Detection of Impersonate SS7 Nodes

ID: DET0662
Domains: Mobile
Analytics: AN1753, AN1754
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1753

Defender observes anomalous signaling network queries targeting subscriber information associated with a device, including unexpected routing requests, location information exchanges, or node-origin inconsistencies indicative of SS7 signaling abuse. [1] The CSRIC also suggests threat information sharing between telecommunications industry members.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | TelecomLogs:SS7Signaling | Subscriber information queries, routing requests, or location update messages with anomalous node identifiers or unexpected origin patterns |
| Network Traffic Flow (DC0078) | TelecomLogs:MobilityEvents | Unexpected location resolution events or abnormal subscriber tracking requests |

Mutable Elements

| Field | Description |
|---|---|
| NodeIdentityDeviationThreshold | Defines acceptable variance for signaling node identifiers |
| SubscriberQueryFrequencyThreshold | Baseline-dependent threshold for excessive subscriber queries |
| GeographicRoutingDeviation | Expected signaling path vs observed routing anomalies |

AN1754

Defender observes anomalous signaling interactions involving subscriber identity or location resolution events associated with a device, including abnormal routing requests, unexpected location information exchanges, or signaling node inconsistencies indicative of SS7 abuse. [1] The CSRIC also suggests threat information sharing between telecommunications industry members.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | TelecomLogs:SS7Signaling | Location resolution, routing, or subscriber information exchanges with anomalous signaling paths or node identities |
| Network Traffic Flow (DC0078) | TelecomLogs:MobilityEvents | Unexpected subscriber tracking or abnormal mobility/location resolution activity |

Mutable Elements

| Field | Description |
|---|---|
| LocationQueryAnomalyThreshold | Baseline deviation tolerance for location resolution events |
| SignalingPathDeviationThreshold | Expected vs observed signaling routing paths |
| SubscriberResolutionFrequency | Threshold for abnormal resolution or lookup behavior |
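
Added example (not part of the original detection strategy): a minimal sketch of how AN1753 and AN1754 could be evaluated over parsed TelecomLogs:SS7Signaling records, flagging subscriber or location queries from unrecognized origin nodes and per-subscriber query bursts. The record layout, the allowlist of global-title prefixes, the window length and the threshold value are assumptions; the sample events are constructed.

```python
from collections import defaultdict

# Assumed tunables, named after the page's mutable elements; values are illustrative.
SUBSCRIBER_QUERY_FREQUENCY_THRESHOLD = 3   # queries per origin/subscriber per window
WINDOW_SECONDS = 300
# Assumed allowlist of global-title prefixes for known partner nodes (constructed).
# A prefix allowlist is a simplification of NodeIdentityDeviationThreshold.
KNOWN_NODE_GT_PREFIXES = ("4917", "4477")
# MAP operations that resolve subscriber identity or location.
SENSITIVE_OPS = {"sendRoutingInfoForSM", "provideSubscriberInfo", "anyTimeInterrogation"}

# Constructed sample records: (epoch_seconds, origin_gt, map_operation, imsi)
SAMPLE_EVENTS = [
    (1000, "491700000001", "updateLocation", "001010000000001"),
    (1010, "999900000042", "anyTimeInterrogation", "001010000000001"),
    (1020, "447700000009", "sendRoutingInfoForSM", "001010000000002"),
    (1060, "447700000009", "sendRoutingInfoForSM", "001010000000002"),
    (1120, "447700000009", "provideSubscriberInfo", "001010000000002"),
    (1180, "447700000009", "provideSubscriberInfo", "001010000000002"),
    (2000, "447700000009", "sendRoutingInfoForSM", "001010000000002"),
]

def detect(events):
    """Return a list of (timestamp, origin_gt, imsi, reason) alerts."""
    alerts = []
    recent = defaultdict(list)  # (origin_gt, imsi) -> timestamps inside the window
    for ts, gt, op, imsi in sorted(events):
        if op not in SENSITIVE_OPS:
            continue  # only subscriber/location resolution queries are scored
        # Node-origin inconsistency: query arrives from a node outside the allowlist.
        if not gt.startswith(KNOWN_NODE_GT_PREFIXES):
            alerts.append((ts, gt, imsi, "unknown-origin-node"))
        # Sliding window of queries from this origin about this subscriber.
        window = [t for t in recent[(gt, imsi)] if ts - t < WINDOW_SECONDS]
        window.append(ts)
        recent[(gt, imsi)] = window
        if len(window) > SUBSCRIBER_QUERY_FREQUENCY_THRESHOLD:
            alerts.append((ts, gt, imsi, "query-frequency-exceeded"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the threshold and allowlist would come from a per-network baseline, as the "baseline-dependent" wording of the mutable elements implies.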

References