STA1

STA1 is a persistent and technically sophisticated telecom surveillance threat actor identified by Citizen Lab in 2025 as one of two covert surveillance actors exploiting structural weaknesses in global mobile telecom signalling protocols for long-running, targeted location-tracking espionage. Citizen Lab described STA1 as operating long-running espionage campaigns and assessed its tradecraft as consistent with a centralized, multi-tenant commercial telecom surveillance platform supporting government intelligence activities, but did not directly attribute it to a specific government or organization. STA1 exploits weaknesses in SS7 and Diameter/4G signalling rather than software vulnerabilities, abusing telecom trust relationships and third-party interconnect access to masquerade as legitimate operator traffic. Its tradecraft includes aggressive routing manipulation, operator and hostname spoofing, rapid switching between SS7 and Diameter to identify firewall weaknesses, and manipulation of Diameter Origin-Host, Origin-Realm, and Route-Record fields to conceal origin and influence routing. Citizen Lab reported that STA1 can blend into legitimate roaming traffic through third-party telecom interconnect providers and uses routing mismatches against operator IR.21 filings as part of its operational footprint. A documented STA1 operation occurred on November 25, 2024 against a high-value “VVIP” subscriber at a Middle Eastern operator. The attack began with an SS7 sendRoutingInfoForSM reconnaissance attempt from SEATEL in Cambodia, followed by SS7 provideSubscriberInfo probes while cycling through operator identities across Cambodia, Mozambique, Sweden, Italy, Liechtenstein, and Uganda. STA1 then pivoted to Diameter Insert-Subscriber-Data-Request messages via Tango Networks in the UK and 019Mobile in Israel, later reverting to SS7 and escalating to anyTimeInterrogation commands. Citizen Lab also reported a spoofed Diameter combination using an AIS Thailand Origin-Host with a China Unicom Origin-Realm to steer traffic through alternate interconnect paths. Historical telemetry cited by Citizen Lab links STA1 to more than 500 observed location-tracking attempts dating back to at least 2022. Reported targeting included subscribers across Thailand, South Africa, Norway, Bangladesh, Denmark, Sweden, Malaysia, Montenegro, and multiple Sub-Saharan African countries. Recurring gateway or transit networks in the broader STA1 surveillance ecosystem included 019Mobile, Airtel Jersey/Sure, and Tango Networks. Known alias in the provided content: STA1.