'Israeli' telecom track phones across 10+ countries

• Research identified over 15,700 tracking attempts routed through 'Israeli' telecommunication infrastructure.
• Phones were targeted in Thailand, South Africa, Norway, Bangladesh, Malaysia, and at least six other countries

A joint investigation between Citizen Lab and Haaretz pushed comments on how 'Israeli' telecommunication infrastructure was weaponized by commercial surveillance vendors tracking the location of individuals' phones across more than 10 countries. 

What was found 

The investigation identified over 15,7000 tracking attempts from late 2022 targeting phones across countries such as Thailand, South Africa, Malaysia, and Bangladesh. 

Two vendors posed as cell carriers and used 'Israeli' telecom company 019mobile, as well as Tango Networks (UK), and Airtel Jersey (Channel Islands) as entry points to silently track people worldwide through SS7 and Diameter protocol abuse. 

The two vendors were not named. Gary Miller, a researcher who contributed to the analysis, stated that the first vendor is most likely an "Israeli-based commercial geo-intelligence provider."

How it worked 

The first case was from a Middle Eastern businessman who had his phone tracked repeatedly for over 4 hours. This led to the discovery of a broader pattern.

Individuals across over 10 countries were tracked. In Indonesia, selected targets who had taken part in political activities or had spoken out against the government were tracked.

In Norway, telecom executives were tracked and in 'Israel' lawers and businessmen who had work interests in Africa and the Gulf countries were tracked.

SS7 is normally used to route calls and text messages, enabling international roaming and connecting to different mobile operators.

The investigations found that the Swiss telecom company, Fink, had enabled the 'Israeli' surveillance firm Rayzone to impersonate cellular carriers, allowing it to track phones by exploiting the SS7 signaling. 

Rayzone is known for selling location and tracking to governments.

4G and 5G networks were also exploited with a technique called SIMjacking, which allows invisible SMS commands to be sent, which forces the phone to broadcast its own location silently. Using this leaves no obvious trace, which makes detection way more difficult. 

The first campaign used the SS7 exploit with an address registered to 019mobile to send location tracking requests.

Another route passed through 'Israeli' company Exelera Telcom. who build international undersea fiber optic cables.

Three different companies were used as entry points 019mobile, Tango Networks UK, and Airtel Jersey, Channel Islands operator now known as Sure, was linked to prior surveillance investigations, according to the report. 

The second campaign exploited 4g and 5g networks using SIMjacking. This allowed the attackers to receive location tracking by sending a hidden SMS header that is processed straight to the SIM card, hiding it from the user.

Citizens Lab stated this method involved over 15,000 location tracking attempts since late 2022

Governmental deals 

The investigation also shows that 'Israeli' company Cognytes, parent company Verint, sold its product called Skylock, which is an SS7 tracking tool, to the government of the Democratic Republic of Congo.

The company has also had commercial ties with companies in Thailand, Malaysia, Indonesia, Vietnam, and Congo, which include multiple of the same countries where the tracking was identified.

Verint had previously sold smartphone surveillance programs to the governments of the UAE, South Sudan, and Mexico, according to information reported by Citizen Lab.

Lighthouse reports who had exposed Fink's telecom service in the 2023 investigation with Haaretz, Der Spiegel, Tamedia, Tamedia and Mediapart stated that Andreas Fink built service platforms for governments and companies worldwide, including 'Israels' Rayzone.

Fink demonstrated the system in Congo by pinpointing the location of a person who ran an anti-government Facebook account. Fink offered $1,000 per month to access the employees' phone network to track targets. 

Companies response 

Head of security of the 'Israeli' company 019mobile denied any involvement.

Partnership communications stated to Haaretz that it "has no connection to the current case and any attempt to link its name to it is mistaken."

Exelera Telecom, Fink, Cognyte, and Verint did not respond.  UK regulators banned the practice the same week as the report was published and called it the largest source of malicious traffic to mobile networks.

Citizens Lab stated that newer signalling systems introduced are still similarly being exploited.