Our investigation uncovers two sophisticated telecom surveillance campaigns and, for the first time, links real-world attack traffic to mobile operator signalling infrastructure. The findings expose how suspected commercial surveillance vendors (CSVs) exploit the global telecom interconnect ecosystem, leverage private operator networks, and conduct covert location tracking operations that can persist undetected for years.
Key Findings
- Multi-Vector Surveillance: We identified actors using multiple techniques to track targets by combining 3G and 4G signalling network protocols with direct device exploitation via SMS.
- SIM Card Exploitation: One campaign sent a malicious SMS containing hidden SIM card commands to extract location information, attempting to turn the device into a covert tracking beacon.
- Sophisticated and Customized Tooling: Both actors used customized surveillance tooling to spoof operator identities, manipulate signalling protocols, and steer traffic through specific interconnect network paths to evade defenses and mask attribution.
- Global Network Infrastructure: The attacks leveraged identifiers and infrastructure associated with operators worldwide, including networks based in the UK, Israel, China, Thailand, Sweden, Italy, Liechtenstein, Cambodia, Mozambique, Uganda, Rwanda, Poland, Switzerland, Morocco, Namibia, Lesotho, and the self-governing Island of Jersey, demonstrating extensive global reach.
- Persistent Campaign Activity: Telemetry shared by mobile signalling security provider Cellusys reveals that operator identifiers were reused over multiple years, forming consistent clusters that enabled long-running surveillance operations.
- Weak Intercarrier Provider OPSEC: Weak screening of interconnect traffic allowed attackers to route surveillance messages through trusted operator pathways, enabling access to targeted networks.
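The findings above describe two patterns a signalling firewall operator can look for in its own logs: the same source operator identifier reused across years and across both 3G and 4G protocol families (the persistent, multi-vector clusters), and a single identifier arriving over several different interconnect paths (consistent with traffic being steered to mask origin). The Python below is an added example written for this page; it is not Citizen Lab or Cellusys code and does not reflect their actual log format. The log lines are constructed, the field names (src, proto, msg, via, target) are hypothetical, and the thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of signalling-firewall log records (not real telemetry).
# Hypothetical fields: src = source operator identifier as presented by the
# sender, proto = protocol family (3G or 4G), msg = message category,
# via = interconnect path the message arrived over, target = subscriber placeholder.
SAMPLE_LOG = """\
2021-03-04T10:12:00Z src=OP-A proto=3G msg=location_query via=IPX-1 target=SUB-1
2021-03-04T10:12:30Z src=OP-A proto=3G msg=location_query via=IPX-1 target=SUB-1
2022-07-19T08:01:00Z src=OP-A proto=4G msg=location_query via=IPX-2 target=SUB-2
2023-11-02T14:45:00Z src=OP-A proto=3G msg=location_query via=IPX-3 target=SUB-1
2023-11-02T14:46:00Z src=OP-B proto=3G msg=routing_update via=IPX-1 target=SUB-3
2024-01-15T09:00:00Z src=OP-C proto=4G msg=location_query via=IPX-1 target=SUB-1
"""


def parse_log(log_text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[1:])
        fields["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        records.append(fields)
    return records


def cluster_by_source(records, min_years=2, min_paths=2):
    """Group location-query traffic by source identifier and flag identifiers that
    (a) recur across at least min_years calendar years,
    (b) are used over more than one protocol family (3G and 4G), or
    (c) arrive over at least min_paths distinct interconnect paths.
    Returns {src: summary} for flagged identifiers only."""
    by_src = defaultdict(lambda: {"years": set(), "protos": set(),
                                  "paths": set(), "targets": set(), "count": 0})
    for r in records:
        if r.get("msg") != "location_query":
            continue  # only location-related traffic feeds the clustering
        entry = by_src[r["src"]]
        entry["years"].add(r["ts"].year)
        entry["protos"].add(r["proto"])
        entry["paths"].add(r["via"])
        entry["targets"].add(r["target"])
        entry["count"] += 1

    flagged = {}
    for src, e in by_src.items():
        persistent = len(e["years"]) >= min_years
        multi_vector = len(e["protos"]) > 1
        multi_path = len(e["paths"]) >= min_paths
        if persistent or multi_vector or multi_path:
            flagged[src] = {
                "count": e["count"],
                "years": sorted(e["years"]),
                "protos": sorted(e["protos"]),
                "paths": sorted(e["paths"]),
                "targets": sorted(e["targets"]),
                "persistent": persistent,
                "multi_vector": multi_vector,
                "multi_path": multi_path,
            }
    return flagged


def report(log_text=SAMPLE_LOG):
    """Convenience wrapper: parse and cluster in one call."""
    return cluster_by_source(parse_log(log_text))


if __name__ == "__main__":
    for src, summary in report().items():
        print(src, summary)
```

On the constructed input only OP-A is flagged: it queries locations in three different years, over both 3G and 4G, and via three different interconnect paths, while OP-B sends no location queries and OP-C appears once over a single path. In practice the thresholds would be tuned against a baseline of legitimate roaming partners, since a genuine partner can also be seen for years; what distinguishes the clusters described in the report is the combination of persistence with identity and path inconsistencies.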
Introduction
In recent years, several investigations have exposed vulnerabilities in the mobile telecommunications ecosystem and how government security agencies have exploited them to track targets abroad while roaming. These studies include several Citizen Lab reports, along with work from other researchers. Our work builds on those findings, prompting further research into the structural weaknesses that continue to enable and evolve targeted surveillance.
In late 2024, the Citizen Lab launched an investigation into coordinated location-tracking activity following the identification of a series of unusual events in mobile signalling firewall logs and further intelligence provided by Cellusys. What initially appeared to be an isolated incident targeting a single mobile subscriber led to a broader investigation that uncovered campaigns by two distinct CSVs conducting long-term espionage operations by exploiting the global telecommunications ecosystem.