The Department of Homeland Security knows which countries SS7 attacks are primarily originating from. Others include countries in Europe, Africa, and the Middle East.

The Department of Homeland Security (DHS) believes that China, Russia, Iran, and Israel are the “primary” countries exploiting security holes in telecommunications networks to spy on people inside the United States, which can include tracking their physical movements and intercepting calls and texts, according to information released by Senator Ron Wyden.

The news provides more context around use of SS7, the exploited network and protocol, against phones in the country. In May, 404 Media reported that an officialinside DHS’s Cybersecurity Insurance and Security Agency (CISA) broke with his department’s official narrative and publicly warned about multiple SS7 attacks on U.S. persons in recent years. Now, the newly disclosed information provides more specifics on where at least some SS7 attacks are originating from.

The information is included in a letter the Department of Defense (DoD) wrote in response to queries from the office of Senator Wyden. The letter says that in September 2017 DHS personnel gave a presentation on SS7 security threats at an event open to U.S. government officials. The letter says that Wyden staff attended the event and saw the presentation. One slide identified the “primary countries reportedly using telecom assets of other nations to exploit U.S. subscribers,” it continues.

“Those countries, according to the DHS presentation, are Russia, China, Israel and Iran,” it adds. The presentation also listed other countries where telecom assets are used to attack U.S. subscribers, including “a number of countries in Africa, Central/South America, and Europe, the Middle East.”

Cathal McDaid, VP Technology at Enea, which builds SS7 security products, told 404 Media in an online chat that “We have observed malicious signalling activity that we attributed to be ultimately from one or more of those countries mentioned on the list.”

Enea previously attributed malicious SS7 activity to Russia. Two other countries on the list, China and Iran, are adversaries to the U.S. But the fourth country, Israel, is an ally. Israel has conducted “aggressive” espionage campaigns against American targets for decades, according to a 2014 Newsweek report, citing U.S. intelligence and congressional sources. Israel is also a hotbed for surveillance firms, including those that engage in SS7 exploitation.

Karsten Nohl, founder and chief scientist of cybersecurity company Security Research Labs and who has extensively researched SS7, told 404 Media in an email that “We definitely observe geopolitical adversaries abusing SS7 weaknesses with impunity.”

In the newly released document, Senator Wyden’s office says the DoD confirmed it believes that all U.S. carriers are vulnerable to SS7 and Diameter surveillance, and that DoD has not reviewed third-party audits carried out by U.S. carriers of their own networks. “The DoD has asked the carriers for copies of the results of their third-party audits and were informed that they are considered attorney-client privileged information,” the DoD writes. Diameter is something of an efficiency upgrade to SS7, but it can still be attacked.

SS7 is used to route messages when a phone user roams outside of their area of normal coverage. But it is also leveraged by governments, surveillance contractors, and financially motivated criminals to target phones too. These malicious parties gain access to SS7 through legitimate telecommunications companies or even operating their own. They lease access to a Global Title, which is essentially an address to route messages with. With that access, attackers may be able to track a phone and person’s location, or intercept their communications armed with just their phone number. SS7 attacks are also used to deliver malware that can then infect the target’s mobile device itself.

It is different from other acts of espionage against U.S. telecommunications networks, like the recent hacks by suspected Chinese spies of Verizon and AT&T reported by the Wall Street Journal. Earlier this month, Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger told reporters that China hacked “at least eight” U.S. telecoms, freelance journalist Eric Geller reported.

SS7, meanwhile, does not require hacking in the traditional sense, instead relying on fundamental issues in the network and protocol that treats any connection request as legitimate, even if carried out by a malicious party. For that reason, SS7 is a much more available spying tool to governments around the world. In 2020, researchers from Citizen Lab at the Munk School of Global Affairs and Public Policy at the University of Toronto identified many likely clients of SS7 exploitation company Circles. Those included Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Israel, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Thailand, the United Arab Emirates (UAE), Vietnam, Zambia, and Zimbabwe. Circles previously merged with notorious government malware developer NSO Group. NSO Group closed the Circles Cyprus office in 2020.

That same year, the Guardian reported a whistleblower provided evidence that Saudi Arabia was using SS7 to track its citizens as they traveled around the U.S.

The CISA official 404 Media reported on in May was Kevin Briggs. In a public filing with the Federal Communications Commission (FCC), Briggs laid out details of multiple SS7 attacks against the U.S., and said that he thinks the examples “are just the tip of the proverbial iceberg of SS7 and Diameter based location and monitoring exploits that have been used successfully against targeted people in the USA.”

“I believe there have been numerous incidents of successful, unauthorized attempts to access the network user location data of communications service providers operating in the USA using SS7 and/or Diameter exploits,” Briggs writes. “Much more could be said, but this ends my public comments,” he concluded.

When asked if the DoD is aware of any incidents in 2022 or 2023 in which DoD personnel, either in the U.S. or outside the country, were surveilled through SS7 or Diameter, the DoD said answering the question “requires a classified response.” The DoD provided the same answer when asked if it was aware of any SS7 or Diameter surveillance against personnel in Guam and Diego Garcia.

Some companies have emerged to try to plug those holes: The Navy contracted with a privacy and security focused phone network called Cape in Guam as part of a pilot program; the Navy previously told 404 Media the technology enhanced “both operational and information security.”

Pointing to how lingering of a security issue SS7 has been over the years, Nohl added “It’s amazing that we are still talking about SS7. Solving these issues takes a focused multi-months project at each telco to configure a signalling firewall. It’s not a trivial undertaking; and yet is dwarfed by the amount of time people talk about SS7 security rather than fixing the issues already.” He said that while some countries are sending hundreds of pings per target each day, and that many of those malicious requests will be blocked by SS7 firewalls, it’s “safe to assume that other state actors and criminals are leveraging SS7 for a similar information gain without creating this unnecessary noise.”

CISA did not respond to a request for comment. AT&T acknowledged a request for comment but ultimately did not provide a statement. Verizon and T-Mobile did not respond. Representatives for the Chinese, Russian, Iranian, and Israeli governments did not respond to requests for comment.