Cellular Network Attack


Cellular network attack on a high-level Tibetan functionary. Mar 14, 2025

TLP: WHITE (Indicates that this information is the least restrictive classification, and can be shared freely with the public without limitations.)

Background

On March 14, 2025, we were contacted with a request from a high-level Tibetan functionary, who reported receiving multiple abnormal roaming messages from his cellular provider stating “Welcome to China”.

Summary

The combination of signal loss, call interference, and multiple “Welcome to China” messages points to a sophisticated attack rather than a benign error or coincidence.

During our incident response, we analyzed the victim’s phone logs and traffic data, finding no suspicious activity or anomalies to suggest the phone was compromised.

Initially, our hypothesis was that the victim phone was targeted with a SIM cloning attack, but after consulting with an expert, we realized it was not a SIM cloning attack but a Cellular Network Attack.

The attacker likely obtained the victim’s phone number and used advanced cellular network methods (such as an IMSI catcher [1], or an IPX operator [2] and an HLR query [3]) to identify the target’s IMSI [4] number.

The attacker could then have gained access to the victim’s phone by manipulating the device’s network registration using SS7 [5] and DIAMETER [6], or traffic steering techniques, in order to track the device’s location, monitor its movement, and identify its contacts.

Investigation Process

As we conducted our investigation, the initial concern that emerged was the potential compromise of his phone. We asked the victim a few questions, including his thoughts on why he might have received such messages, along with additional inquiries such as whether he had experienced loss of cellular signal, background noise during calls, and the specific “Welcome to China” SMS messages from his cellular provider.

We came to know that he had experienced the following abnormal activities with his mobile phone:

- Loss of cellular signal
- Background noise during calls
- Multiple “Welcome to China” SMS messages from the cellular provider

Loss of cellular signal: The device experienced signal drops, which could indicate network congestion or poor network coverage. Signal loss alone is not conclusive, but paired with the other indicators it suggests a coordinated issue beyond typical network fluctuation.

Background noise during calls: Unexplained noise during calls could come from poor signal quality, device malfunction, a man-in-the-middle attack, or a Cellular Network Attack.

“Welcome to China” SMS messages: Three SMS messages were received, each claiming the device had entered China. This is a standard roaming notification from a cellular provider when a device is registered with a foreign network.

Fig. 1: SMS message received by the high-level Tibetan functionary

Initial Hypothesis

- Physical proximity to China
- Cellular provider error
- SIM cloning/attack
- Cellular Network Attack

Detailed analysis:

Proximity to China: If the device user was near a Chinese border (e.g., Ladakh, Arunachal Pradesh, etc.), their phone could have briefly connected to a Chinese cell tower, or the person was actively traveling in China. This scenario was quickly ruled out after discussing it with the person, who had not recently visited a border area.

Cellular Provider Error: While a system malfunction at the cellular network provider could theoretically trigger erroneous roaming messages, this was deemed unlikely. The generation of three such messages within a short time frame is improbable under normal error conditions. Welcome SMS messages are typically sent when a user’s home network detects a new registration event corresponding to the Mobile Country Code (MCC) and Mobile Network Code (MNC) of a roaming partner. In the case of a genuine network error, multiple users would typically be affected, not just a single device. However, only the victim’s phone received the Welcome SMS messages, with no indication of others experiencing similar roaming alerts. Furthermore, when the victim contacted the cellular provider, customer service stated they would escalate the issue to higher authorities. Had there been a system malfunction, the provider would likely have acknowledged the issue and notified the user. Since this did not occur, a provider-side error was ruled out.

SIM Cloning: SIM cloning involves duplicating SIM card identifiers (IMSI, Ki) to intercept communications. The “Welcome to China” messages could indicate the cloned SIM registering on a Chinese network. However, SIM cloning is a static condition and would likely not result in intermittent network access or in a user receiving a Welcome SMS message.

Cellular Network Attack: The victim’s symptoms, multiple “Welcome to China” messages (likely roaming Welcome SMS messages) combined with signal loss and service interference, indicate manipulation of the device’s mobile network registration using either SS7 and DIAMETER, or traffic steering techniques.

How did the Cellular Network Attack occur?

The IMSI number is essential for a Cellular Network Attack because it serves as the primary identifier for a subscriber within a mobile network. During our analysis of the Cellular Network Attack and of how the attacker might have obtained the IMSI number, we explored several attack vectors and the following scenarios:

A. Physical access to the device
B. Phone compromise
C. Cellular Network Attack

During the investigation, we learned that the individual’s phone had never been accessed by a third party, as he was digitally savvy and adhered to security best practices. As such, we ruled out scenario A.

While investigating whether the phone was compromised, we performed a log analysis using MVT (Mobile Verification Toolkit) to detect any signs of a Pegasus attack [7]. Additionally, we captured the phone’s network traffic with WireGuard and analyzed it, finding no evidence of a phishing attack, malicious traffic, or Pegasus infection. Therefore, we ruled out scenario B.

Through the process of elimination, only scenario C (Cellular Network Attack) was left for us to investigate further. It is clear that the attackers were carrying out a Cellular Network Attack using the IMSI number of the victim’s phone. In terms of how the attackers were able to determine the IMSI, it could have been done through the following two methods:

- The attacking network identifies the location of a target IMSI (or IMSIs) using multiple possible techniques, including a fake or portable base station (if outside of the attacker network footprint).
- Alternatively, a target user’s IMSI and country location can be acquired using other network procedures, such as through an IPX operator or by using an HLR query.

Possible Cellular Network Attack techniques used on the target victim’s phone:

(1) Traditional Signaling Attack

Using traditional 3G and 4G network vulnerabilities, an attacking network can fake and/or manipulate user registration, fork/split phone calls, redirect communication and deny service.

- Fake Registration - The attacker uses the target’s IMSI to send user authentication messages to intercept device authentication messages (for use in fake base stations), or registration messages to temporarily redirect communications.
- Eavesdropping - Using a call forking signaling technique, the attacker could intercept or listen to a target’s communication, such as VoLTE phone calls.
- Denial of Service - A fake registration attempt can have the temporary effect of knocking the target user off the network or degrading service. Alternatively, a signaling application can use signaling to temporarily deny registration or repeatedly knock a device off of the network.

(2) Network Traffic Steering

This is an advanced technique in which attackers manipulate network traffic steering, also known as Anti Steering of Routing (Anti-SoR) or Seamless Capture of Roaming (SCAP). The attacker uses multiple Anti-SoR techniques to capture all network registrations, or a single one, to force a user’s device to register onto an adversary network.

Steering Circumvention Technique – An attacking network application fakes the target user’s IMSI and sends repeated location update (registration) messages to force the target user’s home network operator to accept it. Typically, networks will allow a user to register to a non-preferred network after a certain number of attempts (this is a network-configurable parameter).

Kidnap Retention Technique (basic) – The attacking network sends fake location update messages for the user’s IMSI in response to the target user’s home network sending a periodic cancel location message (this may happen based on different conditions), thus preventing the user from leaving the attacking network.

Kidnap Retention Technique (advanced) – This advanced technique from the attacking network uses a combination of messages in succession designed to influence the target user’s network to retain a user’s registration on the attacking network.
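The registration behaviour described in the provider-error analysis (a Welcome SMS fires when the home network sees a registration from a roaming partner’s MCC/MNC), in the fake-registration bullet, and in the steering circumvention and kidnap retention techniques above all leave traces on the home network side, in the sequence of Update Location and Cancel Location events for one IMSI. The following is an added example, not code from the original report or from the victim’s provider; it models a home-network plausibility check over a constructed event log. The thresholds, the home MCC (404, India), the PLMN id 40499 and the IMSI are all assumptions chosen for illustration, and a real signaling firewall would use distance-based travel tables rather than a single fixed window.

```python
"""Home-network plausibility checks over registration events (added example).

Each event is either an Update Location ("UL") received from a serving
network or a Cancel Location ("CL") sent by the home network to a serving
network. The checks flag the signatures discussed in the text:
  - impossible_travel:        a country change too soon after the last registration
  - steering_circumvention:   repeated ULs from one non-preferred network
  - kidnap_retention:         a UL that answers a CL within seconds
The welcome list records where a roaming Welcome SMS would be sent.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

HOME_MCC = "404"                                  # India (assumption)
IMPLAUSIBLE_COUNTRY_CHANGE = timedelta(hours=1)   # constructed threshold
RETRY_WINDOW = timedelta(minutes=10)              # constructed threshold
RETRY_LIMIT = 3                                   # ULs allowed per VPLMN in the window
KIDNAP_WINDOW = timedelta(seconds=10)             # UL answering a CL this fast is suspect


@dataclass(frozen=True)
class Event:
    ts: datetime
    imsi: str
    op: str       # "UL" = Update Location from serving network, "CL" = Cancel Location from home
    vplmn: str    # serving network PLMN id, MCC followed by MNC, e.g. "46000"


def split_plmn(plmn: str) -> tuple[str, str]:
    """Split a PLMN id into (MCC, MNC): MCC is 3 digits, MNC is 2 or 3 digits."""
    if not plmn.isdigit() or len(plmn) not in (5, 6):
        raise ValueError(f"bad PLMN id: {plmn!r}")
    return plmn[:3], plmn[3:]


def analyze(events):
    """Return (welcome, findings).

    welcome:  list of (imsi, mcc, ts) for which a Welcome SMS would be sent.
    findings: list of (rule, imsi, vplmn, ts), one tuple per triggered rule.
    """
    welcome, findings = [], []
    last_ul = {}                      # imsi -> last accepted UL event
    last_cl = {}                      # (imsi, vplmn) -> ts of last CL sent
    recent_uls = defaultdict(deque)   # (imsi, vplmn) -> UL timestamps in window

    for ev in sorted(events, key=lambda e: e.ts):   # stable: keeps CL before a later UL at equal ts
        if ev.op == "CL":
            last_cl[(ev.imsi, ev.vplmn)] = ev.ts
            continue

        mcc, _ = split_plmn(ev.vplmn)
        prev = last_ul.get(ev.imsi)
        prev_mcc = split_plmn(prev.vplmn)[0] if prev else HOME_MCC

        if mcc != prev_mcc:
            # New country: the home network would send a Welcome SMS for a foreign MCC.
            if mcc != HOME_MCC:
                welcome.append((ev.imsi, mcc, ev.ts))
            if prev and ev.ts - prev.ts < IMPLAUSIBLE_COUNTRY_CHANGE:
                findings.append(("impossible_travel", ev.imsi, ev.vplmn, ev.ts))

        # Sliding window of ULs from this VPLMN; fire once when the limit is crossed.
        window = recent_uls[(ev.imsi, ev.vplmn)]
        window.append(ev.ts)
        while window and ev.ts - window[0] > RETRY_WINDOW:
            window.popleft()
        if len(window) == RETRY_LIMIT + 1:
            findings.append(("steering_circumvention", ev.imsi, ev.vplmn, ev.ts))

        # A UL from the very network we just cancelled, within seconds, is the kidnap pattern.
        cl_ts = last_cl.get((ev.imsi, ev.vplmn))
        if cl_ts is not None and timedelta(0) <= ev.ts - cl_ts <= KIDNAP_WINDOW:
            findings.append(("kidnap_retention", ev.imsi, ev.vplmn, ev.ts))

        last_ul[ev.imsi] = ev
    return welcome, findings


# Constructed event log for one subscriber (IMSI and PLMN 40499 are placeholders).
T0 = datetime(2025, 3, 14, 9, 0, 0)
IMSI = "404990000000001"
SAMPLE_EVENTS = [
    Event(T0, IMSI, "UL", "40499"),                                  # genuine attach at home
    Event(T0 + timedelta(minutes=5), IMSI, "UL", "46000"),           # foreign UL 5 min later
    Event(T0 + timedelta(minutes=20), IMSI, "UL", "40499"),          # device re-attaches at home
    Event(T0 + timedelta(minutes=20), IMSI, "CL", "46000"),          # home cancels the foreign registration
    Event(T0 + timedelta(minutes=20, seconds=3), IMSI, "UL", "46000"),  # UL answers the CL in 3 s
    Event(T0 + timedelta(minutes=24), IMSI, "UL", "46000"),
    Event(T0 + timedelta(minutes=26), IMSI, "UL", "46000"),
    Event(T0 + timedelta(minutes=28), IMSI, "UL", "46000"),          # 4th UL from 46000 inside 10 min
]

if __name__ == "__main__":
    welcome, findings = analyze(SAMPLE_EVENTS)
    for imsi, mcc, ts in welcome:
        print(f"{ts:%H:%M:%S} Welcome SMS to {imsi} for MCC {mcc}")
    for rule, imsi, vplmn, ts in findings:
        print(f"{ts:%H:%M:%S} {rule:<22} imsi={imsi} vplmn={vplmn}")
```

Run against the constructed log, the check produces two Welcome SMS events for MCC 460 and five findings: three impossible-travel flags (India to China in five minutes, back in fifteen, and back again in three seconds), one kidnap-retention flag for the Update Location that answers the Cancel Location, and one steering-circumvention flag on the fourth Update Location from the same network inside the window. The point for a defender is that every one of these is visible on the home network before the subscriber ever sees a “Welcome to China” message.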
