
Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities

23 April 2026 at 15:19

Campaigns employing commercial surveillance vendors tracked targets by exploiting mobile phone network vulnerabilities in what researchers said Thursday was the first-ever linking of “real-world attack traffic to mobile operator signalling infrastructure.”

The two unknown parties behind the campaigns mimicked the identities of mobile phone operators with customized surveillance tools, manipulated signaling protocols, and steered traffic through network pathways to hide, according to research from the University of Toronto’s Citizen Lab.

“Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate,” a report published Thursday reads.

“Despite repeated public reporting, this activity continues unabated and without consequence,” Gary Miller and Swantje Lange wrote for Citizen Lab. “The continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security.”

The attackers relied on identifiers and infrastructure associated with operators around the world, including networks based in Cambodia, China, the self-governing Island of Jersey, Israel, Italy, Lesotho, Liechtenstein, Morocco, Mozambique, Namibia, Poland, Rwanda, Sweden, Switzerland, Thailand, Uganda and the United Kingdom.

They shifted between SS7 and Diameter, the signalling protocols used for 3G and for 4G and most of 5G, respectively, according to the report. While Diameter was meant to be more secure than SS7, the Federal Communications Commission in 2024 opened a probe into both its vulnerabilities and SS7’s, and Sen. Ron Wyden, D-Ore., has asked for a Cybersecurity and Information Security Agency report about telecommunications vulnerabilities rooted in both protocols.

But identifying the vendors used in the two surveillance campaigns, or who was behind them, was beyond the researchers’ reach.

“The reality is that there are a number of known surveillance vendors and bad actors in this space, but given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are,” Ron Deibert, director of Citizen Lab, wrote in his newsletter. “Much of the malicious things they are doing blend into the otherwise voluminous flow of billions of normal messages and roaming signals. They are ‘ghost operators’ within the global telecom ecosystem.”

One of the operators mentioned in Citizen Lab’s report, Israel-based 019 Mobile, wrote back that it didn’t recognize the hostnames referenced in the report as 019 Mobile’s network nodes, and couldn’t attribute the signaling activity it represents to 019 Mobile-operated infrastructure.

Another operator, Sure, said it has taken preventative measures to defend against misuse.

“Sure acknowledges that digital services can be misused, which is why we take a number of steps to mitigate this risk,” CEO Alistair Beak said in a statement to CyberScoop. “Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling. Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”

019 Mobile and a third operator, Tango Networks UK, didn’t respond to requests for comment from CyberScoop. The Citizen Lab report afforded some grace to the operators.

“It is important to note that the operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement,” it states. “In some cases, access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using operator identifiers from legitimate networks.”

Updated 4/24/26: to include quote from Alistair Beak.

The post Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities appeared first on CyberScoop.

My router is illegal

25 March 2026 at 04:00
Just the other day, the United States Federal Communications Commission (FCC) updated its list of products that can’t be sold in the US to include all consumer routers made in foreign countries. It’s a big — but potentially disruptive — move to limit supply-chain security risks to US networks. Now mind you, while I can […]

FCC finalizes new penalties for robocall violators

By: djohnson
6 January 2026 at 17:47

The Federal Communications Commission finalized new financial penalties for telecoms that submit false, inaccurate or late reporting to a federal robocalling system.

The new regulations, which go into effect Feb. 5, will require providers to recertify every year that their information is accurate in the Robocall Mitigation Database (RMD). It would also impose fines on offenders, including $10,000 for submitting false or inaccurate information and $1,000 for each entry not updated within 10 business days of receiving new information.

The commission also added two-factor authentication cybersecurity protections to access the database and directed its Wireline Competition Bureau to establish a new channel for reporting on deficient filings.

Those deficiencies “range from failures to provide accurate contact information to submission of robocall mitigation plans that do not in any way describe reasonable robocall mitigation practices,” the FCC wrote in a final rule posted this week in the Federal Register.

The FCC already requires voice service providers to verify and certify the identities of their callers through the RMD. The database is designed to help regulators and law enforcement track and prevent call spoofing, a frequent tactic of illegal robocallers, and hold providers accountable for the identities of callers and phone numbers that use their networks.

But America’s telecommunications networks are vast and decentralized, comprised of both massive companies like Verizon and AT&T and smaller telecoms and voice-over-internet-protocol (VoIP) providers. Calls often hop from one provider network to another, and verification can get lost or overlooked in the chain of custody.

Historically, federal regulators neither verified nor enforced the accuracy of those filings. Their effectiveness was called into question two years ago, when a political consultant used a voice-cloning tool to impersonate then-President Joe Biden in fake voicemails to New Hampshire voters, spoofing the number of a prominent state Democratic ally. The carrier that transmitted those calls, Lingo Telecom, had nonetheless verified the caller’s identity at their highest level of confidence.

