The Silent Data Breach Undermining National Security
When Salt Typhoon, a threat actor linked to the Chinese government, compromised multiple US communication providers, the personal data of millions of users was exposed, raising concerns about the cybersecurity of national critical infrastructure. Unfortunately, this was not the only recent data breach reported by large mobile network operators. Notable reports from 2025 include SK Telecom, Bouygues Telecom, and Orange.
In parallel with these large-scale data breaches, sensitive personal data is regularly exfiltrated through the signaling protocols used in mobile networks, e.g., SS7, Diameter, and GTP-C. When weaponized, data breaches through these protocols pose significant threats to national security. In the hands of state or non-state actors, the exfiltrated data exposes government officials, military personnel, and citizens to surveillance, espionage, and manipulation.
Sensitive personal data is exfiltrated through signaling protocols
Signaling in mobile networks is responsible for tasks such as call setup, message delivery, subscriber authentication, and roaming services. These tasks are essential to keep users connected. However, the critical role signaling plays exposes sensitive personal data to a significant risk of being breached. The principle at play is that the attacker impersonates a remote network node (for example, a roaming partner's HLR, VLR, or SMSC) and sends legitimate signaling messages that trigger responses from the targeted network, thereby exfiltrating user data without exploiting any software bug. Data exfiltration via signaling can provide threat actors with several kinds of information:
- Unique identifiers. Signaling attacks can disclose the unique identifiers used in mobile networks, including the IMSI (which identifies the subscription held on the SIM card), the MSISDN (the telephone number), and the IMEI (which identifies the physical device). This is typically reconnaissance: the identifiers are collected in preparation for further targeted attacks and sophisticated fraud, since the IMSI in particular is required to address the subscriber in most subsequent signaling attacks.
- Location data. There are several methods to determine a user’s location through signaling protocols, including identifying the cell to which a device is currently connected or obtaining GPS coordinates directly from the device. The precision for these methods varies. Identifying a cell in an urban area can provide a location within a few hundred meters, while in less populated areas, it can stretch over several kilometers. GPS data can be as precise as a few meters. While publicly disclosed examples of location tracking are rare, some cases have been reported nonetheless. One example underscoring the seriousness of location data breaches was that of Mexican journalist Fredid Román, who was murdered after likely having been located through the signaling network.
- Intercepted communications. Signaling vulnerabilities can be exploited to reroute calls, messages, and data through nodes controlled by attackers, allowing them to silently eavesdrop while still delivering the communication to its intended recipient. A striking example occurred in Germany in 2017, where criminals used SS7-based attacks to intercept the one-time passwords banks sent by SMS and drain customer accounts, exposing how signaling flaws can be leveraged in large-scale fraud.
Signaling data breaches are national security concerns
The ability to covertly extract sensitive personal data through signaling protocols can pose significant national security challenges, both directly and indirectly.
State and military officials, politicians, journalists, and business leaders are prime targets for surveillance campaigns designed to gather intelligence or exert influence, thereby posing direct threats to national security. Signaling data harvested through attacks enables adversaries to map out communication networks, identify relationships, track locations, and monitor movements. This form of metadata intelligence can reveal sensitive government operations or political dissidence, and correlate individuals of interest with places, activities, and other individuals, to form valuable insights.
The value to an adversary of intercepting conversations is obvious, but using intercepted data for account hijacking is also a serious threat. Hijacked accounts can in turn be used to spread disinformation in attempts to destabilize or interfere by manipulating public opinion, undermining trust in institutions, or sowing division. This is especially dangerous if the accounts belong to officials or individuals with elevated positions in society. One of the few published reports about this revealed that 'Team Jorge', an Israeli group specializing in (dis-)information operations, claimed to have meddled in over 30 elections worldwide. One of their tools, as described in the report, was account hijacking by exploiting vulnerabilities in SS7 to intercept the SMS verification codes used for account recovery.
Indirect threats are connected to public trust in mobile communication. If citizens distrust mobile networks due to fears of surveillance, data breaches, or fraud, they may avoid using them. This would have a massive effect on the economy and society, as mobile communication is an enabler for many other critical infrastructure services such as finance, healthcare, transportation, and energy.
How did we end up in this situation?
The vulnerabilities in the signaling protocols have been known for more than a decade, and indications that signaling attacks threatened national security have been available since at least 2014. So, how come signaling protocols are still exploited if the vulnerabilities have been known for years?
The fundamental security issue is inherent in the protocols used for signaling and will persist as long as these protocols are in use. They were designed for a closed club of operators who trusted each other, so a message is accepted on the strength of where it claims to come from rather than on any cryptographic proof of origin. That trust model is no longer valid. Practices such as Global Title (GT) leasing, through which third parties can purchase access to signaling networks, have enabled surveillance companies and other rogue actors to exploit signaling protocols. The practice was recently banned by the UK regulator Ofcom.
That said, the industry has accomplished a great deal in recent years. Criticism against GT leasing has resulted in a code of conduct published by the GSMA, and a framework for sharing threat intelligence between operators was established last year. Industry initiatives such as these are vital to mitigate signaling threats because mobile operators connect globally through the signaling network, meaning no single operator can secure it alone.
As a national critical infrastructure, mobile networks must be resilient. They also need to be trusted by several other critical infrastructure sectors relying on them to keep data safe. Still, many operators lack even basic protection against signaling attacks. A survey conducted by Enea showed that only half of the responding operators had implemented a signaling firewall.
In the end, the responsibility to adopt a signaling security posture and to deploy the tools and processes needed to secure the signaling network lies with the operators. Deploying a signaling firewall is the bare minimum, but threat intelligence is necessary to detect evolving, sophisticated attacks that bypass static rules. Threat actors continue to probe for new ways around firewalls, including those protecting old protocols like SS7, for instance by choosing message types the rule set does not cover or by routing requests through a legitimate roaming partner. The only way to detect this is by investigating anomalies and tracking threat actors, which requires deep expertise and analysis of signaling traffic from multiple networks and sources.
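To make the firewall point concrete, and to connect it to the exfiltration primitives listed earlier (identifier disclosure, location lookup, interception via rerouting), here is an added, illustrative screening rule set for SS7 MAP messages arriving over the interconnect. It is example code written for this page, not the product of any operator or vendor named above. The MAP operation codes are those of 3GPP TS 29.002; the grouping into "never legitimate from interconnect" (Category 1), "only from an inbound roamer's home network" (Category 2) and "needs a plausibility check" (Category 3) follows the spirit of the GSMA FS.11 guidelines but the exact lists, the Global Title ownership table, the operator coordinates, the 1000 km/h threshold and every message shown are constructed assumptions for the example. The velocity check on UpdateLocation is the kind of stateful control a static rule cannot express, which is the gap the paragraph above describes:

```python
"""Illustrative SS7/MAP interconnect screening: category rules plus an
implausible-travel check for UpdateLocation. Constructed sample data only."""
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
from typing import Optional

# MAP operation codes (3GPP TS 29.002). The category assignment below is a
# simplified illustration in the spirit of GSMA FS.11, not a copy of it.
CAT1 = {58: "sendIMSI", 62: "anyTimeSubscriptionInterrogation",
        65: "anyTimeModification", 70: "provideSubscriberInfo",
        71: "anyTimeInterrogation"}                    # never legitimate over interconnect
CAT2 = {3: "cancelLocation", 4: "provideRoamingNumber",
        7: "insertSubscriberData"}                     # only from an inbound roamer's HPLMN
CAT3 = {2: "updateLocation", 23: "updateGprsLocation",
        56: "sendAuthenticationInfo"}                  # own outbound roamers; plausibility checks

# Constructed tables (assumptions): Global Title prefix -> owning PLMN,
# and a rough centre point for each PLMN used by the velocity check.
GT_OWNER = {"49170": "262-01", "3361": "208-01", "5215": "334-02"}
PLMN_POS = {"262-01": (51.2, 10.4), "208-01": (46.6, 2.2), "334-02": (23.6, -102.5)}
HOME_PLMN = "262-01"      # the network running this filter (assumed)
MAX_KMH = 1000.0          # implied travel speed above this is treated as implausible


@dataclass
class MapMessage:
    opcode: int
    origin_gt: str        # calling-party Global Title, E.164 digits
    imsi: str             # MCC(3) + MNC(2, assumed) + MSIN
    ts: float             # arrival time in seconds


@dataclass
class Verdict:
    action: str           # "ALLOW" or "BLOCK"
    reason: str


def plmn_of_imsi(imsi: str) -> str:
    # All constructed IMSIs use a two-digit MNC; real code needs a MCC/MNC table.
    return f"{imsi[:3]}-{imsi[3:5]}"


def owner_of_gt(gt: str) -> Optional[str]:
    # Longest-prefix match against the ownership table; None = unknown origin.
    for n in range(len(gt), 0, -1):
        if gt[:n] in GT_OWNER:
            return GT_OWNER[gt[:n]]
    return None


def km_between(a, b) -> float:
    # Great-circle (haversine) distance between two (lat, lon) points in km.
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


class SignalingFilter:
    def __init__(self):
        self.last_ul = {}  # imsi -> (visited PLMN, ts) of the last accepted UpdateLocation

    def screen(self, m: MapMessage) -> Verdict:
        origin = owner_of_gt(m.origin_gt)
        sub_plmn = plmn_of_imsi(m.imsi)
        if origin is None:
            return Verdict("BLOCK", "origin GT not owned by any known operator")
        if m.opcode in CAT1:
            return Verdict("BLOCK", f"cat1 {CAT1[m.opcode]} never accepted from interconnect")
        if m.opcode in CAT2:
            # Concerns an inbound roamer served by our VLR; must come from that roamer's HPLMN.
            if sub_plmn == HOME_PLMN:
                return Verdict("BLOCK", f"cat2 {CAT2[m.opcode]} for a home subscriber")
            if origin != sub_plmn:
                return Verdict("BLOCK", f"cat2 {CAT2[m.opcode]} origin {origin} != HPLMN {sub_plmn}")
            return Verdict("ALLOW", f"cat2 {CAT2[m.opcode]} from roamer's HPLMN")
        if m.opcode in CAT3:
            # Concerns one of our own subscribers roaming abroad; our HLR serves nobody else.
            if sub_plmn != HOME_PLMN:
                return Verdict("BLOCK", f"cat3 {CAT3[m.opcode]} for foreign IMSI")
            if m.opcode in (2, 23) and m.imsi in self.last_ul:
                prev_plmn, prev_ts = self.last_ul[m.imsi]
                if prev_plmn != origin:
                    hours = max(m.ts - prev_ts, 1.0) / 3600.0
                    kmh = km_between(PLMN_POS[prev_plmn], PLMN_POS[origin]) / hours
                    if kmh > MAX_KMH:
                        return Verdict("BLOCK", f"implausible travel {kmh:.0f} km/h "
                                                f"{prev_plmn}->{origin}")
            if m.opcode in (2, 23):
                self.last_ul[m.imsi] = (origin, m.ts)
            return Verdict("ALLOW", f"cat3 {CAT3[m.opcode]} plausible")
        return Verdict("ALLOW", "uncategorised operation")


def run_demo() -> list:
    """Constructed traffic: returns the verdict actions in order."""
    f = SignalingFilter()
    own, french = "262011234567890", "208019876543210"
    traffic = [
        MapMessage(71, "33612345678", own, 0),        # ATI probe for location -> cat1
        MapMessage(7, "33612345678", french, 1),      # ISD from French HLR for French roamer
        MapMessage(7, "52155512345", french, 2),      # same ISD but from a Mexican GT
        MapMessage(2, "33612345678", own, 10),        # our subscriber registers in France
        MapMessage(2, "52155512345", own, 610),       # "in Mexico" ten minutes later
        MapMessage(2, "52155512345", own, 43210),     # same, twelve hours later
    ]
    return [f.screen(m).action for m in traffic]


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```

The first two blocks in the demo are what a static firewall already does; the last two show why state is needed: the identical UpdateLocation is rejected at ten minutes and accepted at twelve hours. In a real deployment the ownership table comes from the operator's roaming agreements and number-plan data, Category 2 checks also consult the VLR for the roamer's actual registration, and rejections are logged for the anomaly investigation the text calls for rather than silently dropped.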