A major investigation has exposed how sophisticated threat actors are silently tracking mobile users across the globe by exploiting deep structural weaknesses in the global telecommunications backbone. According to new research by Citizen Lab, attackers identified as STA1 and STA2 are abusing the legacy SS7 (Signaling System No. 7) and the newer 4G Diameter signaling protocols to bypass telecom firewalls and conduct cross-border espionage at scale — all without the victim ever knowing.
What Are SS7 and Diameter, and Why Are They Vulnerable?
SS7 is a protocol suite developed in the 1970s to enable telephone networks to exchange information needed for call routing, billing, and roaming. Despite its age, it remains a critical part of the global telephone network. Its fatal flaw: it was designed in an era before cybersecurity was a concern, and it completely lacks basic authentication mechanisms. Any entity with access to the SS7 network can send messages that appear to come from a legitimate operator.
Diameter is SS7’s successor, introduced with 4G LTE networks and intended to address some of SS7’s shortcomings. However, Citizen Lab’s investigation confirms that Diameter suffers from weak and inconsistent security implementation across the industry, leaving it similarly exploitable. Attackers can pivot between the two protocols — a technique known as “combined attach” abuse — to find whichever offers the weakest firewall defense at any given moment.
Two Distinct Threat Actors, Two Different Approaches
The Citizen Lab research identified two distinct surveillance actors operating these campaigns, dubbed STA1 and STA2, each with a different operational signature:
- STA1 – The Network Spoofer: This actor focuses exclusively on network routing manipulation. By spoofing legitimate operator hostnames and abusing third-party access points, STA1 sends malicious signaling requests that blend in with normal operator traffic. The group rapidly switches between SS7 and Diameter protocols to identify gaps in telecom firewalls, then exploits them to pinpoint a target’s location — all while appearing to be a legitimate roaming partner.
- STA2 – The SIM Exploiter: STA2 takes a more invasive approach, combining SS7 network probing with a zero-click binary SMS payload as its primary attack vector. The actor uses malicious SIM Toolkit (STK) commands to extract location data directly from the target’s handset. The payload is delivered via silent, low-priority push messages that generate no visible alert on the target’s screen, leaving victims entirely unaware their location is being harvested in real time.
How Attackers Operate as “Ghost Operators”
A defining feature of both actors is their use of “Ghost Operator” infrastructure. By functioning as unofficial network operators — routing their traffic through legitimate-looking interconnect hubs — they mask their true origin while manipulating the routing tables that mobile networks rely on to locate subscribers. This makes attribution extremely difficult and allows them to operate across international borders with relative impunity.
Modern mobile networks trust each other implicitly: when your phone roams in a foreign country, dozens of carrier partnerships mean your home network must accept location queries from operators it has never directly vetted. STA1 and STA2 exploit this inherited trust ruthlessly.
The Broader Industry Problem
Citizen Lab’s findings illuminate a systemic blind spot in global telecommunications. Mobile operators currently route international traffic through third-party interconnect hubs, and the screening applied to signaling messages at these hubs is dangerously inadequate. The industry’s heavy reliance on peer-to-peer trust models — where a message appearing to come from a recognized operator is treated as legitimate — gives well-resourced threat actors a near-permanent foothold in the global mobile network.
This is not a new problem, but the Citizen Lab investigation makes clear that the exploitation of these vulnerabilities has grown more systematic and technically sophisticated over time. High-value targets — journalists, activists, diplomats, executives — are particularly at risk, as these attacks leave virtually no trace on the target’s device.
What Needs to Change
The path forward requires the telecommunications industry to abandon its legacy peer-to-peer trust model in favor of strict cryptographic authentication for all signaling messages. Several concrete steps have been recommended by security researchers for years:
- Enforce SS7 firewalls that block inbound queries from unrecognized or spoofed sources.
- Implement rigorous monitoring of Diameter message flows for anomalous location queries.
- Require third-party interconnect hubs to apply the same filtering standards as direct carrier peering agreements.
- Transition legacy infrastructure to more secure protocols with proper authentication built in.
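The first three recommendations above, as an added example that is not code from Citizen Lab or from the article: a toy Python screen over constructed signaling records that blocks location queries from origins not on the roaming-partner allowlist, blocks a partner hostname that arrives on an interconnect route it is not expected to use (the hostname spoofing described for STA1), and flags the same origin pivoting between SS7 and Diameter within a short window (the "combined attach" pattern). The record fields, partner names, routes and message type are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist: each trusted roaming partner hostname maps to the
# interconnect route its signaling is expected to arrive on.
ROAMING_PARTNERS = {
    "partner-a.example": "hub-east",
    "partner-b.example": "hub-west",
}

# Constructed message type name for any request that discloses subscriber location.
LOCATION_QUERY_TYPES = {"location_query"}


def screen(records, pivot_window=timedelta(minutes=5)):
    """Return [(record_index, reason)] for every record to block or flag."""
    findings = []
    history = defaultdict(list)  # origin -> [(timestamp, protocol)] of accepted queries
    for i, rec in enumerate(records):
        if rec["msg"] not in LOCATION_QUERY_TYPES:
            continue  # only location-disclosing requests are screened here
        origin, route, proto = rec["origin"], rec["route"], rec["proto"]
        expected_route = ROAMING_PARTNERS.get(origin)
        if expected_route is None:
            findings.append((i, "block: origin is not a known roaming partner"))
            continue
        if route != expected_route:
            findings.append((i, "block: partner hostname on unexpected route (spoof)"))
            continue
        # Same origin asking over SS7 and then Diameter (or vice versa) shortly
        # apart is how probing for the weaker firewall looks from the edge.
        ts = datetime.fromisoformat(rec["ts"])
        recent = {p for t, p in history[origin] if ts - t <= pivot_window}
        if recent and proto not in recent:
            findings.append((i, "flag: location query pivoted between SS7 and Diameter"))
        history[origin].append((ts, proto))
    return findings


# Constructed sample records, not real traffic.
SAMPLE = [
    {"ts": "2024-01-01T10:00:00", "proto": "ss7", "msg": "location_query", "origin": "partner-a.example", "route": "hub-east"},
    {"ts": "2024-01-01T10:01:00", "proto": "ss7", "msg": "location_query", "origin": "ghost-op.example", "route": "hub-east"},
    {"ts": "2024-01-01T10:02:00", "proto": "diameter", "msg": "location_query", "origin": "partner-b.example", "route": "hub-east"},
    {"ts": "2024-01-01T10:03:00", "proto": "diameter", "msg": "location_query", "origin": "partner-a.example", "route": "hub-east"},
    {"ts": "2024-01-01T10:04:00", "proto": "ss7", "msg": "call_setup", "origin": "partner-a.example", "route": "hub-east"},
]

if __name__ == "__main__":
    for idx, reason in screen(SAMPLE):
        print(idx, reason)
```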
Until these changes are implemented industry-wide, mobile users — particularly high-profile individuals — remain vulnerable to silent, persistent surveillance by threat actors who have mastered the art of hiding within the trusted backbone of global communications.