Faster response
We constantly monitor and track signaling events worldwide, helping us detect attacks sooner and advise our customers on protective countermeasures.
As a center of excellence in telecoms signaling security, we utilize the experience from global deployments of our Adaptive Signaling Firewall to provide expert signaling security intelligence services. Our signaling security experts can augment your mobile network security team or security operations center.
Signaling threat intelligence is a managed service providing analyzed, contextualized, and correlated insights to augment signaling security in mobile networks. Our threat intelligence is more than information: it is actionable insight that allows you to adapt defenses before attacks happen.
Stay ahead of SS7, Diameter, GTP, and 5G threats with an expert-managed threat intelligence service that keeps your signaling firewall continuously aligned with how attackers behave in the real world. Our threat intelligence services transform static configuration into an adaptive defense layer that evolves as quickly as the threat landscape.
Most signaling attacks appear as legitimate messages and can be detected only by correlating activity across many networks and identifying the threat actors. An expert threat intelligence service gives you that global view and detailed knowledge of methods and threat actors, revealing when “normal” traffic is actually part of a coordinated tracking, interception, or probing campaign. Instead of relying on one-off rules and baseline examples, your defenses are enriched with continuously updated insights. We track the threat actors, their attacks, and methods.
Simple signaling firewalls can block clearly invalid or prohibited messages, but struggle with suspicious messages: Category 2 and 3 events where traffic is syntactically correct but the context suggests it is malicious. Managed threat intelligence adds the missing context, combining local filtering with global patterns to distinguish genuine roaming and service usage from abuse.
Signaling threats are usually posed by advanced threat actors with the resources to develop attacks that avoid detection and persist until the right moment to strike. Detecting signaling threats and attacks requires in-depth knowledge of telecom signaling protocols, attack techniques, and threat actors. This expertise constitutes an understanding of the context in which signaling attacks occur, and it is what Enea has developed and refined over many years.
Our threat intelligence service is tailored to operators' needs, drawing on extensive expertise in signaling and mobile security to understand, defend against, and react to suspicious signaling activity. We collate statistics, suspect traffic profiles, and subscriber reports from around the world and generate new threat signatures that are automatically updated within each network deployment. The service provides several benefits to mobile network operators:
These are summaries of a few cases where our threat intelligence and research have played pivotal roles in detecting and defending mobile network operators against various signaling threats.
Analysis by Enea’s threat intelligence unit identified a previously unknown signaling threat actor, which was given the name HiddenArt. The assessment is that HiddenArt is a government-controlled Russian threat actor. The attacks involved attempts to track individuals’ locations and intercept their communications, using SS7.
HiddenArt used multiple methods to hide its real identity, including spoofing Global Titles. The signaling messages seemed to come from GTs linked to a group of African networks. The responses sent to these operators were exfiltrated somewhere along their route back.
Detection required correlating signaling data across multiple networks and examining recurring infrastructure and message patterns over time. Repeated use of specific Global Titles, message sequences, and routing paths enabled Enea’s analysts to associate the traffic with a single actor rather than unrelated incidents. This association helped differentiate malicious requests from normal roaming or interconnect signaling.
Description of how HiddenArt was identified
The investigation demonstrates why tracking threat actors is essential in signaling security. Individual malicious messages might look identical to legitimate signaling transactions when seen alone. Only by connecting activities over time, across infrastructure, and networks can operators detect coordinated surveillance efforts and apply targeted blocking rules.
We helped our customers block attacks from HiddenArt. The threat actor has kept conducting attacks and reconnaissance after the initial incidents, spoofing other networks and targeting new individuals. By tracking this threat actor’s activities, we have been able to detect and stop their attacks within the networks we protect.
Enea’s threat intelligence unit detected SS7 signaling messages that slightly deviated from the norm. Specifically, we noticed that the information in the TCAP segment was encoded in an unusual manner. Although this encoding did not formally violate protocol rules, it was uncommon. The goal was to confuse signaling firewalls so that when they couldn’t decide whether to block the message, they would allow it to avoid disrupting legitimate communication. As a result, the threat actor was able to access the location data of the targeted individuals.