The FCC asked for public feedback on whether to treat violations as minor paperwork errors, which typically carry smaller fines, or as evidence of more serious misrepresentation or lack of candor on the part of the provider. Telecom trade associations opposed fines for false or inaccurate filings unless filers were first granted an opportunity to correct the error or the FCC finds the information “willfully” inaccurate. State attorneys general and robocall surveillance platform ZipDX urged the FCC to take a stricter approach, arguing that false filings “significantly undermines the Commission’s efforts to curb illegal robocalls.”

“The State AGs and ZipDX each express strong support for treating the filing of false or inaccurate information in the Robocall Mitigation Database akin to misrepresentation/lack of candor, arguing that such actions should elicit the statutory maximum penalty,” the commission wrote.

The FCC ultimately searched for a middle ground, concluding that a false filing in this case “warrants a significantly higher penalty than the existing $3,000 base forfeiture for failure to file required forms or information” but lower than the statutory maximum.

The post FCC finalizes new penalties for robocall violators appeared first on CyberScoop.

Key lawmaker says Congress likely to kick can down road on cyber information sharing law

16 December 2025 at 14:32

With a little more than a month left before a foundational cyber threat information sharing law expires for a second time, Congress might have to do another short-term extension as negotiations on a longer deal aren’t yet bearing fruit, a key lawmaker said Tuesday.

House Homeland Security Chairman Andrew Garbarino, R-N.Y., said the problem with a long-term extension of the Cybersecurity Information Sharing Act of 2015, which provides legal protections to companies to share cyber threat data with the federal government and other companies, is that there are three different views about how to approach it.

The Trump administration and some in the Senate want a clean, 10-year reauthorization of the law, which Congress extended last month until Jan. 30 as part of the legislation that ended the government shutdown, after the information sharing law lapsed in October. But a reauthorization without any changes could run into House opposition, Garbarino said.

“I don’t know if I can get that passed in the House, with concerns from the Freedom Caucus,” he said at an event hosted by Auburn University’s McCrary Institute. The Freedom Caucus has had criticism of the Cybersecurity and Infrastructure Security Agency that is integral to implementing the 2015 law.

Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul, R-Ky., also has a version of the bill that focuses largely on language he said is needed to defend free speech. And Garbarino’s version takes yet another approach to tweaking the law.

“Unfortunately, I don’t think we’re close enough with the discussions on the Senate to get it to figure out which bill will pass and what will get done,” Garbarino said. That leaves another extension tied to any funding bill that replaces the legislation currently funding the government, which also runs through Jan. 30.

Garbarino said his committee also is working on other issues, like deconflicting federal cybersecurity regulations, the cyber workforce and responding to the Chinese hacking group Salt Typhoon breaching telecommunications networks.

A report on “regulatory harmonization” has been underway at the committee, he said. But that doesn’t mean he wants to roll all the rules back. Asked about the Federal Communications Commission voting to get rid of Biden administration-era rules put into place in response to the Salt Typhoon breach, Garbarino said, “I’m not sure I would’ve voted to get rid of some of the protections or the rules, but it wasn’t my vote.”

The committee has been probing the government’s response to Salt Typhoon, and recently sent another set of questions in the past two or three months after not getting satisfactory answers the first time, Garbarino said.

“We are working closely with the China Select Committee as to what legislatively we could move if there’s something,” he said. “We’re not there yet.” 

Rep. Sheri Biggs, R-S.C., has picked up the baton on cyber workforce legislation sponsored by Garbarino’s predecessor as chairman, and Garbarino said he expects there to be some changes to the bill.

And two House Homeland subcommittees are holding a hearing Wednesday on artificial intelligence and cybersecurity.

“I’ll tell you right now, with our adversaries, the way they’re going to use AI, we can’t defend with human intervention alone,” Garbarino said. “AI is going to have to be part of our cyber defense.”

The post Key lawmaker says Congress likely to kick can down road on cyber information sharing law appeared first on CyberScoop.

SEC drops case against SolarWinds tied to monumental breach

20 November 2025 at 18:18

The Securities and Exchange Commission on Thursday dropped its case against SolarWinds and its chief information security officer over its handling of an alleged Russian cyberespionage campaign uncovered in 2020, an incident that penetrated at least nine federal agencies and hundreds of companies.

The SEC’s decision brings to a halt one of the more divisive steps under the Biden administration to hold companies’ feet to the fire over their security failings, a groundbreaking suit that a judge last year dismissed in significant measure.

It comes the same day the Federal Communications Commission rescinded Biden-era cyber regulations the FCC wrote in response to another major cyberespionage campaign that saw alleged Chinese hackers infiltrate telecommunications carriers.

Two years ago the SEC took action against SolarWinds and its CISO, Tim Brown, over claims that it didn’t adequately disclose the Sunburst attack that began in 2019, as well as over other security assertions the company made.

The SEC litigation notice Thursday didn’t explain why it had dropped the case. An SEC spokesperson declined to comment beyond the notice.

A SolarWinds spokesperson said the company welcomed the SEC decision. The mere threat of SEC action two years ago had panicked some cyber executives who said it could create a chilling effect to disclose cyber information.

