Year in Review: Key Insights from the Global Signaling Threat Landscape
Attacks on mobile networks via signaling protocols continue unabated. Over the past year, we have observed attacks across SS7, Diameter, and GTP-C, with increased activity on certain protocols and the emergence of new, sophisticated attack methods. Overall, this highlights that intelligence-driven signaling security remains highly relevant for protecting networks, revenue, and users. Understanding the threat landscape is essential for mobile network operators to ensure their signaling defenses keep pace with evolving threats.
To our clients, we provide threat intelligence with detailed, timely, and actionable insights, helping them proactively strengthen their defenses. This article is a selection and summary of trends our threat intelligence unit has observed during the year.
Probing Attacks Surge on SS7
This year started with unusually high threat activity on SS7, which carried on until summer; since September, activity has again been unusually high. Foremost, we have witnessed an increase in probing attacks, particularly, though not exclusively, targeting SMS infrastructure. Attackers are testing networks for weaknesses that allow them to retrieve IMSIs and other user data. Such reconnaissance attacks typically serve one of two purposes. Either they are a precursor to targeted SS7 attacks, such as interception and location tracking of individuals, or they are used to identify networks vulnerable to grey-route SMS delivery.
One notable aspect of the probing attacks we observed early this year was the large number of spoofed Global Titles (GTs), suggesting a systematic approach. Interestingly, these attacks involved GTs from countries we typically do not see spoofed in probing attacks, such as Cuba and Myanmar. Based on our data, we estimate that at least 75% of all mobile networks worldwide were targeted during this period, though the actual figure could be higher.
GT Spoofing on the Rise
Beyond probing attacks, we have observed a general increase in GT spoofing. This is a particularly concerning development where attackers use spoofed GTs to mask their true origin and evade identification. While this can still be detected and malicious signaling traffic from spoofed GTs can still be blocked on grounds other than its origin, this is nevertheless worrisome. If it is not mitigated, the industry’s recent efforts to tighten GT leasing requirements may be in vain.
GT spoofing is also used to commit fraud against mobile network operators. Typically, rogue SMS aggregators send messages into a network but from a spoofed GT, to make it appear as though the traffic originated elsewhere. This allows the aggregator to avoid termination fees, which are instead billed to the network whose GT was spoofed. We have seen a significant increase in this type of behavior during the year, especially in the Americas and Europe.
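The two SS7 behaviours described above, IMSI-retrieval probing and GT spoofing, both leave patterns that can be checked without trusting the claimed origin. The following is an added example, not code from the original article or from its authors' products: a pair of rule-based checks a signaling firewall or SIEM could run over MAP event records. It flags a GT that queries routing information for many distinct subscribers in a short window (probing), a GT whose claimed country range does not match the interconnect link it arrived on, and our own GT range arriving from an external link (the aggregator fee-shifting pattern). All records, GT prefixes, link names and thresholds are constructed assumptions and would have to be tuned per network.

```python
"""Added example (not from the original article): rule-based checks over
SS7 MAP event records for IMSI-retrieval probing and GT spoofing.
All GT prefixes, link names, events and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MapEvent:
    ts: int            # seconds since start of observation (constructed)
    opcode: str        # MAP operation name, e.g. "sendRoutingInfoForSM"
    calling_gt: str    # SCCP calling party GT, i.e. the claimed origin
    ingress_link: str  # interconnect the message physically arrived on
    msisdn: str        # targeted subscriber


# Assumed reference data: the home network's own GT range, and which
# partner GT prefixes are expected to arrive over which interconnect link.
HOME_GT_PREFIX = "4691"                          # constructed
EXPECTED_LINK_FOR_PREFIX = {                      # constructed
    "3312": "link-carrier-eu",
    "1917": "link-carrier-am",
}
PROBE_MSISDN_THRESHOLD = 3    # distinct MSISDNs per GT per window (assumption)
CAMPAIGN_GT_THRESHOLD = 2     # probing GTs that count as a coordinated sweep
WINDOW_SECONDS = 300


def gt_prefix(gt):
    """Return the known partner prefix a GT falls under, or None."""
    for prefix in EXPECTED_LINK_FOR_PREFIX:
        if gt.startswith(prefix):
            return prefix
    return None


def check_gt_spoofing(events):
    """Flag messages whose claimed origin GT does not fit the link they came in on.
    Returns a sorted list of unique (reason, calling_gt, ingress_link) tuples."""
    findings = set()
    for e in events:
        if e.calling_gt.startswith(HOME_GT_PREFIX) and e.ingress_link != "internal":
            # Our own GT range arriving from outside: the aggregator spoof that
            # makes termination fees land on the spoofed network.
            findings.add(("home-gt-on-external-link", e.calling_gt, e.ingress_link))
            continue
        prefix = gt_prefix(e.calling_gt)
        if prefix is None:
            findings.add(("unknown-gt-prefix", e.calling_gt, e.ingress_link))
        elif EXPECTED_LINK_FOR_PREFIX[prefix] != e.ingress_link:
            findings.add(("gt-link-mismatch", e.calling_gt, e.ingress_link))
    return sorted(findings)


def probing_gts(events, opcode="sendRoutingInfoForSM"):
    """GTs that request routing info for many distinct subscribers in one window.
    A genuine SMSC queries the numbers it is delivering to; a burst of distinct
    MSISDNs from a single GT looks like IMSI harvesting."""
    per_window = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e.opcode == opcode:
            per_window[e.ts // WINDOW_SECONDS][e.calling_gt].add(e.msisdn)
    flagged = set()
    for gts in per_window.values():
        for gt, msisdns in gts.items():
            if len(msisdns) >= PROBE_MSISDN_THRESHOLD:
                flagged.add(gt)
    return sorted(flagged)


def is_campaign(flagged_gts):
    """Several independent GTs probing at once points to a systematic sweep."""
    return len(flagged_gts) >= CAMPAIGN_GT_THRESHOLD


# Constructed sample traffic, not captured data.
SAMPLE_EVENTS = [
    MapEvent(10, "sendRoutingInfoForSM", "33121000001", "link-carrier-eu", "46701000001"),
    MapEvent(12, "sendRoutingInfoForSM", "33121000001", "link-carrier-eu", "46701000002"),
    MapEvent(15, "sendRoutingInfoForSM", "33121000001", "link-carrier-eu", "46701000003"),
    MapEvent(20, "sendRoutingInfoForSM", "53123456", "link-carrier-am", "46701000004"),
    MapEvent(22, "sendRoutingInfoForSM", "53123456", "link-carrier-am", "46701000005"),
    MapEvent(25, "sendRoutingInfoForSM", "53123456", "link-carrier-am", "46701000006"),
    MapEvent(30, "sendRoutingInfoForSM", "19175550001", "link-carrier-eu", "46701000007"),
    MapEvent(40, "mtForwardSM", "46911234567", "link-carrier-am", "46701000008"),
    MapEvent(50, "sendRoutingInfoForSM", "19175550002", "link-carrier-am", "46701000009"),
]

if __name__ == "__main__":
    probes = probing_gts(SAMPLE_EVENTS)
    print("probing GTs:", probes, "campaign:", is_campaign(probes))
    for finding in check_gt_spoofing(SAMPLE_EVENTS):
        print("spoof indicator:", finding)
```

On the sample, the EU GT and the unknown-prefix GT are both flagged as probing and together count as a campaign, the Americas GT arriving over the EU link is a GT/link mismatch, and the message claiming a home-range GT from an external link is the fee-shifting pattern. The point of the link check is the one the article makes: even when the origin is forged, the physical path and the message behaviour still give grounds to block.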
Attacks Continue to Evolve
During the year, we have seen SS7 attack methods continue to evolve. In July, for example, we published findings about a new bypass technique. This was not an isolated event. New methods and attacks continue to emerge, showing that threat actors are far from exhausting the possibilities for exploiting SS7, and that defenses need to adapt accordingly.
Diameter Attacks Remain Relatively Constant
While there is still less activity on Diameter than on SS7, it remains fairly constant. Most observed Diameter attacks involve geolocation attempts or attempts to retrieve user data from the HSS. Interception cases remain rare, though we do occasionally observe such attempts.
Spoofing the originating operator remains a common practice in Diameter, and we observe new variants emerging every year. We have also witnessed cases in which the spoofed network appears to have been deliberately chosen to align with the subscriber's home network, in an attempt to avoid detection.
Cross-protocol attacks, combining Diameter with SS7 activity, were detected again this year, though single-protocol attacks remain more common.
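The last two observations, an Origin-Realm chosen to match the subscriber's own network and attacks that combine Diameter with SS7, can both be checked from the request records an HSS or Diameter edge agent already sees. The following is an added example, not code from the original article or from its authors' products. The first check derives the subscriber's home realm from the IMSI's MCC/MNC in the 3GPP TS 23.003 form and flags requests that present that realm while arriving from a peer that is not ours; a genuine roaming partner signs with its own realm. The second check correlates IMSIs returned by SS7 routing lookups with IMSIs addressed over Diameter inside a time window. Peers, realms, IMSIs (test-network codes 001/01), timestamps and the window length are constructed assumptions.

```python
"""Added example (not from the original article): two defender-side checks
for Diameter, an aligned-realm spoof detector and an SS7/Diameter IMSI
correlation. All peers, realms, IMSIs and timestamps are constructed."""
from dataclasses import dataclass

HOME_MCC, HOME_MNC = "001", "01"      # test-network codes, constructed
INTERNAL_PEERS = {"dra-home-1"}       # our own DRA/MME peers (constructed)
CORRELATION_WINDOW = 600              # seconds (assumption)


@dataclass(frozen=True)
class DiameterRequest:
    ts: int
    command: str        # e.g. "Update-Location-Request" (3GPP S6a)
    origin_realm: str   # claimed originating network (Origin-Realm AVP)
    peer: str           # Diameter peer the request actually came in on
    imsi: str           # subscriber identity (User-Name AVP)


@dataclass(frozen=True)
class Ss7Lookup:
    ts: int
    opcode: str
    imsi: str           # IMSI disclosed by the HLR in the MAP response


def realm_for_imsi(imsi, mnc_digits=2):
    """Home-network realm for an IMSI in the 3GPP TS 23.003 form
    epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org, MNC zero-padded to three digits.
    MNC length is 2 or 3 digits depending on the country; 2 is assumed here."""
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_digits]
    return f"epc.mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org"


def aligned_realm_spoofs(requests):
    """Requests whose Origin-Realm equals the subscriber's own home realm but
    which arrive from a peer that is not one of ours. Claiming the subscriber's
    realm from outside only makes sense as an attempt to blend in with home
    traffic, which is the variant described in the article."""
    return [
        r for r in requests
        if r.peer not in INTERNAL_PEERS and r.origin_realm == realm_for_imsi(r.imsi)
    ]


def cross_protocol_targets(ss7, diameter, window=CORRELATION_WINDOW):
    """IMSIs looked up over SS7 and addressed over Diameter within `window`
    seconds of each other, in either order. A hit is a correlation signal for
    an analyst, not a verdict on its own."""
    ss7_by_imsi = {}
    for s in ss7:
        ss7_by_imsi.setdefault(s.imsi, []).append(s.ts)
    hits = set()
    for d in diameter:
        if any(abs(d.ts - ts) <= window for ts in ss7_by_imsi.get(d.imsi, [])):
            hits.add(d.imsi)
    return sorted(hits)


# Constructed sample records, not captured data.
SS7_SAMPLE = [
    Ss7Lookup(100, "sendRoutingInfoForSM", "001010000000001"),
    Ss7Lookup(130, "sendRoutingInfoForSM", "001010000000004"),
]
DIAMETER_SAMPLE = [
    # external peer presenting our own realm for our subscriber: spoof
    DiameterRequest(400, "Insert-Subscriber-Data-Request",
                    "epc.mnc001.mcc001.3gppnetwork.org", "dea-partner-x", "001010000000001"),
    # roaming partner using its own realm: expected behaviour
    DiameterRequest(410, "Update-Location-Request",
                    "epc.mnc002.mcc002.3gppnetwork.org", "dea-partner-y", "001010000000002"),
    # our own realm from our own peer: fine
    DiameterRequest(420, "Update-Location-Request",
                    "epc.mnc001.mcc001.3gppnetwork.org", "dra-home-1", "001010000000003"),
    # same subscriber as the SS7 lookup, but far outside the window
    DiameterRequest(5000, "Update-Location-Request",
                    "epc.mnc002.mcc002.3gppnetwork.org", "dea-partner-y", "001010000000001"),
]

if __name__ == "__main__":
    for r in aligned_realm_spoofs(DIAMETER_SAMPLE):
        print("aligned-realm spoof from peer", r.peer, "for", r.imsi)
    print("IMSIs hit over both protocols:",
          cross_protocol_targets(SS7_SAMPLE, DIAMETER_SAMPLE))
```

On the sample, only the request from `dea-partner-x` is flagged as an aligned-realm spoof, and only the first IMSI is reported as a cross-protocol target: it was disclosed by an SS7 routing lookup and then addressed over Diameter five minutes later, whereas the request arriving more than an hour later falls outside the window. In production the realm check has to account for three-digit MNCs and for peers such as a hub or IPX that legitimately relay other realms.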
Suspicious Activity on GTP-C
GTP-C remains the least exploited protocol, but early in the year, we observed a peak in IP scanning activity from unexpected sources. Although the yearly volume of events is still comparatively low, these incidents underscore that attackers are testing new channels and developing new attacks, and that no protocol is spared.
Conclusion
SS7 remains the most widely exploited protocol set. One might think this is because Diameter and GTP-C are more secure, but sadly, it is more likely that many networks still lack sufficient SS7 security to prevent attackers from achieving their objectives. We know that many mobile networks worldwide remain unprotected against signaling attacks. In addition, many existing implementations are not resilient against evolving threats, or the operator lacks the monitoring capabilities needed to detect attacks that exploit network misconfigurations. This may explain why we continue to see probing and attempts to bypass firewalls with relatively simple means, such as spoofing GTs.
In a world of increasing conflicts and wars, signaling remains a source of information about critical infrastructure and individuals of interest, extracted through targeted attacks. Still, one can’t help but wonder whether at least some of the increased activity on SS7 is due to increasingly high International Termination Rates for A2P SMS. As prices soar on the operator side, aggregators need to find cheaper alternatives to maintain margins on existing exclusivity agreements and keep the business running. An increased interest in grey routes could explain at least some of the probing and SMS spoofing we have seen lately.
The past year has shown that signaling security is dynamic and increasingly complex, requiring defenses to be adaptable to emerging threats. Most important, though, is to understand what to defend against, and to be able to detect when malicious activity occurs in the network. A threat actor’s best trick is to keep operators from realizing they are under attack. This is why investing in real-time threat intelligence is fundamental to safeguarding networks and subscribers against these evolving threats.