BRIDGETOWN — China appears to have used mobile phone networks in the Caribbean to surveil United States mobile phone subscribers as part of its espionage campaign against Americans, according to a mobile network security expert who has analyzed sensitive signals data.
The findings paint an alarming picture of how China has allegedly exploited decades-old vulnerabilities in the global telecommunications network to route “active” surveillance attacks through telecommunications operators, as first reported in The Guardian.
The alleged attacks appear to be enabling China to target, track, and intercept phone communications of U.S. phone subscribers, according to research and analysis by Gary Miller, a Washington state-based former mobile network security executive.
Miller, who has spent years analyzing mobile threat intelligence reports and observations of signaling traffic between foreign and U.S .mobile operators, said in some cases China appeared to have used networks in the Caribbean to conduct its surveillance.
At the heart of the allegations are claims that China, using a state-controlled mobile phone operator, is directing signaling messages to U.S. subscribers, usually while they are travelling abroad.
Signaling messages are commands that are sent by a telecommunications operators across the global network, unbeknownst to a mobile phone user. They allow operators to locate mobile phones, connect mobile phone users to one another, and assess roaming charges. But some signaling messages can be used for illegitimate purposes, such as tracking, monitoring, or intercepting communications.
U.S. mobile phone operators can successfully block many such attempts, but Miller believes the United States has not gone far enough to protect mobile phone users, who he believes are not aware of how insecure their communications are.
Miller focused his research on messages that he said did not appear legitimate, either because they were “unauthorized” by the GSMA, an international standard-setting body for the telecommunications industry, or because the messages were sent from a location that did not match where a user was traveling.
Miller recently left a job at Mobileum, a mobile security company that tracks and reports threats to mobile operators, to start Exigent Media, a cyberthreat research and media firm. He said he was sharing his findings with the public to help expose “the severity of this activity” and to encourage the implementation of more effective countermeasures and security policies.
“Government agencies and Congress have been aware of public mobile network vulnerabilities for years,” he told the Guardian. “Security recommendations made by our government have not been followed and are not sufficient to stop attackers. No one in the industry wants the public to know the severity of ongoing surveillance attacks. I want the public to know about it.”
At Mobileum, Miller was vice-president of solutions for network security and risk products, a role he said gave him access to information about threats on mobile networks around the world.
Miller said that he found that in 2018 China had conducted the highest number of apparent surveillance attacks against US mobile phone subscribers over 3G and 4G networks. He said the vast majority of these apparent attacks were routed through a state-owned telecoms operator, China Unicom, which he said pointed in very high likelihood to a state-sponsored espionage campaign.
Overall, Miller said he believed tens of thousands of U.S. mobile users were affected by the alleged attacks emanating from China from 2018 to 2020.
“Once you get into the tens of thousands, the attacks qualify as mass surveillance, which is primarily for intelligence collection and not necessarily targeting high-profile targets. It might be that there are locations of interest, and these occur primarily while people are abroad,” Miller said. In other words, Miller said he believed the messages were indicative of surveillance of mass movement patterns and communication of US travellers.
Miller also found what he called unique cases in which the same mobile phone users who appear to have been targeted via China Unicom also appear to have been targeted simultaneously through two Caribbean operators: Cable & Wireless Communications (Flow) in Barbados and Bahamas Telecommunications Company (BTC).
The incidences, which occurred dozens of times over a four to eight-week period, were so unusual that Miller said they were a “strong and clear” indicator that these were coordinated attacks.
At the same time, Miller said that in 2019 most apparent attacks against US subscribers over the 3G network emanated from Barbados, while China significantly reduced the volume of messages to US subscribers.
“China reduced attack volumes in 2019, favoring more targeted espionage and likely using proxy networks in the Caribbean to conduct its attacks, having close ties in both trade and technology investment,” Miller said.
It is not clear whether any of the telecoms operators would have knowingly been involved in allegedly suspicious activity. In a statement, China Unicom said the company “strongly refutes the allegations that China Unicom has engaged in active surveillance attacks against U.S. mobile phone subscribers using access to international telecommunications networks.”
Meanwhile, the Chinese Embassy, in a statement, said: “It is not surprising to see another story on China’s network spying fabricated by an American expert. It’s also another attempt of U.S. to sow discord between China and Caribbean countries.
“Some western newspapers are really fans of such stories, even though they never reflect facts or show evidence.”
It added: “China and Caribbean countries have all along maintain friendly relations and mutual beneficial cooperation. We believe that after recognizing the truth, most countries will take an objective and impartial stand and make independent judgments. We are confident that the cooperation of the two sides will stand the test of time.”
Miller said he believed it was possible that a China entity directly or indirectly leased a network address from the Caribbean operators, allowing the messages to be coordinated and routed via the region’s telecoms firms without their knowledge. A spokeswoman for Cable & Wireless, which owns Flow in Barbados and BTC, declined to respond to the Guardian’s questions.
A spokesperson for the Chinese embassy in Washington said: “The Chinese government’s position on cybersecurity is consistent and clear. We firmly oppose and combat cyber-attacks of any kind. China is a staunch defender of cybersecurity.”
But the Federal Communications Commission in April issued an order warning that it might shut down the US operations of China Unicom and other China-controlled entities. At the time, Ajit Pai, the FCC chairman, said the commission was concerned about the companies’ vulnerability to the “control of the Chinese Communist party”.
China Unicom responded to the FCC, saying it had a good record of compliance and had shown a willingness to cooperate with US law enforcement agencies. In its statement to the Guardian, China Unicom added that its U.S. subsidiary operated “independently” in the United States and in accordance with U.S. laws. “China Unicom (Americas) has never been accused of misconduct and has never knowingly been the subject of investigation by any U.S. law enforcement agency,” it said.
“We have an illusion of security when we talk on our mobile phones,” said James Lewis, the director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS). “People don’t realize that we are under a sustained espionage attack on anything that connects to a network, and that this is just another example of a really aggressive and pretty sophisticated campaign.”