Complete description of the attack
New techniques to bypass signaling firewalls regularly emerge. Enea’s discovery of the new SS7 bypass method highlights why deep expertise in signaling protocols, threat actor motives, and behavior is crucial. In this case, the encoding flexibility allowed attackers to manipulate message structures without explicitly breaking protocol rules. Recognizing this required understanding the nuances of SS7/TCAP and how these specific messages differed from typical encoding patterns. It also involved correlating with known surveillance tactics. Understanding why a threat actor might attack helps explain how they do it, which in turn aids in detecting these attacks. Without ongoing threat intelligence, this covert method likely would have gone unnoticed.
Enea’s threat intelligence team detected unusual binary SMS messages being sent across operator networks. These messages contained strange command-like structures, unlike typical signaling or over-the-air management traffic. This anomaly prompted a deeper investigation. Further analysis revealed that the binary SMS messages were used to trigger devices’ SIM cards to respond without the recipient’s knowledge, providing targets’ current location and other data to the attackers. Enea named this attack Simjacker and attributed it to a private surveillance company, likely working on behalf of a government or government-sponsored entity. When Enea discovered Simjacker, it represented a completely new attack method—more complex and sophisticated than anything seen before. Only through detailed threat intelligence efforts was it identified and mitigated. At the time of discovery, Enea estimated that around 1 billion mobile users could be vulnerable to it.
Full description of Simjacker and technical paper
Simjacker illustrates how advanced mobile threats can persist unnoticed if no specialized threat intelligence monitors traffic. Because the attack leverages SIM‑resident functionality rather than malformed or policy‑violating signaling messages, the activity appears legitimate at the protocol layer. Enea identified the threat by monitoring unusual behavior and correlating signaling events over time, demonstrating the value of continuous, network‑level signaling threat intelligence.
The impact of this work was substantial. We worked with operators and SIM manufacturers to block active attacks and develop long-term defenses, enhancing security against SIM-based exploits. Our findings, shared through industry channels, led to updates in filtering rules, SIM applet configurations, and threat intelligence practices. By revealing Simjacker, Enea stopped an active surveillance campaign and contributed to improvements in mobile security.
Our research into 5G network slicing security uncovered a fundamental flaw in the 5G core architecture that allowed malicious actors to gain unauthorized access across slice boundaries. We demonstrated how weaknesses in the design of virtualized network functions and slice isolation could enable attacks such as location tracking, data extraction, and denial of service against enterprise customers relying on dedicated slices.
Through detailed analysis of slice orchestration, inter‑slice communication, and virtualization layers, we identified how attackers could exploit these gaps before many operators had large-scale slicing deployments. Working with GSMA, operators, and standards bodies, we helped drive architectural updates and best practices to prevent cross‑slice exposure.
Read the full description and technical paper
The findings emphasize the importance of proactive and predictive threat research. Knowing how threat actors operate today and understanding their motives helps us anticipate how new technologies or features might be exploited and how future attacks could be planned.
Key insights on how the signaling threat landscape evolved in 2025, as observed by Enea's Threat Intelligence Unit.
Enea detected a new SS7 bypass attack exploiting an unusual TCAP encoding technique. This is how it was detected and mitigated.
GSMA's Mobile Threat Intelligence Framework was chaired by Enea's Cathal McDaid. It was developed to improve threat intelligence sharing within telecoms. This blog explains what it is and why it is needed.
Globe CISO Anton Bonifacio, Kyivstar CTO Volodymyr Lutchenko, and Enea SVP of Security John Hughes share practical learnings of building a security organization.
The core of your signaling defense, the Adaptive Signaling Firewall is a cross-correlating SS7, Diameter, GTP-C, and 5G firewall protecting 1 billion subscribers globally.
Understand and predict threats targeting your network. The Signaling Intelligence Layer provides a series of dashboards presenting threat intelligence insights, curated and contextualized by Enea’s threat intelligence team.
We provide signaling penetration testing through independent partners to ensure a just and trustworthy validation of any signaling firewall, including our own Adaptive Signaling Firewall.
Use our contact form to get in touch with sales or our signaling security specialists. We are happy to answer any questions, discuss your signaling security needs, introduce our signaling security solutions, and provide a demo.