SS7 and Diameter: Mobile Network Espionage Tradecraft
Citizen Lab and HPI's exchange on telecom-layer surveillance maps real SS7/Diameter attack patterns. Here's what it means for red teamers, defenders, and OSINT practitioners.
Citizen Lab published a conversation between researcher Swantje Lange and the Hasso Plattner Institut (HPI) on surveillance campaigns exploiting mobile network infrastructure. Read the primary source first: Researchers Uncover Espionage in Mobile Networks. What follows is an analysis of what the framing reveals and what it means operationally — not a summary.
What Is Actually Being Said
Citizen Lab is not a news outlet. It is a research group at the University of Toronto’s Munk School of Global Affairs with a documented track record of attributing targeted digital surveillance to nation-state actors and commercial spyware vendors. When they surface a conversation about “sophisticated surveillance campaigns being used to exploit mobile networks,” the word sophisticated is doing a lot of work.
HPI is a respected computer science faculty in Potsdam, Germany, with deep ties to telecommunications research. This is not a podcast interview for general audiences. It is a technical exchange between researchers who share a common vocabulary around SS7 (Signaling System 7), Diameter protocol weaknesses, IMSI catchers, and lawful intercept infrastructure that has been repurposed — or outright compromised — for unlawful surveillance.
“Espionage in mobile networks” refers to a threat category distinct from endpoint malware: the network layer itself being weaponized. Location tracking through signaling abuse. Call interception through routing manipulation. Silent SMS attacks that reveal a target’s presence without triggering any user-visible notification. These vulnerabilities have been documented in operational contexts for over a decade. The carrier infrastructure underlying billions of mobile connections remains structurally exposed. That is the uncomfortable fact Citizen Lab keeps surfacing from different angles, and the HPI framing is a deliberate move to bring the academic and policy conversation into alignment with what the civil society and journalism communities have been reporting for years.
Offensive Security Implications
Most red team engagements still treat the mobile network as out of scope or as a delivery channel. That gap is exactly what sophisticated threat actors — state-sponsored or commercial — are exploiting. If your threat model excludes SS7 or Diameter-based position disclosure, silent SMS probing, or IMSI catcher deployment near high-value targets, it is incomplete for any client facing nation-state or advanced criminal adversaries.
The GSMA has published security guidelines specifically addressing these issues in the FS.11 (SS7) and FS.19 (Diameter) documents, but carrier implementation is inconsistent. Positive Technologies’ recurring telecom vulnerability assessments have consistently shown that the majority of tested carrier networks remain exploitable through signaling attacks publicly documented since at least 2014. That body of work provides the technical grounding for understanding what Citizen Lab describes at the policy level.
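To make the FS.11 baseline concrete from the carrier's side, here is an added example (not code from Citizen Lab, HPI, GSMA or Positive Technologies) of what interconnect screening of MAP traffic looks like: a small Python screener run over constructed signaling event lines. The category assignments (Cat 1: never legitimate from an interconnect peer; Cat 2: only from the subscriber's home network; Cat 3: allowed but subject to plausibility checks) follow the FS.11 scheme as commonly summarised and are an assumption here, as are the two-hour velocity threshold, the country tables and the log format; a deployment takes all of these from the document and the carrier's own data.

```python
"""Illustrative SS7 (MAP) interconnect screening in the style of GSMA FS.11.

Added example; the category map, thresholds, prefix tables and log format
are assumptions for illustration, not taken from FS.11 or any carrier.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed category map (subset of MAP operations).
CAT1 = {"anyTimeInterrogation", "sendIMSI", "sendParameters"}
CAT2 = {"provideSubscriberInfo", "insertSubscriberData", "cancelLocation"}
CAT3 = {"updateLocation", "sendAuthenticationInfo", "sendRoutingInfoForSM"}

# Constructed lookup tables: E.164 country code -> country, IMSI MCC -> country.
CC_TO_COUNTRY = {"+1": "US", "+44": "GB", "+49": "DE", "+7": "RU"}
MCC_TO_COUNTRY = {"262": "DE", "310": "US", "234": "GB"}
MIN_COUNTRY_HOP = timedelta(hours=2)  # illustrative velocity threshold

# Constructed interconnect events: timestamp, calling-party GT, operation, IMSI.
SAMPLE_LOG = """\
2025-01-15T12:00:00Z cgpa=+15550001001 op=insertSubscriberData imsi=310260000000001
2025-01-15T12:01:00Z cgpa=+15550001001 op=anyTimeInterrogation imsi=262010000000001
2025-01-15T12:02:00Z cgpa=+15550001001 op=provideSubscriberInfo imsi=262010000000001
2025-01-15T12:03:00Z cgpa=+442070000001 op=updateLocation imsi=262010000000002
2025-01-15T12:20:00Z cgpa=+79160000001 op=updateLocation imsi=262010000000002
2025-01-15T12:25:00Z cgpa=+15550001001 op=sendRoutingInfoForSM imsi=262010000000001
"""


@dataclass
class Event:
    ts: datetime
    cgpa: str   # calling-party global title (E.164)
    op: str     # MAP operation name
    imsi: str


def parse_line(line: str) -> Event:
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return Event(ts, fields["cgpa"], fields["op"], fields["imsi"])


def gt_country(gt: str) -> str:
    """Map a global title to a country by longest matching country-code prefix."""
    for cc in sorted(CC_TO_COUNTRY, key=len, reverse=True):
        if gt.startswith(cc):
            return CC_TO_COUNTRY[cc]
    return "??"


class Screener:
    """Stateful screener: keeps last known country per IMSI for velocity checks."""

    def __init__(self) -> None:
        self.last_loc: dict[str, tuple[str, datetime]] = {}

    def screen(self, ev: Event) -> tuple[str, str]:
        origin = gt_country(ev.cgpa)
        home = MCC_TO_COUNTRY.get(ev.imsi[:3], "??")
        if ev.op in CAT1:
            # Interrogation/parameter queries have no business arriving from a peer.
            return "block", f"cat1 {ev.op} from interconnect"
        if ev.op in CAT2:
            # Country-level "is this the subscriber's home network?" check; a real
            # deployment matches the operator (MCC+MNC), not just the country.
            if origin != home:
                return "block", f"cat2 {ev.op} from {origin}, subscriber home is {home}"
            return "allow", f"cat2 {ev.op} from home network {home}"
        if ev.op in CAT3:
            if ev.op == "updateLocation":
                prev = self.last_loc.get(ev.imsi)
                self.last_loc[ev.imsi] = (origin, ev.ts)
                if prev and prev[0] != origin and ev.ts - prev[1] < MIN_COUNTRY_HOP:
                    return "alert", f"implausible move {prev[0]}->{origin} in {ev.ts - prev[1]}"
            return "allow", f"cat3 {ev.op} passed plausibility"
        return "alert", f"unclassified op {ev.op}"


def screen_log(text: str) -> list[tuple[str, str]]:
    s = Screener()
    return [s.screen(parse_line(l)) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for line, (verdict, why) in zip(SAMPLE_LOG.splitlines(), screen_log(SAMPLE_LOG)):
        print(f"{verdict:5}  {why}  <- {line}")
```

Run it and the second and third lines (an AnyTimeInterrogation and a ProvideSubscriberInfo for a home subscriber, both from a foreign GT) are blocked, while the two UpdateLocation events 17 minutes apart from GB and RU raise a velocity alert. The point of the exercise is that each verdict needs subscriber state the carrier already holds; this is precisely the monitoring worth asking a carrier about.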
The analytical shift for offensive professionals: assessing a high-value target’s communications security posture now requires asking not just “what endpoint protections are in place?” but “what assumptions is this person making about the confidentiality of their mobile traffic, and are those assumptions defensible given the signaling-layer exposure of the network they’re using?”
Defensive Security Implications
The Citizen Lab piece prompts three specific re-examinations.
Mobile device policy
Employees in sensitive roles conducting confidential communications over standard carrier voice and SMS — even with encrypted messaging apps layered on top — may be exposed at the signaling layer in ways application-layer encryption cannot address. An adversary who can manipulate routing at the SS7 or Diameter level does not need to break Signal’s encryption. They can potentially redirect calls and SMS, confirm the device’s location, or analyze the signaling metadata that application-layer encryption never covers.
Threat intelligence feeds
Citizen Lab’s research output is primary-source intelligence. If you are not tracking their publications, you are missing context on commercial spyware vendors, nation-state tooling, and infrastructure active in current campaigns. The 2021 Pegasus Project reporting — which Citizen Lab anchored — demonstrated the operational scale at which mobile-targeting capabilities are deployed against journalists, lawyers, and executives. Amnesty International Security Lab’s forensic methodology for detecting Pegasus remains the most detailed public reference for mobile forensic detection of advanced spyware, and it directly complements the network-layer research Citizen Lab continues.
Incident response playbooks
If you receive a report that a high-value individual may have been targeted by a nation-state actor, do your playbooks account for a telecom network compromise vector rather than a phishing email or malicious attachment? Most do not. That gap is straightforward to document even if full technical remediation requires carrier engagement.
The OSINT Dimension
Mobile network infrastructure is itself an OSINT surface — one more accessible to well-resourced adversaries than most defenders model.
IMSI catchers enumerate devices present in a given area. Silent SMS (type-0 messages processed by the handset but not displayed) confirms that a device is active within carrier coverage without the user’s knowledge. Both techniques are detectable — Android IMSI-Catcher Detector and SnoopSnitch have documented these capabilities for years — but detection requires the target to be running such tools, and most high-value individuals are not.
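Detecting a type-0 message is a matter of reading one header field of the delivered PDU, which is what the detectors named above do on the handset. The following is an added example (not code from the original article or from the SnoopSnitch or AIMSICD projects): a minimal SMS-DELIVER PDU parser per 3GPP TS 23.040 that flags a TP-Protocol-Identifier of 0x40 ("Short Message Type 0"). Both PDUs are constructed by hand with made-up numbers; the parser handles numeric addresses and the 7-bit default alphabet only, and ignores user-data headers.

```python
"""Parse an SMS-DELIVER PDU (3GPP TS 23.040) and flag a silent, type-0 message.

Added example with hand-constructed PDUs; not from the article or the
detector projects it mentions.
"""

TP_PID_TYPE0 = 0x40  # TS 23.040 TP-Protocol-Identifier: "Short Message Type 0"

# Constructed: SMSC +4917012345678, sender +12025550123, sent 2025-01-15 12:30:40 +01:00
SILENT_PDU = "0891947110325476F8040B912120550521F340005210512103044000"
# Same header, but TP-PID 0x00 and a 2-septet 7-bit body "Hi"
NORMAL_PDU = "0891947110325476F8040B912120550521F300005210512103044002C834"


def _swap_bcd(raw: bytes) -> str:
    """Decode semi-octet (nibble-swapped) BCD digits, dropping the 0xF filler."""
    out = []
    for b in raw:
        out.append(str(b & 0x0F))
        hi = b >> 4
        if hi != 0xF:
            out.append(str(hi))
    return "".join(out)


def _unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack the GSM 7-bit default alphabet; basic letters and digits match ASCII."""
    bits = nbits = 0
    out = []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(chr(bits & 0x7F))
            bits >>= 7
            nbits -= 7
    return "".join(out)


def _address(toa: int, digits: bytes) -> str:
    # Type-of-address 0x91 (international) gets a leading '+'; alphanumeric not handled.
    return ("+" if toa & 0x70 == 0x10 else "") + _swap_bcd(digits)


def parse_sms_deliver(hexpdu: str) -> dict:
    pdu = bytes.fromhex(hexpdu)
    i = 0
    smsc_len = pdu[i]; i += 1            # octets that follow: TOA + BCD digits
    smsc = ""
    if smsc_len:
        smsc = _address(pdu[i], pdu[i + 1:i + smsc_len])
        i += smsc_len
    first = pdu[i]; i += 1
    if first & 0x03 != 0x00:             # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits = pdu[i]; i += 1           # TP-OA length is in digits, not octets
    oa_toa = pdu[i]; i += 1
    oa_len = (oa_digits + 1) // 2
    sender = _address(oa_toa, pdu[i:i + oa_len])
    i += oa_len
    pid, dcs = pdu[i], pdu[i + 1]; i += 2
    scts = _swap_bcd(pdu[i:i + 6])       # YYMMDDhhmmss; the timezone octet follows
    i += 7
    udl = pdu[i]; i += 1
    text = _unpack_7bit(pdu[i:], udl) if dcs == 0x00 else pdu[i:].hex()
    return {
        "smsc": smsc, "sender": sender, "pid": pid, "dcs": dcs,
        "scts": scts, "text": text,
        # A type-0 message is acknowledged by the handset but never stored or shown.
        "silent": pid == TP_PID_TYPE0,
    }


def is_silent_sms(hexpdu: str) -> bool:
    return parse_sms_deliver(hexpdu)["silent"]


if __name__ == "__main__":
    for name, pdu in (("silent", SILENT_PDU), ("normal", NORMAL_PDU)):
        print(name, parse_sms_deliver(pdu))
```

The silent PDU decodes to an empty body from +12025550123 with TP-PID 0x40, and the normal one to "Hi" with TP-PID 0x00; the only difference that matters to the handset is that single octet, which is why a detector needs baseband or modem-level visibility rather than an app-layer inbox hook.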
This means adversaries running pre-operational surveillance may combine open-source data — social media check-ins, public calendar appearances, organizational affiliations — with signaling-layer probes to build a granular picture of a person’s movements and communications patterns. Neither data source alone produces that picture; the combination does, and it is largely invisible to the target.
The tradecraft question for OSINT practitioners advising clients or building protective intelligence programs: what signals is a target inadvertently broadcasting at the network layer, and how would an adversary with carrier access or SS7 probing capability use those signals to complement open-source research?
What to Do
Immediate:
- Add Citizen Lab and HPI publications to your threat intelligence reading rotation. The research is primary-source and methodologically documented.
- Audit your mobile device policy for employees in sensitive roles. Standard carrier voice should not be carrying confidential communications that belong on end-to-end encrypted VoIP.
- Brief your IR team on signaling-layer attack vectors at a conceptual level. They need to know SS7 and Diameter abuse are in-scope threat vectors before they encounter them in a live investigation.
Medium-term:
- Ask your mobile carrier directly what monitoring they have for SS7/Diameter anomalies. Large enterprise accounts can often negotiate enhanced security visibility. Most organizations have never asked.
- Name mobile network threats in red team scoping conversations. SS7 testing will almost always be out of scope given legal complexity, but the threat vector belongs in the documented threat model regardless.
- For clients facing advanced adversary profiles, evaluate private LTE/5G deployments or hardened SIM configurations for the most sensitive communications roles.
Ongoing:
- Track GSMA FS.11 and FS.19 publications as the baseline reference for what carriers are expected to implement.
- Monitor Citizen Lab’s research output. Their track record on identifying commercial surveillance vendors before mainstream security coverage is consistent and well-established.
When researchers with Citizen Lab’s track record choose an academic institution with HPI’s telecommunications depth as a platform, the framing is deliberate. It is an effort to move findings from the civil society and journalism context — where Citizen Lab’s work typically lands first — into the engineering and policy communities where structural fixes would have to originate. Security professionals sit directly at that intersection. The technical knowledge to understand what is being described, the operational context to assess implications, and the client relationships to translate findings into protective action are all available. The question is whether defenders treat mobile network espionage with the same seriousness that the adversaries already deploying it do.