{
	"id": "095736b8-5b34-49d3-99d8-7681dd2ce24f",
	"created_at": "2026-04-06T00:06:30.930345Z",
	"updated_at": "2026-04-10T03:35:56.673403Z",
	"deleted_at": null,
	"sha1_hash": "fedb2ebf21adce752d2c39a3728c32cea9563476",
	"title": "HiddenArt - A Russian-linked SS7 Threat Actor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 591672,
	"plain_text": "HiddenArt - A Russian-linked SS7 Threat Actor\r\nBy Cathal McDaid\r\nPublished: 2022-02-09 · Archived: 2026-04-02 12:34:29 UTC\r\nToday, we issued our newest White paper: Spectrum of Violence: Mobile Network -enabled Attacks in Hybrid\r\nWarfare . This paper is the first to cover how attacks over the mobile core network could be used as part of any\r\nhybrid warfare scenario. In this blog I am including some additional information on the research in the white\r\npaper.\r\nThe name HiddenArt\r\nHiddenArt is the name we have assigned to a Signalling threat actor (platform) that we believe with a high degree\r\nof confidence to originate from Russian network sources. We, like many other companies in the cyber security\r\narea, assign names to entities of interest after we have tracked and understood their behaviour for some period of\r\ntime. The name in this case is comprised of two parts: Unique Feature + Label.\r\nAs explained in the report, the 1st part – ‘Hidden’ is used because this is the unique feature we have seen this\r\nplatform use over the last 5+ years. All attackers using mobile signalling networks try to hide, but HiddenArt is\r\nunique in that it tries to make its source SS7 addresses (SCCP Global Titles or GTs) be as similar as possible to\r\nreal, non-malicious GTs used by legitimate mobile network nodes. Further information on the mechanisms of this\r\nhiding is later in this blog. The effectiveness of this is questionable for network that has more advanced protection,\r\nbut it may give an advantage for a mobile network with less advanced firewalls, as they may not be able to\r\ndifferentiate the traffic from similar malicious and non-malicious sources, and so be unable to block attacks. It\r\nalso makes attribution much harder as we will see.\r\nThe 2nd part – ‘Art’ – was selected not as a compliment, but as a likely origin/user. Art is the Old Irish/Gaelic\r\nword for Bear. 
It stems from the same Indo-European root as the Greek word that gives us Arctic (arktos == bear, arktikos == of the bear), referring to the land under the bear, meaning Ursa Major or Ursa Minor. We used the term bear as we suspected from an early stage that this threat platform had Russian connections. How and why we did this bears looking at.\r\n
Attributing Russian Direction/control and origin\r\nAs covered in our report, there were several pieces of evidence for us to assign an origin and user; below are three sources of information that we used:\r\n
Targets\r\nA 1st piece was intelligence regarding the devices which were being tracked and/or whose communications were being intercepted. We observed concentrated targeting of specific devices, some of which we later learnt were linked to Russian political dissidents. We also observed tracking of individuals who we learnt were VIP individuals, that is, individuals of importance in the economic/political sphere. This gave us a clue on the end-user, and indicated that this was therefore not likely to be one of the (rare) Organised Crime Groups using mobile signalling networks, but rather a surveillance company or a state-level actor. However, this alone would not be enough for source attribution, nor could it tell us what type of entity HiddenArt is.\r\nhttps://www.enea.com/insights/the-hunt-for-hiddenart/\r\nPage 1 of 8\r\n
Behaviour\r\nA 2nd piece was the attack behaviour. First of all, we had to be certain the detected activity was actually malicious. This is harder than casual observers may expect. The vast majority of unusual or suspicious activity in mobile networks is not actually malicious. Believing that it is gives rise to situations where you must also believe that Canada and Mexico were the biggest executors of mobile attacks on the United States in 2020[1], something that strains credulity. Once you have eliminated the noise and determined the malicious activity through analysis, you can then categorise it. In this case we were able to establish with a high degree of certainty that the activities were deliberate, that is, human-operated attacks for location tracking and interception of personal communications. This objective is squarely in the arena of surveillance companies and state-level actors. However, surveillance companies and state-level actors differ in their behaviour. Surveillance companies like Rayzone and Circles (who are associated with NSO Group) tend to have multiple customers and are often continuously active. This is because they have to be, as they have paying customers and need to meet their needs and requests. The surveillance volumes here are consistent and, in specific geographies, very large.\r\n
