tracking attacks using signaling routing manipulation as its main vector. To execute these operations, this threat actor rapidly switches between legacy SS7 and newer Diameter protocols to find vulnerabilities in telecom firewalls.
Furthermore, STA1 evades detection by spoofing network data, allowing its malicious requests to blend in as legitimate operator traffic.
STA2 SIM Exploiter
In contrast, STA2 relies heavily on a zero-click binary SMS payload as its primary attack vector. This actor’s strategy combines SS7 network probing and malicious SIM Toolkit commands to extract location data directly from the target’s device.
To ensure the victim remains unaware, STA2’s evasion tactic exploits silent, low-priority push messages that do not trigger phone alerts.
The ongoing surveillance crisis highlighted by Citizen Lab reveals a major blind spot in the global telecommunications industry.
Mobile operators currently rely on third-party interconnect routing hubs with dangerously weak traffic screening.
Until the industry abandons legacy peer-to-peer trust models and enforces strict cryptographic authentication, mobile users worldwide will remain vulnerable to unseen tracking.
