STA2

STA2 is a surveillance threat actor identified by Citizen Lab as one of two distinct actors, alongside STA1, operating long-running mobile espionage campaigns since at least 2022. Citizen Lab did not directly attribute STA2 to a specific government or organization, but assessed the activity as likely state-sponsored intelligence operations supported by commercial surveillance platforms. The reporting also states that STA2 showed strong technical fingerprints linking it to Fink Telecom Services of Switzerland. STA2 uses a technically distinct mobile surveillance approach that combines network-level signalling abuse with device-level exploitation. In early 2025, including an observed campaign on February 11, 2025, STA2 used SS7 probing together with a SIMjacker-style malicious binary SMS exploiting the SIM card’s S@T Browser. The actor sent specially crafted OTA SMS messages with TP-PID=127 and TP-DCS=22 to invoke TLV bytecode commands on the SIM card, silently collect location-related data including Cell ID, LAC, MCC, and MNC, and exfiltrate that data via an invisible SMS to an SMSC in Liechtenstein identified as FL1. The activity was described as zero-click and leaving no visible trace or requiring user interaction. Observed STA2 tradecraft includes SS7 provideSubscriberInfo probing through Telenabler AB in Sweden; delivery of an SS7 mt-ForwardSM carrying the malicious binary SMS; use of a spoofed SMS sender address mapped to an Airtel Rwanda Global Title range; and follow-on Diameter probing and location-query activity. After the SIM exploitation attempt, STA2 pivoted to Diameter Authentication-Information-Request messages with malformed Visited-PLMN ID 0000 and then to Insert-Subscriber-Data-Request queries. The actor spoofed Diameter identifiers associated with operators in Poland, Switzerland, Morocco, Namibia, Lesotho, and Mozambique, and consistently used the Route-Record host dra1.je211.epc.mnc003.mcc234.3gppnetwork.org, indicating a fixed entry path through Jersey-Airtel infrastructure. Citizen Lab reported that STA2 logged more than 15,700 location-tracking attempts dating back to October 2022. The actor’s operations fit a broader surveillance ecosystem abusing weaknesses in SS7 and Diameter/4G trust relationships, bypassing telecom firewalls, blending into legitimate roaming traffic through third-party interconnect providers, and exploiting weak screening and authentication in global telecom signalling networks.