Hackers Exploit SS7 & Diameter to Track Mobile Users

An extensive investigation has uncovered active exploitation of fundamental vulnerabilities in global mobile networks by sophisticated threat actors. These actors are leveraging these weaknesses to track users across the globe.

By abusing legacy 3G SS7 and 4G Diameter signaling protocols, hackers are successfully bypassing telecom firewalls to conduct silent, cross-border espionage.

The extensive Citizen Lab research uncovered two distinct surveillance threat actors, identified as STA1 and STA2, operating long-running espionage campaigns.

These groups exploit the inherently trusted nature of telecom interconnect networks to launch their attacks.

By functioning as “Ghost Operators,” they manipulate routing data to mask their origins while pinpointing the exact locations of high-value targets.

Hackers Abuse SS7 and Diameter Protocols

These global attacks are made possible by structural weaknesses in international mobile communications.

While the older SS7 protocol completely lacks basic authentication, the newer 4G Diameter protocol suffers from weak security implementation across the industry.

Attackers heavily abuse “combined attach” procedures, allowing roaming devices to register with 3G and 4G networks simultaneously, enabling seamless protocol pivoting.

The Citizen Lab investigation highlighted two unique approaches to covert mobile surveillance. STA1 focuses entirely on aggressive network routing manipulation by spoofing legitimate operator hostnames and abusing third-party access points.

Meanwhile, STA2 takes a more invasive approach by combining network protocol queries with a silent exploit targeting the device itself.

STA1 Network Spoofer

STA1 primarily conducts its tracking attacks using signaling routing manipulation as its main vector. To execute these operations, this threat actor rapidly switches between legacy SS7 and newer Diameter protocols to find vulnerabilities in telecom firewalls.

Furthermore, STA1 evades detection by spoofing network data, allowing its malicious requests to blend in as legitimate operator traffic.

STA2 SIM Exploiter

In contrast, STA2 relies heavily on a zero-click binary SMS payload as its primary attack vector. This actor’s strategy combines SS7 network probing and malicious SIM Toolkit commands to extract location data directly from the target’s device.

To ensure the victim remains unaware, STA2’s evasion tactic exploits silent, low-priority push messages that do not trigger phone alerts.

The ongoing surveillance crisis highlighted by Citizen Lab reveals a major blind spot in the global telecommunications industry.

Mobile operators currently rely on third-party interconnect routing hubs with dangerously weak traffic screening.

Until the industry abandons legacy peer-to-peer trust models and enforces strict cryptographic authentication, mobile users worldwide will remain vulnerable to unseen tracking.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.