Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities

23 April 2026 at 15:19

Campaigns employing commercial surveillance vendors tracked targets by exploiting mobile phone network vulnerabilities in what researchers said Thursday was the first-ever linking of “real-world attack traffic to mobile operator signalling infrastructure.”

The two unknown parties behind the campaigns mimicked the identities of mobile phone operators with customized surveillance tools, manipulated signaling protocols, and steered traffic through network pathways to hide, according to research from the University of Toronto’s Citizen Lab.

“Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate,” a report published Thursday reads.

“Despite repeated public reporting, this activity continues unabated and without consequence,” Gary Miller and Swantje Lange wrote for Citizen Lab. “The continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security.”

The attackers relied on identifiers and infrastructure associated with operators around the world, including networks based in Cambodia, China, the self-governing Island of Jersey, Israel, Italy, Lesotho, Liechtenstein, Morocco, Mozambique, Namibia, Poland, Rwanda, Sweden, Switzerland, Thailand, Uganda and the United Kingdom.

They shifted between SS7 and Diameter protocols, the signalling protocols known for 3G and 4G/most of 5G, respectively, according to the report. While Diameter was meant to be more secure than SS7, the Federal Communications Commission in 2024 opened a probe into both its vulnerabilities and SS7’s, and Sen. Ron Wyden, D-Ore., has asked for a Cybersecurity and Information Security Agency report about telecommunications vulnerabilities rooted in both protocols.

But identifying the vendors used in the two surveillance campaigns, or who was behind them, was beyond the researchers’ reach.

“The reality is that there are a number of known surveillance vendors and bad actors in this space, but given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are,” Ron Deibert, director of Citizen Lab, wrote in his newsletter. “Much of the malicious things they are doing blend into the otherwise voluminous flow of billions of normal messages and roaming signals. They are ‘ghost operators’ within the global telecom ecosystem.”

One of the operators mentioned in Citizen Lab’s report, Israel-based 019 Mobile, wrote back that it didn’t recognize the hostnames referenced in the report as 019 Mobile’s network nodes, and couldn’t attribute the signaling activity it represents to 019 Mobile-operated infrastructure.

Another operator, Sure, said it has taken preventative measures to defend against misuse.

“Sure acknowledges that digital services can be misused, which is why we take a number of steps to mitigate this risk,” CEO Alistair Beak said in a statement to CyberScoop. “Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling. Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”

019 Mobile and a third operator, Tango Networks UK, didn’t respond to requests for comment from CyberScoop. The Citizen Lab report afforded some grace to the operators.

“It is important to note that the operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement,” it states. “In some cases, access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using operator identifiers from legitimate networks.”

Updated 4/24/26: to include quote from Alistair Beak.

The post Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities appeared first on CyberScoop.

Trump pulls US out of international cyber orgs

8 January 2026 at 12:39

The Trump administration is withdrawing the United States from a handful of international organizations that work to strengthen cybersecurity.

As part of a broader pullback from 66 international organizations, the administration is leaving the Global Forum on Cyber Expertise, the Online Freedom Coalition and the European Centre of Excellence for Countering Hybrid Threats.

Trump’s decision is in line with a president who has expressed hostility toward the existing international order, an approach critics fear creates a leadership power vacuum for U.S. adversaries to fill.

“The Trump Administration has found these institutions to be redundant in their scope, mismanaged, unnecessary, wasteful, poorly run, captured by the interests of actors advancing their own agendas contrary to our own, or a threat to our nation’s sovereignty, freedoms, and general prosperity,” Secretary of State Marco Rubio said in a statement Thursday. “President Trump is clear: It is no longer acceptable to be sending these institutions the blood, sweat, and treasure of the American people, with little to nothing to show for it. The days of billions of dollars in taxpayer money flowing to foreign interests at the expense of our people are over.”

Rubio criticized the international organizations over “DEI mandates,” “‘gender equity’ campaigns” and activities that “constrain American sovereignty.”

The Global Forum on Cyber Expertise works on issues such as critical infrastructure protection, cybercrime, cyber skills and policy and emerging technology. Its members include nations and government organizations like Interpol, but also tech companies like Hewlett Packard, Mastercard and Palo Alto Networks.

The forum says it supports gender inclusivity, asserting that “gender is a cross cutting issue with direct relevance to achieving international peace and security.”

A former president of the Global Forum on Cyber Expertise Foundation, Chris Painter, said he was “surprised” by the withdrawal.

“It’s a non-political capacity-building platform that the U.S. helped establish and that has done good work in the Western Balkans and Asian Pacific, among other places, that I think advances U.S. interests,” said Painter, also the former top cyber diplomat at the State Department.

Ron Deibert, a professor of political science and the founder and director of the University of Toronto’s Citizen Lab, said the withdrawal from the forum and the cuts at the U.S. Cybersecurity and Infrastructure Security Agency would “further erode network security coordination at a time when the magnitude of cyber threats are rapidly increasing.”

Nina Jankowicz, a former Biden administration disinformation official who is now head of the American Sunlight Project, a nonprofit dedicated to fighting disinformation, took note of the Trump administration — “which claims to care about free speech” — exiting the Freedom Online Coalition, which counts as its goals the support of “free expression, association, assembly, and privacy online.”

The coalition has campaigned against cybersecurity laws that suppress human rights and cyberattacks that imperil individual safety.

The European Centre of Excellence for Countering Hybrid Threats works to protect its members, which include members of the North Atlantic Treaty Organization, from an array of threats, among them those that manifest in cyberspace.

The Trump administration also withdrew from other organizations whose work more tangentially touches on cybersecurity, such as the International Law Commission.

Whatever flaws there are with some of the organizations Trump withdrew from, they are contributors to the “international rules-based order,” Deibert said.

“Without state participation, especially the powerful rich states, these forums will grind to a halt,” he said. “Even on a symbolic level, having a government like the U.S. ‘not there’ means very little can happen on a global level. This will likely lead to more regionalization and likely greater spaces for corruption and authoritarian practices to spread.”

The U.S. decision will “inevitably weaken the rights and security of Americans and people around the world for years to come,” said Alexandra Givens, president of the Center for Democracy and Technology.

“Americans should be concerned that their government is abandoning longstanding efforts to advance democracy, defend human rights online, and stop the abuses of spyware, particularly as free expression comes under attack from governments around the world — including our own,” Givens said. “U.S. participation in international collaboration on human rights standards helps keep Americans safe.”

The post Trump pulls US out of international cyber orgs appeared first on CyberScoop.
