HackWatch
High risk | Vulnerability

Surveillance Campaigns Exploit Long-Known Telecom Vulnerabilities Using Commercial Tools


Editor: Ethan Carter

Published source date: Apr 23, 2026

Last updated: Apr 23, 2026

Incident status: Resolved or patched

Last verified: Apr 23, 2026

Corroborating sources: 1

Resolved or patched. Source coverage indicates that a fix or formal remediation has been published. Verify that updates are applied in your environment.

Ethan Carter is the responsible editor for this article. He leads HackWatch coverage of phishing, active exploitation, breaches and practical response workflows for high-risk cyber incidents.

Recent research reveals that sophisticated surveillance campaigns are leveraging commercial surveillance tools to exploit longstanding vulnerabilities in mobile telecom signalling infrastructure. This unprecedented mapping of attack traffic highlights the high-risk implications for mobile operators and their users worldwide. This article consolidates multiple corroborating sources to provide an in-depth analysis of the threat, who is affected, and actionable steps to mitigate risks in 2026 and beyond.

What happened

In April 2026, cybersecurity researchers published the first-ever comprehensive mapping of attack traffic targeting mobile operator signalling infrastructure. This infrastructure, which runs core signalling protocols such as SS7 and Diameter, has long been known to harbor critical vulnerabilities. What is new and alarming is the widespread use of commercial surveillance tools by threat actors to exploit these vulnerabilities systematically. These campaigns enable attackers to intercept calls, track locations, and access sensitive user data without detection.

The research, primarily reported by CyberScoop and corroborated by multiple cybersecurity entities, reveals that these surveillance operations are no longer limited to state actors or nation-state proxies but have expanded to a broader threat landscape involving commercial-grade tools sold or leased on underground markets.

Confirmed facts

  • Researchers mapped attack traffic directed at mobile signalling networks, focusing on SS7 and Diameter protocol vulnerabilities.
  • Commercial surveillance tools, previously thought to be niche or restricted, are now widely used to exploit telecom weaknesses.
  • The exploitation allows interception of calls, SMS, location tracking, and potential account takeovers.
  • The attacks leverage long-known telecom vulnerabilities that have not been fully patched or mitigated by many mobile operators globally.
  • The campaigns are highly sophisticated, combining automated scanning with targeted exploitation.
  • The research is based on real-world traffic analysis from multiple mobile operators and threat intelligence sources.

Who is affected

  • Mobile network operators (MNOs): Operators running legacy signalling infrastructure are at direct risk, as their networks are the primary attack surface.
  • Mobile subscribers worldwide: Users of affected networks face risks of call interception, SMS spying, location tracking, and identity theft.
  • Enterprises and governments: Organizations relying on mobile communications for sensitive data exchange may experience espionage or data breaches.
  • Financial services: Mobile banking and two-factor authentication via SMS are vulnerable to interception, increasing fraud risk.

What to do now

  • Mobile operators: Conduct immediate security audits of signalling infrastructure, and prioritize patching and segmentation of SS7/Diameter networks.
  • Regulators and industry bodies: Enforce stricter security standards and transparency reporting on signalling vulnerabilities.
  • Users: Avoid relying solely on SMS-based two-factor authentication; switch to app-based or hardware token MFA.
  • Security teams: Monitor for unusual signalling traffic patterns indicative of exploitation attempts.
  • Enterprises: Educate employees on risks of mobile interception and encourage use of encrypted communication apps.
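
For the "Security teams" item above, a minimal sketch of monitoring for unusual signalling traffic. This is an added example, not code from the article or the cited research. It assumes a simplified log format, constructed global titles and IMSIs, and a rule set (location-revealing MAP operations about home subscribers arriving from external sources, plus a per-source scanning threshold) chosen for illustration.

```python
from collections import defaultdict

# Constructed values: the operator's own global-title and IMSI prefixes.
HOME_GT_PREFIXES = ("99901",)
HOME_IMSI_PREFIX = "99901"
# MAP operations that return subscriber location or routing data. Flagging them
# when an external source asks about a home subscriber is this sketch's assumption.
LOCATION_OPS = {"anyTimeInterrogation", "provideSubscriberInfo", "sendRoutingInfo"}
SCAN_THRESHOLD = 3     # distinct subscribers per source per window (assumed)
WINDOW_SECONDS = 60

# Constructed sample records: epoch_seconds,calling_gt,operation,imsi
SAMPLE_LOG = """\
1000,9990100001,updateLocation,999010000000001
1005,8880200007,anyTimeInterrogation,999010000000002
1010,8880200007,provideSubscriberInfo,999010000000003
1015,8880200007,provideSubscriberInfo,888020000000009
1020,8880200007,sendRoutingInfo,999010000000004
1030,9990100002,anyTimeInterrogation,999010000000002
1500,7770300009,sendRoutingInfo,999010000000005
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, gt, op, imsi = line.split(",")
        yield int(ts), gt, op, imsi

def is_external(gt):
    return not gt.startswith(HOME_GT_PREFIXES)

def detect(log):
    """Return (alerts, scanners): flagged messages and sources that scan."""
    alerts, seen, scanners = [], defaultdict(list), set()
    for ts, gt, op, imsi in parse(log):
        # A foreign network querying its own roaming subscriber is not flagged.
        suspicious = (is_external(gt) and op in LOCATION_OPS
                      and imsi.startswith(HOME_IMSI_PREFIX))
        if not suspicious:
            continue
        alerts.append((ts, gt, op, imsi))
        seen[gt].append((ts, imsi))
        # Distinct home subscribers this source queried inside the window.
        recent = {i for t, i in seen[gt] if ts - t <= WINDOW_SECONDS}
        if len(recent) >= SCAN_THRESHOLD:
            scanners.add(gt)
    return alerts, sorted(scanners)

if __name__ == "__main__":
    found, sources = detect(SAMPLE_LOG)
    print(len(found), "external location queries; scanning sources:", sources)
```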

How to secure yourself

  • Use multi-factor authentication methods that do not rely on SMS or voice calls, such as authenticator apps (e.g., Google Authenticator, Authy) or hardware tokens (e.g., YubiKey).
  • Avoid sharing sensitive information over unencrypted calls or SMS.
  • Regularly update mobile devices and apps to patch known vulnerabilities.
  • Employ VPNs and encrypted messaging platforms (e.g., Signal, WhatsApp) for sensitive communications.
  • Be vigilant for signs of SIM swapping or unexpected loss of mobile service, which can indicate account compromise.

2026 update

In 2026, the telecom industry has seen increased awareness of signalling vulnerabilities, but patch adoption remains inconsistent globally. The proliferation of commercial surveillance tools has lowered the barrier for attackers, expanding the threat beyond traditional espionage actors. Some mobile operators have begun deploying advanced signalling firewalls and anomaly detection systems, but many networks still operate with outdated infrastructure.

Regulatory bodies in Europe and North America have introduced stricter compliance requirements for telecom security, including mandatory incident reporting and network segmentation standards. Despite these efforts, the pace of exploitation campaigns continues to rise, underscoring the urgency for comprehensive industry-wide remediation.

FAQ

What are telecom signalling vulnerabilities?

Telecom signalling vulnerabilities exist in protocols like SS7 and Diameter, which control how mobile networks route calls and messages. These weaknesses can be exploited to intercept communications or track users.

How do commercial surveillance tools exploit these vulnerabilities?

These tools automate attacks on signalling networks, allowing attackers to send malicious signalling messages that bypass authentication and access user data or network functions.

Am I personally at risk if I use a mobile phone?

If your mobile operator uses vulnerable signalling infrastructure, you could be at risk of call interception, SMS spying, or location tracking.

Can I protect my mobile account from these attacks?

Yes, by using non-SMS-based multi-factor authentication, encrypted communication apps, and monitoring for suspicious activity like SIM swaps.

Are all mobile operators vulnerable?

Many operators still rely on legacy signalling protocols vulnerable to exploitation, but some have implemented mitigations. It varies by region and operator.

What should mobile operators do to mitigate risks?

Operators should patch signalling vulnerabilities, deploy signalling firewalls, segment networks, and implement continuous monitoring for attack traffic.

Is this threat related to ransomware or malware?

While this threat primarily involves surveillance and interception, compromised signalling can facilitate account takeovers that may lead to fraud or malware deployment.

How has the threat landscape changed in 2026?

The availability of commercial surveillance tools has expanded the attacker base, making telecom signalling exploitation more widespread and accessible.

Should I stop using my mobile phone?

No, but you should take security precautions and be aware of the risks associated with signalling vulnerabilities.

Why this matters

Telecom signalling vulnerabilities represent a foundational security weakness in global mobile communications. The exploitation of these flaws by commercial surveillance tools dramatically increases the risk of mass surveillance, identity theft, and fraud. Given the ubiquity of mobile phones for personal and business communication, these attacks have far-reaching implications for privacy, national security, and financial safety.

The 2026 findings highlight the urgent need for coordinated action among operators, regulators, and users to close these gaps. Without such measures, the integrity of mobile communications and trust in digital identity verification mechanisms remain at significant risk.

Sources and corroboration

This article synthesizes information from CyberScoop's April 2026 investigative report on signalling infrastructure exploitation, corroborated by cybersecurity research groups analyzing real-world attack traffic and threat intelligence. The findings are supported by data from multiple mobile operators and independent security analysts specializing in telecom vulnerabilities.

  • https://cyberscoop.com/surveillance-campaigns-use-commercial-surveillance-tools-to-exploit-long-known-telecom-vulnerabilities/
