MITRE ATT&CK® Detection Strategy

DET0662: Detection of Impersonate SS7 Nodes

Mobile | DET0662 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0662 is a MITRE ATT&CK detection strategy for behavior related to impersonating SS7 network nodes to obtain mobile subscriber information and support device location tracking. For business leaders, the significance is not an endpoint alert on a phone; it is a mobile-network signaling risk that can affect executive protection, high-risk user privacy, telecom assurance, and investigations involving mobile identity or location exposure.

Executive priority

Treat this as a resilience and assurance question for any organization that depends on mobile communications for executives, privileged users, field operations, or sensitive workflows. Leaders should ask whether mobile signaling threats are in scope for their risk model, who owns evidence collection with telecom providers or mobile-network partners, and how incident response would validate suspected subscriber tracking when ATT&CK provides no built-in detection detail for this strategy.

Technical view

The supplied ATT&CK object has no official detection text, no tactics, and no platforms on the detection strategy itself. Its only relationship is that it detects T1430.002, Impersonate SS7 Nodes, in the mobile ATT&CK domain, with related platforms Android and iOS. SOC and IR teams should therefore validate coverage around mobile signaling and subscriber-information query evidence rather than assuming normal endpoint telemetry will detect this behavior. Detection engineering should focus on whether SS7-related logs, network signaling monitoring, telecom partner records, or mobile security provider evidence can show anomalous node impersonation or suspicious subscriber information requests tied to MSISDNs.

Likely telemetry

  • SS7 signaling logs or alerts from mobile network infrastructure or a telecom provider
  • Subscriber information query records involving MSISDNs
  • Mobile-network node identity, routing, and signaling metadata
  • Telecom or mobile security partner investigation records
  • Case-management evidence linking suspected mobile tracking to affected users, devices, or phone numbers

Detection direction

  • Confirm whether the organization has any direct or partner-provided visibility into SS7 signaling activity; standard Android or iOS endpoint logging may not be sufficient for this behavior.
  • Map the DET0662 relationship to T1430.002 and document what evidence would prove or disprove impersonated SS7 node activity in your environment or provider ecosystem.
  • Tune analysis around anomalous subscriber information queries and unexpected signaling paths, while accounting for legitimate roaming, carrier operations, and lawful operational activity that may create false positives.
  • For high-risk users, define an escalation path that includes telecom-provider coordination because the ATT&CK object does not provide a standalone detection procedure.
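
One way to express the tuning step above as triage logic, shown as an added example that is not part of the ATT&CK object or of Glexia's tooling. The record layout, global title (GT) prefixes, link labels and MSISDNs are constructed assumptions; the operation names are standard MAP operations.

```python
from collections import defaultdict

# Standard MAP operations that return subscriber identity or location data.
SUBSCRIBER_INFO_OPS = {"anyTimeInterrogation", "provideSubscriberInfo",
                       "sendRoutingInfoForSM", "sendRoutingInfo"}

# Assumptions for this example (constructed values, not a real operator's).
HOME_GT_PREFIXES = ("99901",)          # global titles of the home network's nodes
ROAMING_PARTNER_PREFIXES = ("99802",)  # partners covered by a roaming agreement

# Constructed records: (timestamp, ingress_link, calling_gt, operation, msisdn)
SAMPLE_RECORDS = [
    ("2026-01-10T08:00:01Z", "internal", "999010001", "sendRoutingInfoForSM", "+99955500001"),
    ("2026-01-10T08:00:05Z", "interconnect", "998020007", "provideSubscriberInfo", "+99955500002"),
    ("2026-01-10T08:01:12Z", "interconnect", "999010044", "anyTimeInterrogation", "+99955500003"),
    ("2026-01-10T08:02:30Z", "interconnect", "997030009", "provideSubscriberInfo", "+99955500003"),
    ("2026-01-10T08:03:00Z", "interconnect", "997030009", "updateLocation", "+99955500004"),
]

def classify(record):
    """Return a finding label for one signaling record, or None if expected."""
    _ts, link, gt, op, _msisdn = record
    if op not in SUBSCRIBER_INFO_OPS:
        return None  # not a subscriber-information query
    if link == "interconnect" and gt.startswith(HOME_GT_PREFIXES):
        # A home-network GT should never arrive from outside: impersonation candidate.
        return "home-gt-from-outside"
    if link == "interconnect" and not gt.startswith(ROAMING_PARTNER_PREFIXES):
        # Query from an origin with no roaming relationship: unexpected signaling path.
        return "unknown-origin-query"
    return None  # internal traffic or allowlisted roaming partner

def findings_by_msisdn(records):
    """Group findings per MSISDN so they can be tied to affected users in a case."""
    out = defaultdict(list)
    for rec in records:
        label = classify(rec)
        if label:
            out[rec[4]].append((rec[0], rec[2], label))
    return dict(out)

if __name__ == "__main__":
    for msisdn, hits in findings_by_msisdn(SAMPLE_RECORDS).items():
        print(msisdn, hits)
```

The roaming-partner allowlist is the false-positive control here; in practice it would come from the carrier's roaming agreements rather than a hard-coded tuple.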

Mitigation priorities

  • Establish ownership for mobile signaling risk across security, telecom/vendor management, executive protection, and incident response teams.
  • For critical users or operations, require documented procedures for obtaining and preserving carrier or mobile-network evidence during suspected tracking incidents.
  • Use the ATT&CK relationship to prioritize control validation around mobile identity and location privacy, especially where business processes depend on phone numbers or mobile availability.
  • Because the official detection strategy is sparse, supplement ATT&CK mapping with local architecture review, provider assurance, and incident tabletop exercises rather than relying on endpoint controls alone.
Analyst notes and limits

This take is based on DET0662, a detection strategy in the mobile-attack domain, and its relationship to T1430.002, Impersonate SS7 Nodes. The related technique describes adversaries exploiting lack of authentication in signaling system network nodes to query subscriber information and track mobile device location by impersonating internal nodes.

The official object provides no description, no detection text, no tactics, and no platforms for the detection strategy itself. The only concrete behavioral context comes from the relationship to T1430.002 and the external MITRE reference. Local telecom architecture, provider visibility, and mobile-risk requirements are required to turn this into operational coverage.

Official MITRE ATT&CK definition

Detection of Impersonate SS7 Nodes

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1430.002 | Impersonate SS7 Nodes (Sub-technique) | This object detects Impersonate SS7 Nodes. |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9bb5563cf7b60322...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9bb5563cf7b6… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0662

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.