abusesaffiliationarrow-downarrow-leftarrow-rightarrow-upattack-typeburgerchevron-downchevron-leftchevron-rightchevron-upClock iconclosedeletedevelopment-povertydiscriminationdollardownloademailenvironmentexternal-linkfacebookfiltergenderglobegroupshealthC4067174-3DD9-4B9E-AD64-284FDAAE6338@1xinformation-outlineinformationinstagraminvestment-trade-globalisationissueslabourlanguagesShapeCombined Shapeline, chart, up, arrow, graphLinkedInlocationmap-pinminusnewsorganisationotheroverviewpluspreviewArtboard 185profilerefreshIconnewssearchsecurityPathStock downStock steadyStock uptagticktooltiptwitteruniversalityweb

1 Sep 2023

Aubrey Belford, OCCRP & Stephen Dziedzic, ABC

Citizen Lab uncovers likely exploitation of Telstra-owned mobile network by private spies

"Telstra-owned Pacific mobile network likely exploited by spies for hire", 1 September 2023

A Telstra-owned mobile phone operator in the Pacific Islands has likely been used by private spy firms to track people on the other side of the world and steal their data, according to expert cybersecurity analysis.

Digicel Pacific's network resources appear to have been exploited to target unsuspecting mobile phone users in Africa in a type of attack that has been used in the past by spy-for-hire operations and state actors, according to analysis by the University of Toronto's Citizen Lab shared with the Organized Crime and Corruption Reporting Project (OCCRP) and the ABC.

The revelations come after Telstra purchased Fiji-based Digicel Pacific in July 2022.

The purchase was backed with more than $2 billion in Australian government financing amid fears that China's government could use the network — which operates in six Pacific countries — to carry out spying in the increasingly contested region.

But Citizen Lab's analysis suggests that Telstra has had to contend with another security threat on the network: for-profit surveillance companies.

Typically based in the West, such operations market their services to governments as a way to track criminals and terrorists.

Previous reporting, however, has found these services are frequently used to spy on journalists, activists, and political dissidents.

Messages, calls and location can be intercepted

Using data from the Mobile Surveillance Monitor project, Citizen Lab found that actors who are most likely private spies-for-hire have been attacking phones around the world by leasing or otherwise gaining the use of "global titles" belonging to Digicel Pacific.

Global titles are a kind of address on 3G networks, which can be used to send queries to phones connected to mobile providers anywhere on earth, said Gary Miller, a research fellow at Citizen Lab.

"The attacks seen in the data are blatant and clearly malicious," Mr Miller said.

The Citizen Lab data shows that although Digicel global titles were used, attackers bypassed the company's networks.

After OCCRP and the ABC shared Citizen Lab data with Telstra, the company responded by saying it had already terminated most of the Digicel Pacific global title leases.

The company added that it had cancelled an additional lease after it was brought to their attention by reporters.

Telstra "will be exiting the small number of remaining leases by April 2024, or earlier, if investigations reveal they are acting outside of their contractual obligations," it said.

Ongoing abuse of global titles

The abuse of Digicel Pacific global titles dates back to before Telstra's purchase of the network.

Last October, Telstra acknowledged that their global titles had been used, but said it had acted to "review and reduce" the leasing out of Digicel Pacific's global titles to third parties.

However, a recent Citizen Lab analysis shows Digicel Pacific's global titles continued to be abused after this point.

Suspicious queries surge after lull

The latest analysis shows that Digicel Pacific global titles from five countries — Fiji, Papua New Guinea, Samoa, Tonga, and Vanuatu — were used to lodge over 21,000 suspicious queries in the 12 months to July this year.

Last October alone saw 9,115 such queries, many of them designed to identify individual phones or to find their location.

After a brief lull, suspicious queries surged again in recent months. Nearly 922 likely attacks were recorded in June and July this year, according to the latest available data.

Mr Miller said more could have been done to thwart this activity.

Cancelling the leases is one thing, he said, but the addresses still need to be removed from global networks.