14_real_world_apt_mobile_ops
Part 14: Real-World Attacks — APT & Gang Mobile Infrastructure Operations
Learning Objective: Understand how Advanced Persistent Threat (APT) groups and organized criminal gangs use mobile network infrastructure as a weapon — for long-term surveillance, multi-stage intrusions, extortion pressure, and access-brokering operations — with detailed network diagrams showing each campaign's architecture and propagation.
These five case studies represent the strategic layer of mobile network threats. Unlike the technical attacks in Parts 11–13 (which exploit specific protocols or systems), the attacks here treat mobile networks as operational infrastructure — platforms upon which broader intelligence, criminal, and cyber-warfare campaigns are built. The mobile network is not the final target; it is the means to a larger objective.
Table of Contents
- 16. State-Level Surveillance Campaigns Using Mobile Networks
- 17. APTs Using Mobile Numbers and SMS for High-Value Spear-Phishing
- 18. Ransomware Gangs Leveraging SMS for Extortion Pressure
- 19. Cybercrime-as-a-Service Operations Selling SMS-Based Access
- 20. Coordinated Telecom-Targeted Campaigns to Support Wider Crime
- APT/Gang Operations Summary
- Lab Exercises
Mobile Networks as Operational Infrastructure
The attacks in this section exploit a fundamental reality: mobile networks are deeply integrated into every layer of society. Governments use them for emergency alerts, businesses for authentication, individuals for private communication. This deep integration makes mobile infrastructure uniquely valuable as an attack platform.
graph TB
subgraph "Mobile Network as Attack Platform"
SS7_Layer[🔀 SS7/Diameter
Signaling Layer
Surveillance, location tracking]
SMS_Layer[📨 SMS Layer
Phishing, extortion,
MFA bypass]
Data_Layer[📊 Data Layer
CDRs, subscriber records,
intelligence collection]
Infra_Layer[🏗️ Infrastructure Layer
Carrier systems, portals,
customer tools]
end
subgraph "Threat Actors Using Mobile as Infrastructure"
APT[🔴 APT Groups
State-sponsored
intelligence ops]
Ransomware[🔴 Ransomware Gangs
Extortion pressure
campaigns]
CaaS[🔴 CaaS Operators
Access broker
services]
Organized_Crime[🔴 Organized Crime
Coordinated
telco targeting]
end
subgraph "Strategic Objectives"
Surveillance_Obj[🎯 Long-term Surveillance
Track targets for
months/years]
Intrusion_Obj[🎯 Enterprise Intrusion
Use SMS/phone as
initial access vector]
Extortion_Obj[🎯 Extortion Pressure
SMS as psychological
weapon during incidents]
Access_Obj[🎯 Access Brokering
Sell mobile interception
capabilities to others]
Cascade_Obj[🎯 Cascading Disruption
Compromise telco →
disrupt downstream orgs]
end
APT -->|"Uses"| SS7_Layer
APT -->|"Uses"| Data_Layer
APT --> Surveillance_Obj
APT --> Intrusion_Obj
Ransomware -->|"Uses"| SMS_Layer
Ransomware --> Extortion_Obj
CaaS -->|"Uses"| SS7_Layer
CaaS -->|"Uses"| SMS_Layer
CaaS --> Access_Obj
Organized_Crime -->|"Uses"| Infra_Layer
Organized_Crime --> Cascade_Obj
style APT fill:#ff6666,color:#fff
style Ransomware fill:#ff6666,color:#fff
style CaaS fill:#ff6666,color:#fff
style Organized_Crime fill:#ff6666,color:#fff
16. State-Level Surveillance Campaigns Using Mobile Networks (I)
Executive Summary
Between 2016 and 2024, multiple state intelligence agencies and surveillance vendors operated persistent, multi-year campaigns using SS7 signaling to track dissidents, journalists, and political figures across borders. These campaigns combined location tracking (SRI/PSI), SMS interception, and call metadata collection into integrated surveillance platforms that treated the global mobile network as a sensor grid. The campaigns are significant because they demonstrate that SS7 abuse is not an isolated vulnerability but a strategic intelligence capability actively deployed by nation-states.
Real-World Incident
| Detail | Value |
|---|---|
| When | 2016–2024 (documented by Citizen Lab, EFF, and carrier investigations) |
| Who | State intelligence services; commercial surveillance companies (Circles/NSO Group, Rayzone, others) |
| Targets | Journalists, activists, political opposition, diplomats, lawyers (individual named targets in press reporting remain alleged rather than confirmed) |
| Method | SS7 SRI/PSI for location; UpdateLocation for SMS redirect; CDR access for social graph analysis |
| Scale | Thousands of targets across dozens of countries; surveillance infrastructure deployed in 25+ nations |
| Discovery | Citizen Lab "Running in Circles" report; EFF FOIA and FCC advocacy; carrier anomaly detection |
Network Position — Where the Attack Starts
graph TB
subgraph "Surveillance Vendor Infrastructure"
Platform[🔴 Surveillance Platform
Circles / Rayzone / etc.
Web dashboard for analysts]
SS7_GW[🔴 SS7 Gateway
Connected via partner
operators in multiple countries]
Analytics[🔴 Analytics Engine
Location history,
social graph mapping,
pattern-of-life analysis]
DB[(🔴 Target Database
Watchlists, location
history, communication
patterns)]
end
subgraph "Global SS7 Network"
STP_A[🔀 STP (Country A)]
STP_B[🔀 STP (Country B)]
STP_C[🔀 STP (Country C)]
end
subgraph "Target's Network (Any Country)"
HLR[(🔐 Target HLR)]
MSC[🎛️ Serving MSC]
BTS[📡 Serving Cell]
Target[📱 Target Phone
Journalist / Activist]
end
Platform -->|"Analyst selects target
by phone number"| SS7_GW
SS7_GW -.->|"❌ SRI/PSI/ATI
via multiple countries"| STP_A
SS7_GW -.->|"❌"| STP_B
SS7_GW -.->|"❌"| STP_C
STP_A -.->|"Route query"| HLR
STP_B -.->|"Route query"| HLR
HLR -.->|"Location data"| STP_A
MSC -.->|"Cell-ID, LAC"| STP_A
STP_A -.->|"Response"| SS7_GW
SS7_GW -->|"Location + metadata"| Analytics
Analytics -->|"Store"| DB
DB -->|"Pattern-of-life
report"| Platform
Target -.->|"Connected to cell"| BTS
BTS <--> MSC
MSC <--> HLR
style Platform fill:#ff6666,color:#fff
style SS7_GW fill:#ff6666,color:#fff
style Analytics fill:#ff6666,color:#fff
style DB fill:#ff6666,color:#fff
style STP_A fill:#ffaa66
style STP_B fill:#ffaa66
style STP_C fill:#ffaa66
style HLR fill:#ffaa66
style Target fill:#ffee66
Attack Sequence — Step by Step
sequenceDiagram
participant Analyst as 🔴 Intelligence Analyst
participant Platform as 🔴 Surveillance Platform
participant SS7 as 🔀 SS7 (Multi-country)
participant HLR as 🔐 Target's HLR
participant MSC as 🎛️ Serving MSC
participant Target as 📱 Target Phone
Note over Analyst: Day 1: Target Onboarding
Analyst->>Platform: Add target: +44-7XXX-XXXXXX
(UK journalist phone)
Note over Platform: Automated Initial Profile
Platform->>SS7: MAP SRI-SM (MSISDN=+44-7XXX)
SS7->>HLR: Query
HLR->>SS7: IMSI=234-15-XXXXXXXXX
Serving MSC/VLR=UK-Vodafone
SS7->>Platform: Initial profile built
Note over Platform: Ongoing Surveillance (Automated)
loop Every 15 minutes for months
Platform->>SS7: MAP PSI (IMSI=target)
SS7->>MSC: Location query
MSC->>SS7: Cell-ID=51203, LAC=2100,
Age=3min
SS7->>Platform: Location update
Platform->>Platform: Map Cell-ID → coordinates
Store in location history
end
Note over Platform: Pattern-of-Life Analysis (After Weeks)
Platform->>Analyst: Report generated:
Home: 51.5074°N, 0.1278°W (7PM-7AM)
Office: 51.5155°N, 0.0922°W (9AM-6PM)
Meets source at café: Fri 2PM
Travel: Flew to Istanbul Oct 2
Social graph: Top 5 contacts mapped
Note over Analyst: Intelligence Exploitation
Analyst->>Analyst: Identify source meeting patterns
Plan interception or intervention
Note over Platform: SMS Interception (On-Demand)
Platform->>SS7: MAP UpdateLocation
(redirect target SMS)
SS7->>HLR: Temporarily register
at surveillance MSC
Note over Target: SMS intercepted
for specific time window
Platform->>SS7: Restore original location
(minimize detection)
Technical Deep Dive
How surveillance platforms industrialize SS7:
Unlike the opportunistic SS7 attacks in Part 11, state-level surveillance platforms provide:
| Capability | Implementation |
|---|---|
| Multi-country SS7 access | Connections through operators in 25+ countries for redundancy and to avoid per-country blocking |
| Automated polling | Scheduled PSI queries every 5-15 minutes per target, building continuous location tracks |
| Pattern-of-life analysis | Algorithms that identify home/work locations, daily routines, travel patterns, and anomalies |
| Social graph mapping | Cross-reference CDRs (from insider access or separate capability) to map target's contacts |
| SMS interception windows | Temporary UpdateLocation hijack for specific time periods, then restore — minimizing detection |
| Web dashboard | User-friendly interface for analysts — no SS7 knowledge required to operate |
The Circles connection: Citizen Lab's "Running in Circles" report documented that Circles (affiliated with NSO Group) deployed SS7 surveillance systems in at least 25 countries. The system required only a target's phone number — no malware installation, no physical proximity, no target interaction.
Defense difficulty: Unlike spyware such as Pegasus (which requires device compromise and leaves forensic traces), SS7 surveillance operates entirely at the network layer. The target's phone is never touched: there are no artifacts on the device, no unusual battery drain, no suspicious apps. The only practical detection point is the carrier's signalling edge (STP / SS7 firewall), and then only if the carrier retains and actually analyses its interconnect signalling logs.
Detection Indicators
- Sustained high-frequency SRI/PSI queries for specific IMSIs from foreign Global Titles
- SS7 queries from multiple countries targeting the same subscriber (redundancy pattern)
- Regular polling patterns — query intervals consistent with automated surveillance (every 5/10/15 minutes)
- Temporary UpdateLocation followed by rapid restoration — SMS interception window pattern
- Cross-carrier correlation — same foreign GT querying subscribers on multiple domestic carriers
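The five indicators above are behavioural, not per-message, so a firewall that only inspects one MAP operation at a time will miss them. The following is an added example for this page (not Citizen Lab, GSMA or vendor code) that turns three of the indicators into checks over a constructed, hypothetical signalling export: the record fields `ts`, `op`, `gt`, `cc` (country of the calling Global Title) and `imsi` are assumptions about what an STP or SS7 firewall would log, and every record in `SAMPLE_LOG` is invented.

```python
"""Behavioural SS7 polling detector over constructed signalling records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

HOME_CC = "44"                      # hypothetical home operator: UK
IMSI_T = "234150000000001"          # surveilled subscriber (constructed)
IMSI_B = "234150000000002"          # ordinary roamer (constructed)
LOCATION_OPS = {"provideSubscriberInfo", "sendRoutingInfoForSM", "anyTimeInterrogation"}


def _rec(ts, op, gt, cc, imsi):
    return {"ts": ts, "op": op, "gt": gt, "cc": cc, "imsi": imsi}


T0 = 1_700_000_000
SAMPLE_LOG = (
    # foreign GT in +41 polling one IMSI every 15 minutes: automated location tracking
    [_rec(T0 + i * 900, "provideSubscriberInfo", "41790000001", "41", IMSI_T) for i in range(8)]
    # a second foreign country (+371) querying the same subscriber: multi-country redundancy
    + [_rec(T0 + 100, "sendRoutingInfoForSM", "37120000002", "371", IMSI_T),
       _rec(T0 + 4000, "sendRoutingInfoForSM", "37120000002", "371", IMSI_T)]
    # foreign updateLocation, then the home VLR re-registers 4 minutes later: SMS window
    + [_rec(T0 + 5000, "updateLocation", "41790000001", "41", IMSI_T),
       _rec(T0 + 5240, "updateLocation", "447700900100", "44", IMSI_T)]
    # benign: one-off SRI-SM from a roaming partner, irregular home-network PSI for another IMSI
    + [_rec(T0 + 50, "sendRoutingInfoForSM", "33600000003", "33", IMSI_B),
       _rec(T0 + 70, "provideSubscriberInfo", "447700900100", "44", IMSI_B),
       _rec(T0 + 3200, "provideSubscriberInfo", "447700900100", "44", IMSI_B)]
)


def regular_polling(records, home_cc=HOME_CC, min_samples=6, max_cv=0.15):
    """Foreign GTs issuing location queries to one IMSI at near-constant intervals.

    The coefficient of variation of the inter-query gaps is the regularity measure:
    a scheduler produces gaps with CV close to 0, human-driven lookups do not."""
    by_pair = defaultdict(list)
    for r in records:
        if r["cc"] != home_cc and r["op"] in LOCATION_OPS:
            by_pair[(r["gt"], r["imsi"])].append(r["ts"])
    findings = []
    for (gt, imsi), stamps in by_pair.items():
        if len(stamps) < min_samples:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            findings.append({"gt": gt, "imsi": imsi, "interval_s": round(avg), "samples": len(stamps)})
    return findings


def multi_country_targeting(records, home_cc=HOME_CC, min_countries=2):
    """Subscribers queried from GTs in two or more foreign countries (redundancy pattern)."""
    countries = defaultdict(set)
    for r in records:
        if r["cc"] != home_cc:
            countries[r["imsi"]].add(r["cc"])
    return {imsi: sorted(c) for imsi, c in countries.items() if len(c) >= min_countries}


def interception_windows(records, home_cc=HOME_CC, max_window_s=3600):
    """Foreign updateLocation followed by a home-network updateLocation for the same IMSI
    inside the window: the temporary-hijack-then-restore signature."""
    uls = sorted((r for r in records if r["op"] == "updateLocation"), key=lambda r: r["ts"])
    findings = []
    for i, r in enumerate(uls):
        if r["cc"] == home_cc:
            continue
        for later in uls[i + 1:]:
            if later["imsi"] == r["imsi"] and later["cc"] == home_cc \
                    and later["ts"] - r["ts"] <= max_window_s:
                findings.append({"gt": r["gt"], "imsi": r["imsi"], "window_s": later["ts"] - r["ts"]})
                break
    return findings


def analyse(records, home_cc=HOME_CC):
    return {"polling": regular_polling(records, home_cc),
            "multi_country": multi_country_targeting(records, home_cc),
            "sms_windows": interception_windows(records, home_cc)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

On the sample, `analyse` reports the +41 GT polling IMSI_T every 900 s over 8 samples, the same IMSI being queried from +371 and +41, and a 240 s foreign-to-home UpdateLocation window; the +33 roaming partner's single SRI-SM and the home network's own PSI traffic produce nothing. In production the foreign-UpdateLocation check must be cross-referenced with whether the subscriber is genuinely roaming (a real visited VLR also sends UpdateLocation), and the GT should be checked against the roaming-partner list and FS.11 category before an alert is raised.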
STRIDE Assessment
| Category | Rating | Justification |
|---|---|---|
| Spoofing | Low | Uses legitimate (purchased) SS7 identities |
| Tampering | Low | Temporary HLR modification for SMS interception |
| Repudiation | Critical | No device artifacts; carrier logs rarely audited for this; multinational routing hinders attribution |
| Information Disclosure | Critical | Continuous location tracking, SMS interception, communication pattern mapping for years |
| Denial of Service | N/A | Designed to be invisible — no disruption |
| Elevation of Privilege | N/A | Intelligence collection, not access escalation |
Mitigation
- ✅ SS7 firewall with behavioral analytics — detect polling patterns, not just individual queries
- ✅ GSMA T-ISAC and the FS.11 / FS.07 interconnect security guidelines — industry threat-intelligence sharing plus a baseline of which MAP operations to block or rate-limit from foreign GTs
- ✅ SMS Home Routing (3GPP TR 23.840) — answer SRI-SM with a correlation ID instead of the real IMSI and serving MSC/VLR address, so a foreign GT can neither learn where the subscriber is nor redirect their SMS
- ✅ Migrate to 5G SA — the SEPP on the N32 interface replaces SS7/Diameter for inter-operator signaling, but roaming with legacy networks keeps those stacks alive for years
- ✅ End-to-end encrypted messaging — Signal, WhatsApp (E2EE) defeat SMS interception, provided account registration is protected (Signal registration lock, WhatsApp two-step verification), since the SMS verification of those apps is itself a target of UpdateLocation hijacks
- ⚠️ VIP subscriber protection — enhanced monitoring for high-risk individuals (journalists, activists)
- ⚠️ Multi-SIM / eSIM rotation — changing IMSI makes persistent tracking harder (but inconvenient)
References
- EFF: SS7 is Vulnerable and Telecoms Must Acknowledge It (2024)
- Terrazone: SS7 Security Vulnerabilities, Attacks & Prevention
- Citizen Lab: "Running in Circles — Uncovering the Clients of Cyberespionage Firm Circles" (2020)
- 3GPP TS 29.002: MAP Protocol (SRI, PSI, ATI, UpdateLocation)
- GSMA FS.11: SS7 Interconnect Security Monitoring Guidelines
17. APTs Using Mobile Numbers and SMS for High-Value Spear-Phishing (S, I, E)
Executive Summary
Advanced Persistent Threat groups have incorporated breached mobile subscriber data (phone numbers, carrier information, and account details) as a secondary channel in multi-stage intrusions. Rather than relying solely on email phishing, these groups use SMS to send fake login alerts, MFA prompts, and urgent notifications that herd targets into entering credentials or approving fraudulent authentication requests. The mobile channel is particularly effective because commonly cited marketing figures put SMS open rates near 98% against roughly 20% for email, and carrier data enables extremely convincing personalization.
Real-World Incident
| Detail | Value |
|---|---|
| When | 2020–2024; accelerated after major carrier breaches |
| Who | APT groups (attributed campaigns by multiple nation-states); sophisticated criminal groups |
| Targets | Enterprise executives, IT administrators, government officials, defense contractors |
| Method | Breached phone numbers used for SMS lures that complement or replace email phishing |
| Impact | Initial access to enterprise networks via MFA bypass or credential theft |
| Significance | SMS channel has dramatically higher success rate than email for targeted phishing |
Network Position — Where the Attack Starts
graph TB
subgraph "Reconnaissance (Data Sources)"
Carrier_Breach[📊 Carrier Breach Data
Phone numbers, names,
carriers, plans]
OSINT[🌐 OSINT
LinkedIn, conference talks,
corporate directories]
Prior_Breach[📊 Prior Breach Data
Email, passwords from
other compromises]
end
subgraph "Attack Infrastructure"
SMS_Platform[🔴 SMS Sending Platform
Bulk SMS via A2P
or SIM farm]
Phish_Server[🔴 Phishing Server
Fake SSO portal
(Okta, Azure AD clone)]
MFA_Proxy[🔴 MFA Proxy
Real-time relay of
MFA prompts]
C2[🔴 C2 Server
Receives credentials
and session tokens]
end
subgraph "Mobile Network (Delivery)"
SMSC[📨 SMSC]
BTS[📡 BTS/eNB]
end
subgraph "Target"
Target_Phone[📱 Target Phone
Enterprise admin]
Target_PC[🖥️ Target Workstation]
end
subgraph "Enterprise (Final Objective)"
SSO[☁️ Enterprise SSO
Okta / Azure AD]
Corp_Net[🏢 Corporate Network
Email, repos, data]
end
Carrier_Breach -->|"Phone numbers"| SMS_Platform
OSINT -->|"Target selection"| SMS_Platform
Prior_Breach -->|"Email + password"| C2
SMS_Platform -.->|"❌ SMS lure"| SMSC
SMSC --> BTS
BTS -->|"SMS delivered"| Target_Phone
Target_Phone -.->|"❌ Clicks link"| Phish_Server
Phish_Server -.->|"❌ Proxies to real SSO"| SSO
SSO -->|"MFA challenge"| Target_Phone
Target_Phone -.->|"❌ Approves MFA"| MFA_Proxy
MFA_Proxy -.->|"❌ Session token"| C2
C2 -.->|"❌ Authenticated access"| Corp_Net
style SMS_Platform fill:#ff6666,color:#fff
style Phish_Server fill:#ff6666,color:#fff
style MFA_Proxy fill:#ff6666,color:#fff
style C2 fill:#ff6666,color:#fff
style Target_Phone fill:#ffee66
style SSO fill:#ffee66
style Corp_Net fill:#ffee66
Attack Sequence — Step by Step
sequenceDiagram
participant APT as 🔴 APT Group
participant SMS as 📨 SMS Channel
participant Target as 📱 Target (IT Admin)
participant Phish as 🔴 Phishing Portal
participant RealSSO as ☁️ Real Okta SSO
participant Corp as 🏢 Corporate Network
Note over APT: Phase 1: Target Selection
APT->>APT: Cross-reference carrier breach data
with LinkedIn to identify IT admins
at target organization
Note over APT: Phase 2: SMS Lure
APT->>SMS: Send SMS from "Okta":
"Security alert: Unusual login
detected from Moscow, Russia.
If this wasn't you, secure your
account: okta-secure[.]com/verify"
SMS->>Target: SMS delivered
(appears urgent — from "Okta")
Note over Target: Phase 3: Credential Harvesting
Target->>Phish: Clicks link → sees
perfect Okta login clone
Target->>Phish: Enters email + password
Note over APT: Phase 4: Real-Time MFA Relay
Phish->>RealSSO: Proxy login to real Okta
with victim's credentials
RealSSO->>Target: Push MFA notification:
"Approve login?"
Target->>RealSSO: Approves MFA
(believes it's the security check
from the SMS alert)
RealSSO->>Phish: Authenticated session token
Phish->>APT: Session token captured
Note over APT: Phase 5: Enterprise Compromise
APT->>Corp: Use session token to access:
- Email (exfiltrate data)
- Source code repos
- Admin consoles
- Pivot to internal network
Technical Deep Dive
Why SMS spear-phishing is more effective than email:
| Factor | Email Phishing | SMS Phishing |
|---|---|---|
| Open rate (marketing figures, not measured for phishing) | ~20% | ~98% |
| Response time | Hours | Minutes |
| Security controls | Email gateways, DMARC, link scanning | Minimal — no equivalent of email security stack |
| User trust | Declining (users trained to be suspicious) | Higher (SMS perceived as more legitimate) |
| Personalization | Name, email from OSINT | Name, carrier, phone details from breach data |
| MFA interaction | Separate channel (phone) | Same device — creates urgency loop |
The MFA prompt relay (AiTM) technique: When the SMS lure brings the victim to the phishing portal and they enter credentials, the APT's server simultaneously logs into the real SSO. The real SSO sends an MFA prompt to the victim's phone. The victim, already primed by the "security alert" SMS, approves the prompt, believing they are securing their account. This is distinct from MFA fatigue (push bombing), where the attacker already holds the password and spams prompts until one is approved; here a single, expected prompt is approved. The technique is called "MFA relay" or "adversary-in-the-middle (AiTM)" phishing, and the "perfect clone" is usually a transparent reverse proxy of the real login page rather than a static copy, which is why it renders perfectly and can capture the session cookie issued after MFA.
Post-compromise actions: Once the APT has an authenticated session token, they typically:
- Add their own MFA device — persistence even if victim changes password
- Create mailbox rules — forward copies of sensitive emails to attacker
- Access admin consoles — if target has admin privileges
- Exfiltrate data — email, documents, source code
- Pivot — use VPN or cloud resources to access internal network
Detection Indicators
- SMS from spoofed sender IDs matching corporate SSO providers (Okta, Azure AD, Duo)
- Login attempts from unexpected IP ranges immediately following SMS campaign delivery
- MFA approvals for logins that the user didn't initiate — user approves prompt triggered by attacker
- New MFA device registration shortly after successful authentication
- Session token use from different IP than authentication IP — token stolen and replayed
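Three of the indicators above (new-IP login, factor enrolment soon after login, and session use from an IP other than the authenticating one) can be correlated from an identity provider's system log without any SMS telemetry. The following is an added example for this page, not Okta, Microsoft or Mandiant code: the event names, IP addresses and the 30-day baseline are constructed stand-ins for what an IdP log and a SIEM lookup would provide.

```python
"""Identity-log correlation for AiTM / SMS-lure intrusions over constructed events (added example)."""
from collections import defaultdict

# Constructed 30-day baseline of source IPs per user, as a SIEM enrichment would supply
BASELINE_IPS = {"admin.alice": {"203.0.113.10"}, "bob": {"198.51.100.7"}}

SAMPLE_EVENTS = [
    # bob: ordinary login from his usual workstation
    {"ts": 0,   "user": "bob",         "event": "login.success",     "ip": "198.51.100.7"},
    {"ts": 6,   "user": "bob",         "event": "mfa.push.approved", "ip": "198.51.100.7"},
    {"ts": 90,  "user": "bob",         "event": "session.use",       "ip": "198.51.100.7"},
    # alice: credentials proxied from the phishing host (192.0.2.44), push approved from her
    # phone, attacker enrols a new factor, then replays the captured session from C2
    {"ts": 100, "user": "admin.alice", "event": "login.success",     "ip": "192.0.2.44"},
    {"ts": 107, "user": "admin.alice", "event": "mfa.push.approved", "ip": "100.64.5.21"},
    {"ts": 400, "user": "admin.alice", "event": "mfa.factor.enroll", "ip": "192.0.2.44"},
    {"ts": 900, "user": "admin.alice", "event": "session.use",       "ip": "198.18.0.9"},
]


def analyse_logins(events, baseline_ips, enroll_window_s=600, session_window_s=3600):
    """Score every successful login by what follows it in the same user's event stream."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        known = baseline_ips.get(user, set())
        for i, e in enumerate(evs):
            if e["event"] != "login.success":
                continue
            later = evs[i + 1:]
            reasons = []
            if e["ip"] not in known:
                reasons.append("login_from_unseen_ip")
            if any(x["event"] == "mfa.factor.enroll" and x["ts"] - e["ts"] <= enroll_window_s
                   for x in later):
                reasons.append("factor_enrolled_after_login")      # attacker persistence step
            if any(x["event"] == "session.use" and x["ip"] != e["ip"]
                   and x["ts"] - e["ts"] <= session_window_s for x in later):
                reasons.append("session_used_from_other_ip")      # stolen token replayed
            if reasons:
                findings.append({"user": user, "ts": e["ts"], "ip": e["ip"], "reasons": reasons,
                                 "severity": "high" if len(reasons) >= 2 else "low"})
    return findings


if __name__ == "__main__":
    for f in analyse_logins(SAMPLE_EVENTS, BASELINE_IPS):
        print(f)
```

The new-IP rule alone is noisy (travel, VPN egress changes), so a finding is only rated high when two signals coincide. The strongest single signal is the last one: a session used from an address other than the one that authenticated, which is exactly the token replay the page describes, and it is what IdP features such as session binding to client IP or device are meant to break.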
STRIDE Assessment
| Category | Rating | Justification |
|---|---|---|
| Spoofing | Critical | APT impersonates corporate SSO via SMS; MFA relay spoofs legitimate auth |
| Tampering | N/A | No data modification |
| Repudiation | High | SMS attribution difficult; phishing infrastructure disposable |
| Information Disclosure | Critical | Enterprise credentials, session tokens, and ultimately corporate data exposed |
| Denial of Service | N/A | Not applicable |
| Elevation of Privilege | Critical | IT admin account compromise → enterprise-wide access |
Mitigation
- ✅ FIDO2/WebAuthn (phishing-resistant MFA) — the browser places the origin it is on into the signed client data and the credential is scoped to the relying party ID, so an assertion produced on a phishing domain fails verification and cannot be relayed through the proxy
- ✅ Number matching for push MFA — require the user to enter a number shown on the login screen; this defeats blind approval and push bombing, but not a real-time AiTM proxy, which simply displays the number from the proxied page
- ✅ Conditional access policies — block logins from untrusted IPs/devices even with valid credentials
- ✅ Security awareness training specifically targeting SMS lures (not just email)
- ✅ EDR/SIEM correlation — alert when MFA approval coincides with login from unusual IP
- ⚠️ SMS sender ID filtering — carrier-level blocking of spoofed corporate brand names
- ⚠️ Out-of-band verification — require users to call IT helpdesk before acting on security alerts
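Why the first mitigation holds where the SMS-primed push approval fails is easiest to see in code. The following is an added example for this page, not Okta's or any WebAuthn library's code. It keeps the WebAuthn data layout (authenticatorData = rpIdHash || flags || signCount, signed together with SHA-256 of clientDataJSON) but replaces the authenticator's asymmetric signature with an HMAC under a per-credential secret so it runs on the standard library alone; `company.okta.com` and `okta-secure.example` are hypothetical stand-ins for the real SSO and the lure domain.

```python
"""Origin binding in a WebAuthn assertion versus an SMS OTP (added example, HMAC stands in for the key's signature)."""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "company.okta.com"                      # hypothetical relying party ID
RP_ORIGIN = "https://company.okta.com"
PHISH_ORIGIN = "https://okta-secure.example"    # stands in for the lure domain in the text


def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class Authenticator:
    """Stand-in security key holding one credential for RP_ID."""

    def __init__(self):
        self.cred_secret = os.urandom(32)   # a real key holds a private key; the RP a public key

    def get_assertion(self, rp_id, client_data_json):
        # authenticatorData = rpIdHash(32) || flags(1, UP set) || signCount(4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.cred_secret, to_sign, hashlib.sha256).digest()


def browser_client_data(challenge, origin):
    # The BROWSER fills in the origin it is actually on; page JavaScript cannot override it.
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                      separators=(",", ":")).encode()


def relying_party_verify(cred_secret, challenge, client_data_json, auth_data, sig):
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data_json).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def login(authn, origin_seen_by_browser):
    """Whole ceremony: RP challenge -> browser clientData -> key assertion -> RP verification.

    A real browser would already refuse to use a company.okta.com credential from the
    phishing origin; the simulation skips that so the RP-side rejection is visible."""
    challenge = b64url(os.urandom(32))          # the proxy forwards the RP's genuine challenge
    cdj = browser_client_data(challenge, origin_seen_by_browser)
    auth_data, sig = authn.get_assertion(RP_ID, cdj)
    return relying_party_verify(authn.cred_secret, challenge, cdj, auth_data, sig)


def sms_otp_relay():
    """Contrast: an SMS OTP carries no origin, so the proxy just forwards the digits."""
    otp = f"{int.from_bytes(os.urandom(3), 'big') % 1_000_000:06d}"
    typed_into_clone = otp                       # victim reads the SMS and types it on the lure page
    return typed_into_clone == otp               # the real service cannot tell who typed it


if __name__ == "__main__":
    key = Authenticator()
    print("direct   :", login(key, RP_ORIGIN))
    print("via proxy:", login(key, PHISH_ORIGIN))
    print("SMS OTP relayed:", sms_otp_relay())
```

The proxy can forward the challenge and even the whole login page, but it cannot rewrite the origin the victim's browser records, and that origin is under the signature; the same assertion replayed to the real relying party fails with an origin mismatch. An OTP has no such binding, which is why the sequence diagram above succeeds with push or SMS factors and would not with a security key.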
References
- AccountableHQ: T-Mobile Data Breach — Real-World Scenarios
- Microsoft Threat Intelligence: AiTM Phishing Campaign Analysis (2022–2023)
- Mandiant: APT campaigns incorporating SMS as initial access vector
- NIST SP 800-63B: Digital Identity Guidelines (phishing-resistant authenticators)
18. Ransomware Gangs Leveraging SMS for Extortion Pressure (S, D)
Executive Summary
Ransomware crews including Conti, BlackCat/ALPHV, and others have adopted SMS as a direct pressure channel during active attacks. Using employee phone lists harvested from breached company data, HR systems, or leaked carrier databases, they send threatening messages directly to employees, partners, and even customers — escalating psychological pressure, complicating incident response, and sometimes bypassing traditional communication channels that the security team may have locked down.
Real-World Incident
| Detail | Value |
|---|---|
| When | 2021–2024; escalating tactic |
| Who | Conti, BlackCat/ALPHV, Royal, Scattered Spider, and other ransomware/extortion groups |
| Targets | Employees, board members, partners, and customers of ransomware victim organizations |
| Method | Bulk SMS to personal phones using harvested employee directories and phone lists |
| Impact | Psychological pressure, panic, distrust of IT response, premature ransom payment |
| Context | SMS used alongside data leak threats, dark web publication, and media notification |
Network Position — Where the Attack Starts
graph TB
subgraph "Ransomware Attack (Already In Progress)"
Encrypted_Infra[🔒 Encrypted Corporate
Infrastructure
(servers, endpoints)]
Exfil_Data[🔴 Exfiltrated Data
Employee directory,
HR records, phone lists]
end
subgraph "Extortion SMS Infrastructure"
SMS_Platform[🔴 Bulk SMS Sender
Burner SIMs / VoIP /
Compromised A2P]
Threat_Template[🔴 Threat Messages
"We have your company's
data. Your SSN is XXXX.
Tell your CEO to pay."]
end
subgraph "SMS Delivery"
SMSC[📨 SMSC]
BTS[📡 BTS/eNB]
end
subgraph "Targets of Pressure"
Employee[📱 Employee Phones
Personal numbers]
Executive[📱 Executive Phones
Board members]
Partner[📱 Partner/Vendor
Business contacts]
Customer[📱 Customer Phones
If customer DB accessed]
end
subgraph "Desired Outcome"
Panic[😰 Organizational Panic
Employees pressure
leadership to pay]
Payment[💰 Ransom Payment
$1M–$50M in crypto]
end
Exfil_Data -->|"Phone lists"| SMS_Platform
SMS_Platform -->|"Bulk SMS"| SMSC
SMSC --> BTS
BTS --> Employee
BTS --> Executive
BTS --> Partner
BTS --> Customer
Employee -.->|"Pressure on"| Panic
Executive -.->|"Pressure on"| Panic
Partner -.->|"Pressure on"| Panic
Panic -.->|"Drives"| Payment
style SMS_Platform fill:#ff6666,color:#fff
style Threat_Template fill:#ff6666,color:#fff
style Exfil_Data fill:#ff6666,color:#fff
style Encrypted_Infra fill:#ff6666,color:#fff
style Panic fill:#ffaa66
style Employee fill:#ffee66
style Executive fill:#ffee66
Attack Sequence — Step by Step
sequenceDiagram
participant Gang as 🔴 Ransomware Gang
participant Infra as 🏢 Victim's Infrastructure
participant SMS as 📨 SMS Channel
participant Employee as 📱 Employee (Personal)
participant CISO as 🛡️ CISO / IR Team
participant CEO as 👔 CEO / Board
Note over Gang,Infra: Phase 1: Initial Compromise + Data Theft (Days/Weeks Prior)
Gang->>Infra: Compromise network, deploy ransomware
Gang->>Gang: Exfiltrate: Employee directory,
HR database (names, personal phones,
SSN/tax IDs, salaries)
Note over Gang: Phase 2: Ransomware Detonation
Gang->>Infra: Encrypt servers + endpoints
Gang->>CISO: Ransom note: "Pay $10M BTC
within 72 hours or data published"
Note over CISO: IR team activated; begins
containment and recovery
Note over Gang: Phase 3: SMS Pressure Campaign (12-24h after detonation)
Gang->>SMS: Send to 5,000 employee personal phones:
"This is [gang name]. Your employer
[company] refused to protect your data.
Your SSN [XXXX] and salary [$XXX,XXX]
will be published tomorrow. Tell your
CEO to pay."
SMS->>Employee: SMS arrives on personal phone
Employee->>CISO: "I got a text from hackers!
They have my SSN! What's going on?!"
Note over CISO: IR team overwhelmed with
employee panic calls + messages
instead of focusing on recovery
Note over Gang: Phase 4: Escalation
Gang->>SMS: Send to CEO personal phone:
"We know you're stalling. Pay now
or we contact your customers next."
SMS->>CEO: Direct pressure on leadership
Gang->>SMS: Send to partner/vendor contacts:
"Your business partner [company]
has been breached. Your shared data
may be compromised."
SMS->>Employee: Partner contacts victim company:
"Are you breached? Our data safe?"
Note over CEO: CEO pressures CISO:
"Can we just pay them?"
Technical Deep Dive
Why SMS amplifies ransomware impact:
| Traditional Ransomware Pressure | SMS-Enhanced Pressure |
|---|---|
| Ransom note on encrypted systems | Direct message to every employee's personal phone |
| Dark web data leak site | Personalized threats with victim's own SSN/salary |
| Media notification | Partners and customers contacted directly |
| Affects IT team | Creates organization-wide panic that distracts IR team |
| Negotiation via Tor chat | Multi-channel pressure that's harder to manage |
The Scattered Spider example: This group (tracked as UNC3944, Octo Tempest) is notable for combining:
- SIM swapping (Attack #7) to bypass MFA during initial access
- SMS phishing to employees during intrusion for credential harvesting
- SMS threats to employees during extortion for pressure amplification
- Phone calls to IT helpdesk impersonating employees to get password resets
This represents the most complete integration of mobile channels into the attack lifecycle.
Data used for personalization (from exfiltrated HR systems):
| Field | Pressure Use |
|---|---|
| Full name | Personalize threat message |
| Personal phone | Deliver message outside corporate controls |
| SSN / Tax ID | Prove data possession; maximize fear |
| Salary | Embarrassment risk; show depth of access |
| Home address | Implicit physical threat |
| Emergency contact | Potential secondary targeting |
Detection Indicators
- Cluster of employee reports about threatening SMS messages with insider knowledge
- Unusual bulk SMS traffic from burner numbers to employee personal phones
- SMS content referencing specific breach details (SSNs, salaries, internal project names)
- Employee panic spike on internal communication channels (Slack, Teams) during active incident
- Media or partner inquiries triggered by SMS messages sent to external contacts
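The first and third indicators above are what the IR team actually has to work with: a pile of forwarded screenshots from frightened employees. The following is an added example for this page, not code from any IR vendor, showing how to turn those reports into a campaign picture: cluster messages generated from one template, collect sender numbers for the carrier block request, and confirm whether the quoted SSN digits really match the employee's HR record. Reports, sender numbers, the company and gang names and the HR values are all constructed; the script compares keyed hashes of SSN last-4 rather than raw values, an assumption about how the HR export should be handed to responders.

```python
"""Triage of employee-reported extortion SMS during an incident (added example, constructed data)."""
import hashlib
import hmac
import re
from collections import defaultdict

TRIAGE_KEY = b"ir-case-0042-triage-key"   # hypothetical per-case key held only by the IR team


def last4_tag(last4):
    return hmac.new(TRIAGE_KEY, last4.encode(), hashlib.sha256).hexdigest()


# HR export reduced to keyed hashes of SSN last-4 per employee (constructed)
HR_LAST4_TAGS = {"alice": last4_tag("1234"), "carol": last4_tag("5678"), "dave": last4_tag("9012")}

REPORTS = [
    {"reporter": "alice", "sender": "+15550100001",
     "text": "This is RansomCrew. Your employer Acme refused to protect your data. Your SSN 1234 "
             "and salary $85,000 will be published tomorrow. Tell your CEO to pay."},
    {"reporter": "carol", "sender": "+15550100002",
     "text": "This is RansomCrew. Your employer Acme refused to protect your data. Your SSN 4321 "
             "and salary $72,500 will be published tomorrow. Tell your CEO to pay."},
    {"reporter": "dave", "sender": "+15550100001",
     "text": "This is RansomCrew. Your employer Acme refused to protect your data. Your SSN 9012 "
             "and salary $110,000 will be published tomorrow. Tell your CEO to pay."},
    {"reporter": "erin", "sender": "+15550100777",   # unrelated commodity smish reported the same day
     "text": "USPS: your package 7719 is held. Confirm address at http://example.invalid/track"},
]


def template_of(text):
    """Collapse digits and URLs so messages generated from one template cluster together."""
    t = re.sub(r"https?://\S+", "<url>", text.lower())
    return re.sub(r"\d[\d,]*", "#", t)


def cluster_reports(reports):
    clusters = defaultdict(lambda: {"reports": 0, "senders": set(), "reporters": []})
    for r in reports:
        c = clusters[template_of(r["text"])]
        c["reports"] += 1
        c["senders"].add(r["sender"])
        c["reporters"].append(r["reporter"])
    return {tpl: {"reports": c["reports"], "senders": sorted(c["senders"]), "reporters": c["reporters"]}
            for tpl, c in clusters.items()}


def quoted_last4(text):
    m = re.search(r"SSN\D{0,10}(\d{4})", text)
    return m.group(1) if m else None


def confirms_hr_data(report, hr_tags=HR_LAST4_TAGS):
    """True when the digits quoted to this reporter match that employee's real HR record."""
    last4 = quoted_last4(report["text"])
    tag = hr_tags.get(report["reporter"])
    return bool(last4 and tag and hmac.compare_digest(last4_tag(last4), tag))


def triage(reports):
    """One row per template: volume, sender numbers to block, and whether the data is real."""
    rows = []
    for tpl, c in cluster_reports(reports).items():
        confirmed = sum(confirms_hr_data(r) for r in reports if template_of(r["text"]) == tpl)
        rows.append({"template": tpl[:60], "reports": c["reports"], "senders": c["senders"],
                     "hr_data_confirmed": confirmed,
                     "campaign": c["reports"] >= 2 and confirmed > 0})
    return rows


if __name__ == "__main__":
    for row in triage(REPORTS):
        print(row)
```

On the sample, the three RansomCrew messages collapse to one template from two sender numbers, and two of the three quoted last-4 values match HR records (carol's does not, which is worth knowing: gangs sometimes pad real data with guesses). The confirmed count tells leadership whether the HR extract was genuinely taken, and the sender list is what goes to the carrier and to the employee-facing notice.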
STRIDE Assessment
| Category | Rating | Justification |
|---|---|---|
| Spoofing | Medium | Gang impersonates a credible threat actor (they are one, but may exaggerate capabilities) |
| Tampering | N/A | No network data modification |
| Repudiation | High | Burner SMS infrastructure; disposable numbers |
| Information Disclosure | N/A | Data already exfiltrated; SMS is the pressure channel |
| Denial of Service | High | Disrupts IR operations by creating organizational panic and diverting resources |
| Elevation of Privilege | N/A | Not applicable (already has data access) |
Mitigation
- ✅ Incident communication plan — pre-established channels for employee updates during incidents (not dependent on compromised infrastructure)
- ✅ Employee education — train employees to report threatening SMS to IR team, not engage or spread panic
- ✅ Data minimization — limit personal data (SSN, salary) stored in accessible HR systems; encrypt sensitive fields
- ✅ Network segmentation — HR/payroll systems isolated to prevent easy exfiltration during breach
- ✅ IR playbook for SMS extortion — specific response procedures for SMS pressure campaigns
- ⚠️ Personal phone number protection — employees use work-issued numbers; personal numbers not in HR system (hard to enforce)
- ⚠️ Carrier cooperation — request carriers to block bulk SMS from known extortion numbers (slow process)
References
- TechTarget: The Biggest Ransomware Attacks in History
- CrowdStrike: Scattered Spider / UNC3944 Threat Profile
- Mandiant: Multi-channel extortion tactics in modern ransomware
- CISA: #StopRansomware Advisory Series
19. Cybercrime-as-a-Service Operations Selling SMS-Based Access (S, I, E)
Executive Summary
A mature cybercrime-as-a-service (CaaS) ecosystem has emerged around SMS interception and OTP theft, where specialized operators control mobile interception infrastructure (SS7 gateways, SIM farms, malware fleets) and rent this capability to other criminal gangs, APT groups, and individual fraudsters. This represents the industrialization of mobile network exploitation, with clear role specialization: the infrastructure operators build and maintain the interception capability; their customers use it for account takeover, fraud, and espionage.
Real-World Incident
| Detail | Value |
|---|---|
| When | Ecosystem matured 2019–2024; ongoing |
| Who | Specialized CaaS operators; customers include fraud gangs, APTs, and individuals |
| Services | OTP interception, number rental, SMS forwarding, SIM swap-as-a-service |
| Infrastructure | 107,000+ SMS-stealer malware samples observed; SIM farms in 50+ countries; SS7 gateway access |
| Pricing | $0.50–$50 per OTP depending on method and target |
| Economy | Estimated hundreds of millions USD annually |
Network Position — Where the Attack Starts
graph TB
subgraph "CaaS Infrastructure Layer"
SS7_Op[🔴 SS7 Operator
Leased signaling access
via partner telcos]
SIM_Op[🔴 SIM Farm Operator
Physical SIM banks
in 50+ countries]
Malware_Op[🔴 Malware Operator
SMS-stealer fleet on infected
Android devices (107K+ samples)]
Insider_Op[🔴 Insider Broker
Recruited carrier
employees for SIM swaps]
end
subgraph "Service Aggregation Layer"
Aggregator[🔴 CaaS Aggregator
Combines all methods
into unified API/bot]
API[🔴 REST API
Programmatic access
for bulk operations]
Telegram_Bot[🔴 Telegram Bot
Self-service OTP
purchase and delivery]
Web_Panel[🔴 Web Dashboard
Account management,
order history, wallet]
end
subgraph "Customer Segments"
Fraud_Gang[👤 Fraud Gangs
Banking ATO,
carding]
APT_Customer[👤 APT Groups
Initial access,
MFA bypass]
Individual[👤 Individual
Criminals
Social media, email]
Reseller[👤 Resellers
White-label the
service for markup]
end
subgraph "Mobile Networks (Exploited)"
Network_A[📡 Carrier A]
Network_B[📡 Carrier B]
Network_C[📡 Carrier C]
end
SS7_Op -->|"SS7 interception
capability"| Aggregator
SIM_Op -->|"Number rental
capability"| Aggregator
Malware_Op -->|"Device SMS
theft capability"| Aggregator
Insider_Op -->|"SIM swap
capability"| Aggregator
Aggregator --> API
Aggregator --> Telegram_Bot
Aggregator --> Web_Panel
Fraud_Gang -->|"$$"| API
APT_Customer -->|"$$"| Telegram_Bot
Individual -->|"$$"| Web_Panel
Reseller -->|"$$"| API
SS7_Op -.->|"❌"| Network_A
SIM_Op -.->|"Legitimate
SIM activation"| Network_B
Malware_Op -.->|"❌ Infected
devices"| Network_C
style SS7_Op fill:#ff6666,color:#fff
style SIM_Op fill:#ff6666,color:#fff
style Malware_Op fill:#ff6666,color:#fff
style Insider_Op fill:#ff6666,color:#fff
style Aggregator fill:#ff6666,color:#fff
style API fill:#ff6666,color:#fff
style Telegram_Bot fill:#ff6666,color:#fff
style Web_Panel fill:#ff6666,color:#fff
Attack Sequence — Step by Step
sequenceDiagram
participant Customer as 👤 Criminal Customer
participant CaaS as 🔴 CaaS Platform
participant Router as 🔴 Method Router
participant SS7 as 🔴 SS7 Gateway
participant SIM as 🔴 SIM Farm
participant Malware as 🔴 Malware Fleet
participant Network as 📡 Mobile Network
participant Service as 🏦 Target Service
Note over Customer: Scenario: Account Takeover
of specific victim's bank account
Customer->>CaaS: Request: Intercept OTP for
+1-555-0123 (US/T-Mobile)
Service: Chase Bank
CaaS->>Router: Route request to
best available method
alt Method 1: SS7 (Premium — $20)
Router->>SS7: SRI-SM for +1-555-0123
(learn IMSI + serving MSC), then
MAP UpdateLocation for that IMSI
SS7->>Network: Redirect victim's SMS
Service->>Network: Send OTP SMS
Network->>SS7: SMS intercepted
SS7->>CaaS: OTP: 847291
else Method 2: Malware (Standard — $5)
Router->>Malware: Check if device
+1-555-0123 is infected
Malware->>Malware: Device found in fleet!
Service->>Network: Send OTP SMS
Network->>Malware: SMS delivered to device
Malware->>CaaS: OTP forwarded: 847291
else Method 3: SIM Farm (New Number Only — $1)
Router->>SIM: Allocate US number
SIM->>CaaS: Number: +1-555-9999
Note over Customer: Can only use for new
account creation (not ATO)
end
CaaS->>Customer: OTP: 847291
(delivered in <60 seconds)
Customer->>Service: Enter OTP → access granted
Technical Deep Dive
The CaaS supply chain follows a clear hierarchy:
Tier 1: Infrastructure Operators (High Barrier to Entry)
├── SS7 gateway operators (need telco relationships)
├── SIM farm operators (need physical infrastructure in multiple countries)
├── Malware developers (need Android exploitation expertise)
└── Insider brokers (need carrier employee relationships)
Tier 2: Service Aggregators (Medium Barrier)
├── Platform operators who combine Tier 1 capabilities
├── API/bot developers who build customer interfaces
└── Payment processors (crypto wallets, mixing services)
Tier 3: Resellers (Low Barrier)
├── White-label the Tier 2 service under their own brand
├── Mark up prices 50-200%
└── Handle customer support for their buyers
Tier 4: End Customers (No Barrier)
├── Fraud gangs
├── APT groups
├── Individual criminals
└── "Script kiddies" — no technical skill needed
Economic scale: Based on pricing observed in the wild:
| Method | Price/OTP | Volume/Day | Est. Daily Revenue |
|---|---|---|---|
| SS7 interception | $20–$50 | ~100 | $2,000–$5,000 |
| Malware fleet | $2–$5 | ~5,000 | $10,000–$25,000 |
| SIM farm | $0.50–$2 | ~50,000 | $25,000–$100,000 |
| Combined | — | — | $37K–$130K/day |
Resilience: The service continues operating even when individual components are disrupted because:
- Multiple independent SS7 access points across different countries
- SIM farm hardware is cheap and easily replaced
- Malware fleet is self-replenishing through ongoing distribution
- Customer-facing infrastructure (bots, portals) is easily redeployed
Detection Indicators
- Service-side: OTP verification patterns inconsistent with legitimate user behavior (instant use, different device fingerprint)
- Carrier-side: Numbers exhibiting SIM farm behavior (receive-only, no outgoing calls, high OTP volume)
- SS7 firewall: Interception patterns matching commercial service schedules (business hours, regular intervals)
- Malware detection: Infected devices forwarding SMS to known C2 domains
- Law enforcement: Monitoring dark web forums and Telegram channels advertising SMS services
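The two indicators a service and a carrier can act on themselves (instant OTP use on a different device, and receive-only numbers soaking up verification traffic) are easy to turn into detection logic. The following is an added example, not code from the original page or from any of the vendors named above; the event records, field names (`request_device`, `inbound_a2p_sms`, …) and thresholds are constructed assumptions about what a verification service and a carrier would log.

```python
"""Detection heuristics for the service-side and carrier-side OTP-abuse indicators
listed above. Added example, not code from the original page; the event records
and the field names (request_device, inbound_a2p_sms, ...) are constructed
assumptions about what a verification service and a carrier log."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class OtpEvent:
    """One OTP send/verify pair as an authentication service would record it."""
    phone: str
    request_device: str   # fingerprint of the device that requested the code
    verify_device: str    # fingerprint of the device that submitted the code
    sent_at: datetime
    used_at: datetime


def otp_indicators(ev: OtpEvent, min_human_seconds: float = 5.0) -> List[str]:
    """Return the service-side indicator names that fire for one verification."""
    flags = []
    delay = (ev.used_at - ev.sent_at).total_seconds()
    # A person has to read the SMS and type the digits; use within a few
    # seconds of sending points to the code being relayed automatically.
    if delay < min_human_seconds:
        flags.append("instant_use")
    # The code was requested on one device fingerprint and consumed on another.
    if ev.request_device != ev.verify_device:
        flags.append("device_mismatch")
    return flags


@dataclass
class NumberActivity:
    """Per-number daily activity as a carrier could derive it from its CDRs."""
    msisdn: str
    inbound_a2p_sms: int   # messages from application / short-code senders
    outbound_sms: int
    outbound_calls: int
    inbound_calls: int


def sim_farm_score(act: NumberActivity) -> int:
    """Carrier-side heuristic: receive-only numbers that soak up OTP traffic."""
    score = 0
    if act.outbound_calls == 0 and act.outbound_sms == 0:
        score += 2   # never originates anything
    if act.inbound_calls == 0:
        score += 1   # nobody ever calls it: not a person's number
    if act.inbound_a2p_sms >= 50:
        score += 2   # dozens of verification codes per day
    human_traffic = act.inbound_calls + act.outbound_calls + act.outbound_sms
    if act.inbound_a2p_sms > 10 * max(1, human_traffic):
        score += 1   # A2P volume dwarfs everything else on the line
    return score


def flag_sim_farm_numbers(acts: List[NumberActivity], threshold: int = 4) -> List[str]:
    """MSISDNs whose score reaches the review threshold."""
    return [a.msisdn for a in acts if sim_farm_score(a) >= threshold]


# Constructed sample data (not real numbers or fingerprints).
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_OTP_EVENTS = [
    OtpEvent("+15550100001", "dev-A", "dev-A", T0, T0 + timedelta(seconds=40)),
    OtpEvent("+15550100002", "dev-A", "dev-B", T0, T0 + timedelta(seconds=3)),
    OtpEvent("+15550100003", "dev-A", "dev-C", T0, T0 + timedelta(seconds=25)),
]
SAMPLE_ACTIVITY = [
    NumberActivity("+15550200001", inbound_a2p_sms=120, outbound_sms=0, outbound_calls=0, inbound_calls=0),
    NumberActivity("+15550200002", inbound_a2p_sms=4, outbound_sms=30, outbound_calls=12, inbound_calls=9),
    NumberActivity("+15550200003", inbound_a2p_sms=60, outbound_sms=5, outbound_calls=3, inbound_calls=2),
]

if __name__ == "__main__":
    for ev in SAMPLE_OTP_EVENTS:
        print(ev.phone, otp_indicators(ev) or "clean")
    print("SIM-farm candidates:", flag_sim_farm_numbers(SAMPLE_ACTIVITY))
```

The scoring is deliberately additive so that a heavy but real user (third sample: many codes, but also calls and outgoing messages) stays below the threshold while a line that only ever receives A2P traffic is surfaced for review; in production the thresholds would be tuned against the carrier's own baseline rather than the constants used here.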
STRIDE Assessment
| Category | Rating | Justification |
|---|---|---|
| Spoofing | Critical | Enables mass identity spoofing across 600+ services |
| Tampering | N/A | No data modification |
| Repudiation | Critical | Multi-layered anonymization: crypto payments, Telegram, rotating infrastructure |
| Information Disclosure | Critical | OTPs for banking, email, cloud services exposed on demand |
| Denial of Service | Low | Individual subscriber service rarely disrupted |
| Elevation of Privilege | Critical | Direct path to account takeover for any SMS-protected service |
Mitigation
- ✅ Eliminate SMS-based authentication — the only definitive solution; migrate to FIDO2/WebAuthn
- ✅ Phone intelligence scoring — use services to identify SIM farm and VoIP numbers at verification time
- ✅ Device attestation — require SafetyNet/Play Integrity alongside phone verification
- ✅ SS7/Diameter firewalls at carrier level — reduces SS7 interception supply
- ✅ Law enforcement operations — takedown campaigns against CaaS infrastructure
- ⚠️ Multi-signal fraud detection — combine phone number risk with device, IP, behavioral signals
- ⚠️ International cooperation — CaaS infrastructure spans multiple jurisdictions
References
- SecurityWeek: Massive OTP-Stealing Android Malware Campaign Discovered (2024)
- Zimperium zLabs: "SMS Stealer" Campaign and Ecosystem Analysis
- Europol: Cybercrime-as-a-Service Threat Assessment
- FBI IC3: Internet Crime Report (SMS-based fraud statistics)
20. Coordinated Telecom-Targeted Campaigns to Support Wider Crime (S, T, I, D, E)
Executive Summary
Criminal organizations have conducted coordinated campaigns targeting telecom infrastructure itself — compromising carrier customer portals, internal tools, and network management systems — not as an end in itself but as a force multiplier for broader criminal operations. When a carrier's systems are compromised, the downstream impact cascades: thousands of businesses lose MFA capability, account recovery is disrupted, and the attacker gains a persistent vantage point for SIM swaps, SMS interception, and subscriber surveillance at will. These are among the most impactful attacks because they turn the carrier from a security provider into an attack platform.
Real-World Incident
| Detail | Value |
|---|---|
| When | 2022–2024; multiple incidents |
| Who | Lapsus$, Scattered Spider (UNC3944), and other organized groups |
| Targets | T-Mobile, AT&T, Verizon (customer portals and employee tools) |
| Method | Social engineering of carrier employees → access to internal tools → mass SIM swaps and data exfiltration |
| Downstream Impact | Thousands of organizations lost MFA capability; business account lockouts; cascading security failures |
| Significance | Demonstrated that carrier compromise = compromise of all downstream organizations relying on that carrier |
Network Position — Where the Attack Starts
```mermaid
graph TB
subgraph "Carrier Infrastructure (Compromised)"
Employee_Portal[🖥️ Employee Portal
Agent CRM + tools]
Customer_Portal[🌐 Customer Portal
Self-service + API]
Provisioning[⚙️ Provisioning System
SIM management]
HLR[(🔐 HLR/HSS)]
BSS[💰 BSS/Billing]
SMSC[📨 SMSC]
end
subgraph "Attacker"
Attacker[🔴 Scattered Spider /
Lapsus$
Social engineer carrier
employees]
end
subgraph "Downstream Organizations (Impacted)"
Org_A[🏢 Organization A
5,000 employees on carrier
MFA via SMS]
Org_B[🏦 Bank B
Customer 2FA via
carrier SMS]
Org_C[☁️ SaaS Provider C
Account recovery via
carrier phone numbers]
end
subgraph "Cascading Impact"
MFA_Fail[❌ MFA Failures
Thousands of users
locked out or bypassed]
ATO_Wave[❌ Account Takeover Wave
Mass SIM swaps enable
widespread fraud]
Trust_Loss[❌ Trust Collapse
Organizations can't trust
phone-based verification]
end
Attacker -.->|"1. ❌ Social engineer
employee credentials"| Employee_Portal
Attacker -.->|"2. ❌ Access
provisioning"| Provisioning
Attacker -.->|"3. ❌ Mass SIM swaps
+ data access"| HLR
Provisioning -.->|"SIM changes
affect"| Org_A
SMSC -.->|"SMS routing
disrupted for"| Org_B
BSS -.->|"Account data
exposed for"| Org_C
Org_A --> MFA_Fail
Org_B --> ATO_Wave
Org_C --> Trust_Loss
style Attacker fill:#ff6666,color:#fff
style Employee_Portal fill:#ffaa66
style Provisioning fill:#ffaa66
style HLR fill:#ffaa66
style MFA_Fail fill:#ffee66
style ATO_Wave fill:#ffee66
style Trust_Loss fill:#ffee66
```
Attack Sequence — Step by Step
```mermaid
sequenceDiagram
participant Attacker as 🔴 Scattered Spider
participant Helpdesk as 📞 Carrier Helpdesk
participant Employee as 👤 Carrier Employee
participant Tools as 🖥️ Internal Tools
participant Provisioning as ⚙️ Provisioning
participant HLR as 🔐 HLR/HSS
participant Downstream as 🏢 Downstream Orgs
Note over Attacker: Phase 1: Carrier Employee Compromise
Attacker->>Helpdesk: Call IT helpdesk impersonating
employee: "I'm locked out, lost
my MFA device, need reset"
Helpdesk->>Employee: Reset MFA for "employee"
Attacker->>Tools: Login with employee credentials
+ new MFA
Note over Attacker: Phase 2: Internal Reconnaissance
Attacker->>Tools: Browse internal tools:
- Customer search
- SIM management
- Account modification
- Subscriber data export
Note over Attacker: Phase 3: Targeted Exploitation
loop For each high-value target
Attacker->>Provisioning: SIM swap for target
(IT admin at crypto company)
Provisioning->>HLR: Update IMSI binding
Note over Attacker: Use swapped number to
bypass MFA at target's employer
end
Note over Attacker: Phase 4: Mass Impact Operations
Attacker->>Tools: Export customer database:
Names, SSNs, account details
for millions of subscribers
Attacker->>Provisioning: Bulk SIM swap operations
targeting enterprise accounts
Note over Downstream: Phase 5: Cascading Downstream Failure
Downstream->>Downstream: Thousands of employees
report MFA failures
Downstream->>Downstream: Account recovery SMS
not being delivered
Downstream->>Downstream: Security teams detect
unauthorized logins
with valid MFA
Downstream->>Downstream: Business operations
disrupted across
multiple organizations
```
Technical Deep Dive
The Scattered Spider methodology: This group (also tracked as UNC3944, Octo Tempest, 0ktapus) specifically targets telecom and technology companies using a combination of:
- Social engineering of helpdesks: Impersonating employees via phone calls to get MFA resets
- SMS phishing of employees: Sending fake SSO login pages to carrier employees' personal phones
- SIM swapping carrier employees: Using initial access to SIM swap carrier employees themselves, gaining access to their own MFA-protected internal tools
- Persistence through internal tools: Once inside, using carrier provisioning tools for ongoing SIM swaps
Why carrier compromise is a force multiplier:
| Direct Impact (at Carrier) | Cascading Impact (Downstream) |
|---|---|
| Employee credentials stolen | Every subscriber's identity at risk |
| Customer data exfiltrated | Mass SIM-swap fraud possible |
| Internal tools compromised | MFA for all downstream orgs undermined |
| Provisioning access gained | Attacker can perform SIM swaps at will |
| SMSC access possible | SMS-based services disrupted for all customers |
The trust cascade: Organizations that rely on a carrier for employee phone service, SMS-based MFA, and account recovery face a catastrophic scenario when that carrier is compromised:
- Employee MFA can be bypassed (SIM swap the employee's number)
- Account recovery via SMS is compromised
- New employee onboarding (which often requires phone verification) is disrupted
- Customer-facing services that use SMS verification are exposed
- There is no quick remediation because switching carriers for thousands of employees takes weeks
Detection Indicators
- Carrier-side: Unusual patterns of SIM swaps from specific internal accounts; bulk data queries from employee tools
- Downstream: Cluster of MFA failures or unexpected MFA success from unusual locations for subscribers on the same carrier
- Cross-organization: Multiple companies reporting similar security incidents traceable to the same carrier
- Threat intelligence: Carrier employee credentials appearing on dark web markets or Telegram channels
- Social engineering attempts: Increased calls to carrier helpdesks with employee impersonation attempts
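The carrier-side indicator (SIM-swap bursts and bulk queries from one internal account) and the downstream indicator (MFA anomalies clustering on one carrier across several organizations) can both be expressed as simple aggregations over audit data. The block below is an added example, not code from the original page or from any carrier or vendor; the audit-log format, the MFA telemetry tuple and every record in it are constructed for illustration, and the thresholds are assumptions to be tuned against a real baseline.

```python
"""Detection logic for the carrier-side and downstream indicators listed above.
Added example, not code from the original page: the audit-log format, the
field names and every record below are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed provisioning audit log: "<ISO time> <employee> <action> <target>".
PROVISIONING_AUDIT = """\
2024-03-01T09:02:11 agent_17 SIM_SWAP 999700000000101
2024-03-01T09:15:40 agent_17 SIM_SWAP 999700000000102
2024-03-01T13:30:05 agent_22 SIM_SWAP 999700000000201
2024-03-01T22:10:01 agent_41 SIM_SWAP 999700000000301
2024-03-01T22:11:12 agent_41 SIM_SWAP 999700000000302
2024-03-01T22:12:09 agent_41 SIM_SWAP 999700000000303
2024-03-01T22:13:44 agent_41 SIM_SWAP 999700000000304
2024-03-01T22:14:58 agent_41 SIM_SWAP 999700000000305
2024-03-01T22:20:30 agent_41 EXPORT_QUERY subscribers:all
"""


def parse_audit(text: str) -> List[dict]:
    """Parse the constructed audit format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, who, action, target = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "who": who,
                       "action": action, "target": target})
    return events


def flag_provisioning_anomalies(events: List[dict], max_swaps_per_hour: int = 3,
                                business_hours: Tuple[int, int] = (8, 19)) -> Dict[str, List[str]]:
    """Return {employee_account: [reasons]} for accounts whose SIM-swap or
    export behaviour departs from a normal helpdesk workload."""
    reasons = defaultdict(set)
    swaps_per_hour = Counter()
    for e in events:
        if e["action"] == "SIM_SWAP":
            swaps_per_hour[(e["who"], e["ts"].strftime("%Y-%m-%dT%H"))] += 1
            if not business_hours[0] <= e["ts"].hour < business_hours[1]:
                reasons[e["who"]].add("off_hours_swap")
        elif e["action"] == "EXPORT_QUERY":
            # Bulk subscriber exports are not part of any single-customer workflow.
            reasons[e["who"]].add("bulk_export:" + e["target"])
    for (who, hour), n in swaps_per_hour.items():
        if n > max_swaps_per_hour:
            reasons[who].add(f"swap_burst:{n}@{hour}")
    return {who: sorted(r) for who, r in reasons.items()}


# Constructed downstream MFA telemetry: (org, msisdn, carrier, outcome, country).
MFA_EVENTS = [
    ("org_a", "+15550300001", "carrier_x", "fail", "US"),
    ("org_a", "+15550300002", "carrier_x", "success", "RO"),
    ("org_b", "+15550300003", "carrier_x", "fail", "US"),
    ("org_c", "+15550300004", "carrier_x", "success", "NG"),
    ("org_a", "+15550300005", "carrier_x", "success", "US"),
    ("org_b", "+15550300006", "carrier_y", "fail", "US"),
    ("org_c", "+15550300007", "carrier_y", "success", "US"),
]


def cluster_mfa_anomalies(events, home_country: str = "US", min_numbers: int = 3):
    """Group MFA failures and successes from unexpected countries by carrier.
    Several numbers across several organisations on the same carrier is the
    cross-organisation signal described above."""
    numbers = defaultdict(set)
    orgs = defaultdict(set)
    for org, msisdn, carrier, outcome, country in events:
        anomalous = outcome == "fail" or (outcome == "success" and country != home_country)
        if anomalous:
            numbers[carrier].add(msisdn)
            orgs[carrier].add(org)
    return {c: {"numbers": len(n), "orgs": sorted(orgs[c])}
            for c, n in numbers.items() if len(n) >= min_numbers}


if __name__ == "__main__":
    print(flag_provisioning_anomalies(parse_audit(PROVISIONING_AUDIT)))
    print(cluster_mfa_anomalies(MFA_EVENTS))
```

On the constructed data only `agent_41` is flagged, for three independent reasons (swaps outside business hours, five swaps in one hour, and a bulk export), while the downstream clustering isolates `carrier_x` because anomalous MFA events on it span four numbers and three organizations; a single failure on `carrier_y` stays below the threshold. The cross-organization view only works if the organizations share telemetry or an ISAC-style channel, which is the practical point of the indicator.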
STRIDE Assessment
| Category | Rating | Justification |
|---|---|---|
| Spoofing | Critical | Attacker impersonates carrier employees and subscribers |
| Tampering | Critical | Provisioning data modified; SIM bindings changed |
| Repudiation | High | Actions performed with legitimate employee credentials |
| Information Disclosure | Critical | Millions of subscriber records; enables downstream data theft |
| Denial of Service | High | MFA disruption affects thousands of downstream organizations |
| Elevation of Privilege | Critical | Carrier internal access → subscriber identity control → downstream enterprise access |
Mitigation
- ✅ Phishing-resistant MFA for carrier employees — FIDO2 security keys mandatory for all internal tool access
- ✅ Helpdesk social engineering training — strict verification procedures for MFA resets; callback verification
- ✅ Carrier internal tool access monitoring — SIEM/UEBA on provisioning and CRM systems; alert on anomalous patterns
- ✅ Zero-trust architecture for carrier internal systems — continuous verification, not just login-time auth
- ✅ Downstream organization resilience — don't rely solely on carrier SMS for MFA; implement backup authentication methods
- ✅ Carrier-to-customer breach notification — rapid notification when provisioning integrity may be compromised
- ⚠️ Multi-carrier strategy — enterprises split employee phone service across multiple carriers to reduce blast radius (complex to manage)
- ⚠️ Regulatory enforcement — FCC and equivalents requiring carriers to demonstrate provisioning security (evolving)
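The downstream-resilience and phishing-resistant-MFA mitigations above come down to one policy decision: a phone-delivered factor must never be the only thing standing between an attacker and an account, and its weight must drop to zero as soon as the carrier's provisioning integrity is in doubt. The block below is an added example of such a policy, not code from the original page or from any identity vendor. The inputs "carrier under provisioning-integrity advisory" and "recent SIM change" are assumed to arrive from breach notifications or a carrier lookup; no specific real API is implied, and the factor names are illustrative.

```python
"""A downstream organisation's authentication policy that stops treating carrier
SMS as a factor that can stand on its own. Added example, not code from the
original page. The inputs 'carrier under provisioning-integrity advisory' and
'recent SIM change' are assumed to come from breach notifications or a carrier
lookup; no specific real API is implied."""
from dataclasses import dataclass, field
from typing import Set

PHISHING_RESISTANT = {"fido2", "passkey"}    # WebAuthn-based authenticators
PHONE_FACTORS = {"sms_otp", "voice_otp"}     # anything a SIM swap captures


@dataclass
class AuthContext:
    factors_passed: Set[str]
    phone_carrier: str
    carriers_under_advisory: Set[str] = field(default_factory=set)
    sim_changed_recently: bool = False
    privileged_action: bool = False


def decide(ctx: AuthContext) -> str:
    """Return 'allow', 'step_up' (a non-phone factor is required) or 'deny'."""
    effective = set(ctx.factors_passed)
    # Once the carrier's provisioning integrity is in doubt, or the SIM behind
    # the number has just changed, the phone factor carries no weight at all.
    trust_withdrawn = (ctx.phone_carrier in ctx.carriers_under_advisory
                       or ctx.sim_changed_recently)
    if trust_withdrawn:
        effective -= PHONE_FACTORS
    if effective & PHISHING_RESISTANT:
        return "allow"
    if ctx.privileged_action:
        return "step_up"          # privileged actions need a phishing-resistant factor
    if "password" in effective and effective - {"password"}:
        return "allow"            # password plus any surviving second factor
    return "step_up" if effective else "deny"


if __name__ == "__main__":
    advisory = {"carrier_x"}
    print(decide(AuthContext({"password", "sms_otp"}, "carrier_y", advisory)))
    print(decide(AuthContext({"password", "sms_otp"}, "carrier_x", advisory)))
    print(decide(AuthContext({"password", "fido2"}, "carrier_x", advisory,
                             privileged_action=True)))
```

The same password-plus-SMS login is accepted on an unaffected carrier and pushed to a step-up challenge on a carrier under advisory, which is exactly the "backup authentication method" the mitigation list calls for: the organization keeps working during a carrier incident instead of either locking everyone out or silently accepting codes an attacker may be receiving.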
References
- TechTarget: The Biggest Ransomware Attacks in History
- CrowdStrike: Scattered Spider Threat Profile (UNC3944)
- Microsoft: Octo Tempest — Cross-Domain Threat Actor
- FCC: Enforcement Actions on Carrier Security Practices
- CISA: Advisory on Telecom Sector Targeting
APT/Gang Operations Summary
Attack Comparison Matrix
| # | Attack | Threat Actor | Mobile Network Role | Strategic Objective | Skill Level | Detectability |
|---|---|---|---|---|---|---|
| 16 | State Surveillance | Intelligence agency | Surveillance sensor grid | Long-term tracking | High (operator), Low (analyst) | Very Low |
| 17 | APT SMS Phishing | APT group | Initial access delivery channel | Enterprise compromise | Medium-High | Medium |
| 18 | Ransomware SMS | Ransomware gang | Psychological pressure channel | Ransom payment | Low | High |
| 19 | CaaS SMS Access | Access broker | Revenue-generating infrastructure | Enable other crime | Medium (operator), None (buyer) | Medium |
| 20 | Carrier Compromise | Organized crime | Force multiplier for mass impact | Multiple downstream attacks | High | Low-Medium |
Combined STRIDE Profile
| Attack | S | T | R | I | D | E | Overall Severity |
|---|---|---|---|---|---|---|---|
| 16. State Surveillance | ✅ | ✅ | Critical | ||||
| 17. APT SMS Phishing | ✅ | ✅ | ✅ | ✅ | Critical | ||
| 18. Ransomware SMS | ⚠️ | ✅ | ✅ | High | |||
| 19. CaaS SMS Access | ✅ | | ✅ | ✅ | | ✅ | Critical |
| 20. Carrier Compromise | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | Critical |
✅ = Primary impact, ⚠️ = Secondary/moderate impact
Standards Mapping
| Attack | 3GPP Reference | GSMA Reference | NIST Reference |
|---|---|---|---|
| 16 | TS 29.002 (MAP) | FS.11 | SP 800-187 |
| 17 | TS 23.040 (SMS) | A2P Guidelines | SP 800-63B, SP 800-154 |
| 18 | N/A (application layer) | — | CISA Ransomware Guide |
| 19 | TS 29.002, TS 23.040 | FS.11, A2P Framework | SP 800-63B |
| 20 | TS 32.240 (OAM) | Operator Security Baseline | SP 800-53 (AC, AU, IR) |
Lab Replicability
| Attack | Replicable in Docker Lab? | How |
|---|---|---|
| 16 | ⚠️ Partial | Simulate SS7 polling by running repeated Diameter S6a queries and analyzing location data patterns |
| 17 | ❌ No | Requires live SMS delivery and SSO infrastructure |
| 18 | ❌ No | Requires live SMS delivery; social/psychological aspects cannot be simulated |
| 19 | ❌ No | Requires multi-method interception infrastructure |
| 20 | ⚠️ Partial | Demonstrate provisioning access by modifying MongoDB subscriber records and observing impact on connected UEs |
🔬 Lab Exercises
Exercise 1: Simulate Persistent Location Polling (Attack #16 Analog)
```bash
# Simulate the surveillance polling pattern by repeatedly querying
# the HSS/UDM for subscriber information
# First, capture Diameter signaling during normal UE operation
docker exec -it open5gs_amf tcpdump -i any -w /tmp/surveillance.pcap tcp port 3868
# Register a UE with UERANSIM, let it run for 5 minutes
# The AMF will periodically update location info to the UDM
# In Wireshark, analyze the capture:
#   Filter: diameter.cmd.code == 316 (Update-Location)
#   Observe: How often does the UE's location get updated?
# Question: What location granularity could an attacker get
# from these updates? (Cell-ID → ~50m-2km)
```
Exercise 2: Demonstrate Carrier Compromise Impact (Attack #20 Analog)
```bash
# Show how a single change in the subscriber database
# cascades to downstream impact
# Step 1: Record working state
docker exec -it ueransim_ue nr-cli UERANSIM --exec "status"
# UE should show: Connected, IP assigned
# Step 2: Simulate carrier provisioning compromise
# (modify the subscriber's authentication key)
docker exec -it open5gs_mongo mongosh open5gs --eval '
db.subscribers.updateOne(
  {imsi: "999700000000001"},
  {$set: {"security.k": "00000000000000000000000000000000"}}
)'
# Step 3: Force re-authentication
# Restart the UE or wait for periodic re-auth
docker restart ueransim_ue
# Step 4: Observe failure
docker logs ueransim_ue | tail -20
# The UE will fail to authenticate because the K doesn't match
# This simulates how carrier compromise can break downstream authentication
```
Exercise 3: Understand the Cascading Trust Model
```bash
# Map the dependency chain in your Docker lab
# 1. What depends on the HSS/UDM?
#    - MME/AMF (authentication)
#    - SMF (session management)
#    - All UE connectivity
# 2. What depends on UE connectivity?
#    - User data access
#    - SMS delivery
#    - MFA codes for downstream services
# Query the subscriber database to see what a compromised
# provisioning system would expose:
docker exec -it open5gs_mongo mongosh open5gs --eval '
db.subscribers.find({}, {
  imsi: 1,
  "security.k": 1,
  "security.opc": 1,
  "security.amf": 1
}).pretty()'
# Question: With these values (K + OPc + AMF), what could
# an attacker do? (Answer: Clone SIM, impersonate subscriber,
# intercept all communications)
```
These exercises are for educational purposes only in your isolated Docker lab. Never test against real carrier systems or attempt social engineering of carrier employees.
3GPP and Industry References
| Document | Title | Relevance |
|---|---|---|
| 3GPP TS 29.002 | MAP Protocol | SS7 surveillance operations |
| 3GPP TS 29.272 | Diameter S6a | 4G location and auth queries |
| 3GPP TS 32.240 | Charging/OAM Architecture | Carrier internal system security |
| GSMA FS.11 | SS7 Interconnect Security | SS7 firewall and monitoring |
| GSMA | Operator Security Baseline | Carrier internal security standards |
| NIST SP 800-187 | Guide to LTE Security | LTE security framework |
| NIST SP 800-53 | Security and Privacy Controls | Carrier system access controls (AC, AU, IR families) |
| CISA | Telecom Sector Security Guide | Critical infrastructure protection |
| Citizen Lab | Running in Circles (2020) | Surveillance vendor infrastructure documentation |
Summary
- ✅ State-level surveillance platforms have industrialized SS7 exploitation into user-friendly dashboards, operating for years without detection
- ✅ APTs use SMS as a high-success-rate phishing channel that bypasses most enterprise email security controls
- ✅ Ransomware gangs weaponize SMS for psychological pressure, turning data breaches into direct employee harassment
- ✅ CaaS ecosystems have turned mobile interception into a commodity service available to anyone with cryptocurrency
- ✅ Carrier compromise is the ultimate force multiplier — a single breach cascades to thousands of downstream organizations
- ✅ Core defense principle: Treat mobile network services (SMS, phone numbers, carrier identity) as untrusted infrastructure for security-critical functions