Surveillance vendors were found abusing their access to telecom companies to track people's locations.
Investigation uncovers two sophisticated telecom surveillance campaigns

Original link: https://techcrunch.com/2026/04/23/surveillance-vendors-caught-abusing-access-to-telcos-to-track-peoples-phone-locations-researchers-say/

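## Global telecoms used for widespread spying

Recent research from the Citizen Lab shows that two distinct spying campaigns exploited vulnerabilities in global telecom infrastructure to track individuals' locations. These campaigns are likely only a small part of broader activity in which surveillance vendors pose as legitimate cellular network operators to access network data.

The core problem lies in weaknesses in signaling protocols (such as SS7, used in 2G/3G networks), namely the lack of authentication and encryption, and even in the newer Diameter protocol (4G/5G), which is not always implemented securely. Attackers exploit these vulnerabilities to locate phones or, in one case, to send hidden SMS commands directly to the target's SIM card ("SIMjacker" style) for tracking.

Both campaigns relied on access through three specific telecom providers: Israeli operator 019Mobile, British provider Tango Networks U.K., and Airtel Jersey. These providers unwittingly served as "entry and transit points" for surveillance. One campaign attempted to exploit both SS7 and Diameter vulnerabilities, while the other focused on targeted SIM-based tracking.

The researchers believe multiple government customers are behind these operations, using "deliberate and well-funded" networks within the mobile signaling ecosystem. They stress that these findings are only a small sample of ongoing, worldwide exploitation.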

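## Telecom surveillance campaigns exposed

A Citizen Lab investigation exposed two sophisticated surveillance campaigns that exploited vulnerabilities in global telecom networks. These campaigns allowed access to phone location data, potentially enabling individuals to be tracked without proper legal authorization.

The investigation points to an "Israeli-based commercial geo-intelligence provider" as a key participant, raising concerns about the role of companies such as Circles (now part of NSO Group), Cognyte, and Rayzone. The discussion thread highlights how easily this data can be abused, from stalking to targeting journalists and activists, and the lack of accountability within the telecom industry.

Commenters note that the weaknesses of the SS7 protocol have long been known, and that there is little incentive to fix them because of minimal liability and coordination challenges. Concerns were also raised about telecom companies' data security measures and the potential for abuse by employees. The report underscores the broader problem of pervasive surveillance and the erosion of privacy in the digital age, with some suggesting a need for stricter regulation and a re-evaluation of privacy norms. Notably, the link to the Citizen Lab report currently returns a 404 error.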
Original article

Security researchers have uncovered two separate spying campaigns that are abusing well-known weaknesses in the global telecoms infrastructure to track people’s locations. The researchers say these two campaigns are likely a small snapshot of what they believe to be widespread exploitation by surveillance vendors seeking access to global phone networks.

On Thursday, the Citizen Lab, a digital rights organization with more than a decade of experience exposing surveillance abuses, published a new report detailing the two newly identified campaigns. The surveillance vendors behind them, which Citizen Lab did not name, operated as “ghost” companies that pretended to be legitimate cellular providers, and would piggyback their access to those networks to look up the location data of their targets.

The new findings reveal continued exploitation of known flaws in the technologies that underpin the global phone networks. 

One of them is the insecurity of Signaling System 7, or SS7, a set of protocols for 2G and 3G networks that for years has been the backbone of how cellular networks connect to each other and route subscribers’ calls and text messages around the world. Researchers and experts have long warned that governments and surveillance tech makers can exploit vulnerabilities in SS7 to geolocate individuals’ cell phones, as SS7 requires neither authentication nor encryption, leaving the door open for rogue operators to abuse it.

The newer protocol, Diameter, designed for 4G and 5G communications, is supposed to replace SS7 and includes the security features its predecessor lacks. But as the Citizen Lab highlights in this report, there are still ways to exploit Diameter, as cell providers do not always implement the new protections. In some cases, attackers can still fall back to exploiting the older SS7 protocol.

The two spy campaigns have at least one thing in common: Both abused access to three specific telecom providers that repeatedly acted “as the surveillance entry and transit points within the telecommunications ecosystem.” This access gave the surveillance vendors and their government customers behind the campaigns the ability to “hide behind their infrastructure,” as the researchers explained. 

According to the report, the first one is Israeli operator 019Mobile, which researchers said was used in several surveillance attempts. British provider Tango Networks U.K. was also used for surveillance activity over several years, the researchers say.

The third cellphone provider is Airtel Jersey, an operator on the Channel Island of Jersey now owned by Sure, a company whose networks have been linked to prior surveillance campaigns.

Sure CEO Alistair Beak told TechCrunch that the company “does not lease access to signalling directly or knowingly to organisations for the purposes of locating or tracking individuals, or for intercepting communications content.” 

“Sure acknowledges that digital services can be misused, which is why we take a number of steps to mitigate this risk. Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling,” read Beak’s statement. “Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”

019Mobile and Tango Networks did not respond to a request for comment. 

According to the Citizen Lab, the first surveillance vendor facilitated spying campaigns spanning several years against different targets all over the world, and using the infrastructure of several different cellphone providers. This led researchers to conclude that different government customers of the surveillance vendor were behind the various campaigns.  

“The evidence shows a deliberate and well-funded operation with deep integration into the mobile signaling ecosystem,” the researchers wrote. 

Gary Miller, one of the researchers who investigated these attacks, told TechCrunch that some clues point to an “Israeli-based commercial geo-intelligence provider with specialized telecom capabilities,” but did not name the surveillance provider. Several Israeli companies are known to offer similar services, such as Circles (later acquired by spyware maker NSO Group), Cognyte, and Rayzone. 

According to the Citizen Lab, the first campaign relied on trying to abuse flaws in SS7, and then switching to exploiting Diameter if those attempts failed.  

The second spy campaign used different methods. In this case, the other surveillance vendor behind it, which Citizen Lab is also not naming, relied on sending a special type of SMS message to one specific “high-profile” target, as the researchers explained.

These are text-based messages designed to communicate directly with the target’s SIM card, without showing any trace of them to the user. Under normal circumstances, these messages are used by cellphone providers to send innocuous commands to their subscribers’ SIM cards used for keeping a device connected to their network. But the surveillance vendor instead sent commands that essentially turned the target’s phone into a location tracking device, according to the researchers. This type of attack was dubbed SIMjacker by mobile cybersecurity company Enea in 2019.

“I’ve observed thousands of these attacks through the years, so I would say it’s a fairly common exploit that’s difficult to detect,” said Miller. “However, these attacks appear to be geographically-targeted, indicating that actors employing SIMjacker-style attacks likely know the countries and networks most vulnerable to them.”

Miller made it clear that these two campaigns are just the tip of the iceberg. “We only focused on two surveillance campaigns in a universe of millions of attacks across the globe,” he said.
