MITRE ATT&CK® Analytic

AN1754: Analytic 1754

Defender observes anomalous signaling interactions involving subscriber identity or location resolution events associated with a device, including abnormal routing requests, unexpected location information exchanges, or signaling node inconsistencies indicative of SS7 abuse. [1] The CSRIC also suggests threat information sharing between telecommunications industry members.

Domain: Mobile | ID: AN1754 | Type: Analytic | Object version 1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it points to abuse of telecom signaling used to resolve a mobile subscriber’s identity or location. For leaders, the practical issue is not an endpoint alert on an iPhone; it is whether the organization can recognize and escalate suspicious carrier-network signaling that may affect mobile user privacy, executive protection, incident response decisions, or telecom-dependent operations.

Executive priority

Prioritize this as a governance and resilience question for organizations with high-risk mobile users, telecom exposure, or cyber-physical safety concerns. Executives should ask whether mobile-related investigations can incorporate carrier or telecommunications partner evidence, whether threat information sharing channels exist, and whether incident plans address subscriber identity or location-resolution abuse. Because ATT&CK provides no detection logic here, coverage should not be assumed from standard EDR, MDM, or SIEM controls alone.

Technical view

The supplied ATT&CK object describes observation of anomalous signaling interactions associated with subscriber identity or location resolution events on iOS-related mobile activity, including abnormal routing requests, unexpected location information exchanges, and signaling node inconsistencies indicative of SS7 abuse. SOC and IR teams should validate whether they have access to telecom signaling-derived evidence directly or through carriers, managed service providers, or trusted information-sharing channels. With no ATT&CK detection pseudocode and no relationship context, teams should treat this as a detection-strategy prompt rather than a ready analytic.

Likely telemetry

  • Telecommunications signaling logs or carrier-provided signaling event summaries
  • Subscriber identity resolution and location-resolution event records
  • Abnormal routing request indicators from telecom signaling infrastructure
  • Unexpected location information exchange records
  • Signaling node consistency or trust/peer anomaly data

Detection direction

  • Confirm whether the organization can obtain carrier-side evidence for subscriber identity or location-resolution anomalies; standard device telemetry may not show this behavior.
  • Define escalation paths for abnormal routing requests, unexpected location information exchanges, or signaling node inconsistencies involving protected users or business-critical mobile lines.
  • Tune triage around business context: executive devices, crisis operations, regulated communications, travel, or physical security cases may warrant higher priority.
  • Account for false positives from legitimate roaming, carrier maintenance, network interconnect changes, or incomplete partner context.
  • Use telecommunications threat information sharing, as referenced by CSRIC, to improve situational awareness when local visibility is limited.
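The bullets above describe a triage approach rather than a rule. The following added example (not Glexia's or MITRE's code) shows one way to turn them into scoring logic over carrier-provided signaling event summaries: it raises the score for requests from signaling nodes the carrier has not identified as trusted peers, for location-information exchanges without a matching roaming record, for node inconsistencies against the expected home node, and for protected subscribers, and it lowers the score for legitimate roaming via a trusted peer or events inside a carrier maintenance window. The record layout, the trusted-peer and protected-subscriber lists, the maintenance window and the sample events are all constructed for illustration; a real carrier feed will use different fields.

```python
"""Triage of carrier-provided signaling event summaries for subscriber
identity / location-resolution anomalies (AN1754 detection direction).

Added example, not Glexia's or MITRE's code. Every list and record below
is constructed; replace them with carrier-supplied context.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed: signaling peers the carrier confirms as legitimate
# interconnect or roaming partners for this subscriber base.
TRUSTED_PEERS = {"peer-home-01", "peer-roam-eu-02"}

# Constructed: business context from executive-protection / MDM teams.
PROTECTED_SUBSCRIBERS = {"sub-ceo", "sub-crisis-line"}

# Constructed: carrier maintenance windows (ISO timestamps, inclusive)
# during which routing and interconnect changes are expected.
MAINTENANCE_WINDOWS = [("2025-03-01T02:00", "2025-03-01T04:00")]


@dataclass
class SignalingEvent:
    ts: str            # ISO timestamp of the carrier-reported event
    event_type: str    # "routing_request" | "location_info_exchange" | "node_inconsistency"
    subscriber: str    # opaque subscriber identifier from the carrier summary
    origin_node: str   # signaling node that originated the request
    home_node: str     # node the carrier expects to serve this subscriber
    roaming: bool      # carrier has a matching legitimate roaming record


@dataclass
class Finding:
    event: SignalingEvent
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def in_maintenance(ts: str) -> bool:
    """True when the event falls inside a known carrier maintenance window."""
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def triage(event: SignalingEvent) -> Optional[Finding]:
    """Score one event; return a Finding when it merits review, else None."""
    f = Finding(event)
    if event.origin_node not in TRUSTED_PEERS:
        f.score += 3
        f.reasons.append("origin node is not a carrier-confirmed peer")
    if event.event_type == "location_info_exchange" and not event.roaming:
        f.score += 2
        f.reasons.append("location exchange without a roaming record")
    if event.event_type == "node_inconsistency" and event.origin_node != event.home_node:
        f.score += 2
        f.reasons.append("serving node disagrees with expected home node")
    if event.subscriber in PROTECTED_SUBSCRIBERS:
        f.score += 2
        f.reasons.append("protected subscriber (business-context uplift)")
    # False-positive reducers from the detection direction above.
    if event.roaming and event.origin_node in TRUSTED_PEERS:
        f.score -= 2
        f.reasons.append("legitimate roaming via trusted peer")
    if in_maintenance(event.ts):
        f.score -= 1
        f.reasons.append("inside carrier maintenance window")
    return f if f.score >= 3 else None


def severity(score: int) -> str:
    """Map a score onto the escalation path: carrier request vs. SOC review."""
    return "escalate-to-carrier" if score >= 5 else "soc-review"


def run_triage(events: Iterable[SignalingEvent]) -> List[Finding]:
    """Triage a batch of events and return findings, highest score first."""
    findings = [f for f in (triage(e) for e in events) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample feed: two benign events, one clear anomaly against a
# protected subscriber, one inconsistency softened by a maintenance window.
SAMPLE_EVENTS = [
    SignalingEvent("2025-03-01T09:10", "routing_request", "sub-employee",
                   "peer-home-01", "peer-home-01", roaming=False),
    SignalingEvent("2025-03-01T09:12", "location_info_exchange", "sub-employee",
                   "peer-roam-eu-02", "peer-home-01", roaming=True),
    SignalingEvent("2025-03-01T09:15", "location_info_exchange", "sub-ceo",
                   "peer-unknown-77", "peer-home-01", roaming=False),
    SignalingEvent("2025-03-01T03:30", "node_inconsistency", "sub-employee",
                   "peer-unknown-77", "peer-home-01", roaming=False),
]

if __name__ == "__main__":
    for f in run_triage(SAMPLE_EVENTS):
        print(f"{severity(f.score):20} score={f.score} subscriber={f.event.subscriber} "
              f"node={f.event.origin_node} reasons={'; '.join(f.reasons)}")
```

The weights are arbitrary placeholders; what matters is the shape: untrusted-node and protected-subscriber context add, carrier-confirmed roaming and maintenance context subtract, and only the top band triggers a carrier assistance request so the escalation path in the mitigation priorities is exercised by evidence rather than by every anomaly.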

Mitigation priorities

  • Establish incident response procedures for mobile signaling abuse scenarios, including who can request carrier assistance and what evidence is needed.
  • Identify high-risk mobile users and services where location privacy, identity protection, or continuity requirements justify enhanced monitoring or partner coordination.
  • Formalize telecommunications provider engagement and threat information-sharing channels before an incident occurs.
  • Document visibility limitations in compliance and risk evidence so leaders understand what is and is not covered by internal SOC tooling.
  • Where mobile security programs exist, integrate carrier-side findings with MDM, identity, travel-risk, and executive protection workflows without assuming endpoint detection will confirm SS7-related activity.

Analyst notes and limits

This is a mobile ATT&CK detection analytic for iOS with an official description but no supplied detection logic, no tactics, and no relationship context. The key decision value is validating access to telecom signaling evidence and escalation partnerships rather than writing a conventional endpoint-only rule.

The supplied ATT&CK fields do not provide a concrete detection algorithm, supported data components, related techniques, adversary use, or mitigations. Any assessment of exposure, exploitation, or detection coverage requires local carrier relationships, telecom telemetry availability, and organization-specific mobile risk context.

Official MITRE ATT&CK definition

Analytic 1754

Defender observes anomalous signaling interactions involving subscriber identity or location resolution events associated with a device, including abnormal routing requests, unexpected location information exchanges, or signaling node inconsistencies indicative of SS7 abuse. [1] The CSRIC also suggests threat information sharing between telecommunications industry members.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 9f1dfa85431e8359...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.1            |          | Current bundle | 9f1dfa85431e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CSRIC5-WG10-FinalReport
     Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.
     Open source URL
  2. [2] mitre-attack AN1754
     Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.