T1430.002: Impersonate SS7 Nodes
Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.[1][2][3][4][5]
By providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.[1]
Analyst context for executives and security teams
This technique matters because the target is not necessarily the phone itself, but the mobile signaling ecosystem around it. By impersonating SS7 network nodes and querying subscriber information tied to a victim phone number, an adversary may determine a device’s approximate cell area or nearest tower. For executives and security leaders, the business issue is location privacy, executive protection, workforce safety, and reliance on carrier-side controls that may sit outside normal enterprise endpoint or mobile device management visibility.
Executive priority
Treat this as a third-party and telecom-resilience risk, not just a mobile endpoint issue. Organizations with high-risk personnel, regulated privacy obligations, or cyber-physical exposure should ask carriers and mobile service providers what SS7 interconnection filtering and inappropriate-request blocking are in place, what evidence can be provided, and how suspected location-tracking incidents would be escalated. Budget and control decisions should prioritize provider assurance, incident response playbooks for mobile-location exposure, and evidence suitable for audit or executive protection reviews.
Technical view
ATT&CK lists Android and iOS as affected platforms, but the described behavior occurs through SS7 signaling and impersonated network nodes rather than an app or device-local API. SOC, IR, and detection engineering teams should validate whether they have any visibility into carrier signaling events, interconnection filtering alerts, roaming/location-query records, or provider reports. Official ATT&CK detection text is not provided; however, a related detection strategy, DET0662, is associated with this object, and mitigation M1014 points to interconnection filtering between network operators to block inappropriate requests.
Likely telemetry
- SS7 signaling logs or summaries from mobile network/operator environments
- Interconnection filtering allow/block events between network operators
- Subscriber information query records associated with MSISDN/phone number lookups
- Roaming, location update, or cell-area query records where available from the carrier
- Provider incident reports or assurance evidence related to inappropriate SS7 requests
Detection direction
- Confirm whether detection responsibility sits with the enterprise, mobile carrier, managed telecom provider, or another third party; most enterprises will not see SS7 node activity directly.
- Validate what DET0662-equivalent logic or provider monitoring exists for impersonated or inappropriate signaling requests, without assuming ATT&CK provides the detection details.
- Tune triage around unusual or unauthorized subscriber-location queries, especially when tied to protected personnel or sensitive travel, while accounting for legitimate carrier operations and roaming behavior.
- Document visibility gaps explicitly: endpoint EDR, MDM, and mobile OS logs may not show this behavior because the technique is network-signaling based.
- Correlate any provider alerts with executive protection, incident response, and privacy workflows rather than treating them as ordinary mobile malware alerts.
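As an added, constructed illustration of the triage and interconnection-filtering direction above (not ATT&CK or Glexia material, and not any carrier's real logic): a small Python filter that classifies subscriber-location query records by origin and roaming state, raises severity for protected numbers, and counts repeated queries per MSISDN. The record format, operator identifiers, query-type labels and phone numbers are all assumptions.

```python
from collections import Counter
# Assumed operator identifiers (constructed): our own network plus partners with
# a signed interconnect agreement; any other origin is unexpected.
HOME = "OP-HOME"
TRUSTED_PARTNERS = {HOME, "OP-ROAM-A"}
# Assumed labels for query types that reveal where a subscriber is; a partner
# only needs these for a subscriber actually roaming on its network.
LOCATION_QUERIES = {"subscriber_info", "routing_info", "location_query"}
# Constructed MSISDNs of protected personnel (raise triage severity)
PROTECTED = {"+15550100"}
FIELDS = ("ts", "origin", "qtype", "msisdn", "roaming_on")

def parse(line):
    """Parse one constructed 'ts|origin|qtype|msisdn|roaming_on' record.
    roaming_on is the network the subscriber is registered on ("" = home)."""
    return dict(zip(FIELDS, line.split("|")))

def classify(q):
    """Return a triage label, or None when the record looks legitimate."""
    if q["qtype"] not in LOCATION_QUERIES:
        return None
    if q["origin"] not in TRUSTED_PARTNERS:
        return "block: location query from non-partner origin"
    if q["origin"] != HOME and q["roaming_on"] != q["origin"]:
        return "review: partner queried a subscriber not roaming on it"
    return None

def triage(lines):
    """Flag inappropriate location queries and count repeats per MSISDN."""
    findings, per_msisdn = [], Counter()
    for line in lines:
        q = parse(line)
        label = classify(q)
        if label is None:
            continue
        per_msisdn[q["msisdn"]] += 1
        severity = "high" if q["msisdn"] in PROTECTED else "medium"
        findings.append((q["ts"], severity, q["origin"], q["msisdn"], label))
    repeated = {m: n for m, n in per_msisdn.items() if n >= 2}
    return findings, repeated

# Constructed sample records, not real carrier data
SAMPLE = [
    "2026-01-10T08:00:00Z|OP-HOME|subscriber_info|+15550100|",
    "2026-01-10T08:01:00Z|OP-ROAM-A|routing_info|+15550123|OP-ROAM-A",
    "2026-01-10T08:02:00Z|OP-UNKNOWN|subscriber_info|+15550100|",
    "2026-01-10T08:03:00Z|OP-UNKNOWN|location_query|+15550100|",
    "2026-01-10T08:04:00Z|OP-ROAM-A|location_query|+15550123|",
    "2026-01-10T08:05:00Z|OP-ROAM-A|sms_delivery|+15550123|OP-ROAM-A",
]
```

Running `triage(SAMPLE)` yields two high-severity "block" findings for the protected number from the unknown origin (counted as a repeat) and one medium "review" finding where a partner queried a home subscriber.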
Mitigation priorities
- Prioritize M1014 Interconnection Filtering: obtain confirmation that carrier/operator interconnections filter and block inappropriate SS7 requests as described by CSRIC guidance.
- Include SS7 signaling-risk questions in telecom procurement, carrier reviews, and managed mobility due diligence.
- Maintain an incident response path for suspected mobile-location tracking that includes carrier escalation and preservation of relevant signaling evidence.
- For high-risk users, pair telecom assurance with operational controls such as travel-risk procedures and rapid number/device change processes where appropriate.
- Use compliance and risk reviews to capture what evidence the organization can and cannot obtain from providers.
Analyst notes and limits
This is a sub-technique of T1430 Location Tracking and replaces the revoked T1450 Exploit SS7 to Track Device Location. The supplied relationship to S0602 Circles indicates reported use of SS7 weaknesses by that software, including mobile-device location tracking, but this analysis does not infer current activity or customer exposure from that relationship alone.
ATT&CK provides no official detection text and no tactic for this object. Practical detection and mitigation depend heavily on carrier/operator telemetry and interconnection controls that may be outside enterprise control. Local provider contracts, available evidence, and incident escalation paths are required to assess real coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1430 | Location Tracking | This object is a sub-technique of Location Tracking. |
| Mobile | T1450 | Exploit SS7 to Track Device Location | Exploit SS7 to Track Device Location was revoked by this object. |
Groups, software, and campaigns
S0602: Circles
Circles reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company’s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | bdcfe9b8a94b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Engel-SS7: Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate. Retrieved December 19, 2016.
[2] Engel-SS7-2008: Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.
[3] 3GPP-Security: 3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.
[4] Positive-SS7: Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.
[5] CSRIC5-WG10-FinalReport: Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.
[6] CSRIC-WG1-FinalReport
[7] NIST Mobile Threat Catalogue CEL-38
[8] mitre-attack T1430.002
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.