“We fought with conviction, arguing that the facts demonstrated our team acted appropriately — this outcome is a welcome vindication of that position,” the spokesperson said in a statement about how it was “delighted” on behalf of the company and Brown. “We hope this resolution eases the concerns many CISOs have voiced about this case and the potential chilling effect it threatened to impose on their work. With the case now resolved, we look forward to focusing without distraction on delivering exceptional value to our customers through our market-leading software and solutions, emphasizing security and innovation at every step.”

The post SEC drops case against SolarWinds tied to monumental breach appeared first on CyberScoop.

Why Anna Gomez believes the FCC is letting telecoms off easy after Salt Typhoon

By: djohnson
20 November 2025 at 08:37

The Federal Communications Commission is set to vote Thursday on whether to rescind a set of last-minute Biden administration regulations following a massive Chinese compromise of U.S. telecommunications infrastructure last year.

Chair Brendan Carr has called the rule ineffective and unlawful, and with the likely support of newly confirmed commissioner Olivia Trusty, there is a majority position to reverse the rules.

Now in an interview, the lone dissenting voice on the panel, Commissioner Anna Gomez, told CyberScoop that rescinding the rules would let telecoms off the hook for the cybersecurity lapses that enabled the breaches. 

She also noted it would eliminate one of the only substantive actions the FCC has taken in response to Salt Typhoon, a Chinese state-led cyberespionage campaign that broadly compromised the phones and data of high-level U.S. officials, including then-presidential candidate Donald Trump and vice presidential candidate JD Vance.

“What we know is that we had this major hack and the commission is probably the best positioned agency to ensure we don’t have something like this happen again,” Gomez said. “And we adopted the [rules] because we needed immediate action and we sought to create accountability, establish clear cybersecurity obligations and put in place an enforceable framework to harden the networks before the next breach.”

U.S. officials have given mixed signals as to whether Salt Typhoon remains an active and ongoing operation. Earlier this year an FBI official told CyberScoop that the bureau believes the group had been “contained,” but others have said that is unlikely given the documented technical expertise and persistence of the group and latent vulnerabilities in telecom infrastructure.

When asked if she viewed the incursions by Salt Typhoon as an active or ongoing campaign, Gomez said “this was not a one-off event.”

“These attempts are ongoing and so the need for a forceful response has not diminished,” she said.

In January, under then-chair Jessica Rosenworcel, the FCC passed a declaratory judgement stating that telecom providers have a legal obligation under the Communications Assistance for Law Enforcement Act to protect their communications and networks from being intercepted by unauthorized providers.

The agency also kicked off a proposed regulation that would have forced telecom providers to annually certify their cyber risk management plans with the FCC.

Carr indicated in an Oct. 30 fact sheet that the agency would vote to withdraw both the declaratory statement and proposed rule, providing a range of rationales.

The Biden-era rules were “rushed” out the door days before Biden and Rosenworcel left office. Carr believes there is nothing in CALEA that gives the FCC authority to regulate specific cybersecurity practices. He also called the rules “ineffective” and redundant in the face of engagement with telecoms over the past year to help harden their networks.

Gomez said it’s not clear how Carr could determine the rules were ineffective ten months after they were issued and that the commission is effectively saying it doesn’t need to wield its regulatory powers because it can rely on relationships with service providers to push for non-mandatory and industry-led cyber improvements.

“My question is ‘How many service providers have really implemented these measures?’” said Gomez. “We have one industry association coming in and saying that some providers have agreed to this. We don’t have numbers. I’m not entirely sure how many there are and we don’t know who the weakest link is going to be in a hack. I think that collaboration is very important, but it’s also important to have a regulatory backstop.”

When asked about the substance of the FCC’s engagement with the telecom industry over the past year, Gomez said it’s important to acknowledge that the agency can’t be an effective regulator without engaging in good faith with industry, but noted that she has not witnessed the kind of robust back and forth Carr described.

“As far as I know, the only evidence I had that there was any such engagement is from [Carr’s statement] saying that it happened,” she said.

Asked how much time the commission had dedicated to the Salt Typhoon incursions this year, Gomez suggested it hasn’t been a top priority.

“I would have trouble really being able to tell you that,” she said. “We haven’t seen a single proposal from [the Trump] administration. What the FCC did in January is so far the only meaningful regulatory response to Salt Typhoon that I have seen.”

In his justification, Carr has pointed to work the commission has done this year: setting up a Council on National Security to coordinate with other federal agencies, working to prevent Chinese entities from owning telecom equipment testing labs in the US, and investigating whether Chinese equipment providers are skirting federal restrictions to sell in the United States.

The commission has “adopted targeted rules to address the greatest cybersecurity risks to critical communications infrastructure without imposing inflexible and ambiguous requirements,” Carr wrote.

But nearly all available evidence over the past year indicates that Salt Typhoon hackers primarily exploited U.S. and Western technology and equipment to compromise U.S. telecom networks. In multiple interviews with U.S. officials, including intelligence and cybersecurity officials, none have claimed that Chinese equipment or foreign ownership of labs contributed to the breaches.

The post Why Anna Gomez believes the FCC is letting telecoms off easy after Salt Typhoon appeared first on CyberScoop.