State-level actors tend to be more focused on specific individuals, as part of intensive operations to support wider intelligence activity. Afterwards, some of the specific attack nodes used in any instance by state-level actors may then go dormant for weeks, months or even longer depending on their operational needs and objectives, the relative availability of alternate vectors, and their evaluation of the targeting (security) environment. In our experience both surveillance companies and state-level actors try to do a level of misdirection by targeting innocent subscribers, but sooner or later they both have to revert to their primary target(s), as well as trying to minimise their presence on the signalling network. When we first detected HiddenArt it was engaged in attempted intensive targeting of a few specific individuals, before branching out to track additional targets. Our report includes a diagram of malicious activity over several days which we have re-shown here:\r\nExample Activity of HiddenArt Threat Actor over multi-day period\r\n
Since 2018 HiddenArt has been in a semi-dormant state, but it performs periodic network reconnaissance and/or routing verification against mobile networks globally. This is the sign of a state-level actor which is ensuring that its reach and capability is sustained over time.\r\n
True Source Analysis – Following the Bear\r\nThe 3rd, and most complex, piece is the origin of these attacks. This must be taken with caution, as using signalling source information for attribution requires extensive experience and analysis, as well as some stubbornness and luck. All packets routed in mobile signalling networks (3G, 4G, and 5G) have their origination point indicated as a source address. The country of the source address, though, cannot be blindly assumed to be the same as the entity benefiting from the attacks. It has been shown that entities who have been given mobile signalling access by Mobile Operators are selling this on to hostile actors. This is the reason why places like the Channel Islands have appeared in the past to be among the biggest sources of malicious attacks in the world. But this is not the same as attribution: no one would claim that the Governments of Jersey or Guernsey have a massive desire to track and intercept the communications of people around the world. So even though attacks may come from a network in a source country, that source country may not be the one benefiting.\r\n
This is complicated by the little-known fact that in 3G (SS7), and especially in 4G (Diameter), where these signalling packets say they come from and where they actually physically come from can be two different things. For HiddenArt, we detected that its purported initial origin point was a group of Mobile Operators in Africa (note: it has since branched out to use sources in other countries). However, it seemed very unlikely that these countries themselves would be strongly interested in Russian targets. This raised the possibility that either the HiddenArt attackers had access to signalling infrastructure in these countries, or, more interestingly, that the attacks were not truly originating from these countries.\r\n
To answer this question, we had a discussion with the African Mobile Operator group purportedly being used as the source. They were unaware of this activity, and could find no trace of any attacks being sent, but, very strangely, could see the responses to the attacks being received in their network. We focused on understanding the attacks first. While there were some suspicions that equipment compromise might have occurred at the start, it seemed unlikely that their equipment was being compromised on a long-term basis. This meant it seemed the attacks were not coming from Africa, but from elsewhere. This is possible in theory in SS7 and Diameter networks because the connection between two mobile operators in different countries is not normally direct: multiple 3rd-party routing companies called inter-operator carriers exist, and each one of those can carry, route and, if they wish, redirect an SS7 or Diameter command. We see this redirection in real life, where there have been observed cases of a GT being leased (rented) or reassigned from one country to another, with the consent of the lessor. However, this did not seem to be happening in this case. So we had two outstanding questions:\r\nWhere were these attacks really coming from? And\r\nIf the responses were going to African networks, were the attackers getting the responses, and how? (assuming the attackers were not African Mobile Operators)\r\n
Validating the Source\r\nA breakthrough on the first question came with the deployment of an additional set of firewall logic and filtering rules at a customer site. The world’s mobile operators build their 2G/3G (SS7) security defence on a GSMA document called FS.11; this is a set of guidelines and principles for detecting and blocking suspicious or unwanted signalling activity. As the editor and a principal author of this document, I am very conscious that anyone within the mobile operator community has access to it, and it will inevitably fall into hostile hands[2]. While the FS.11 document contains a broad and extensive set of principles and guidelines, it is ultimately up to mobile operators to implement them, and they may naturally focus on the main defensive use cases. This can give attackers the idea to develop attacks that they think may avoid the defences or checks that Mobile Operators put in place, especially if mobile operators just follow the letter of the FS.11 SS7 firewall rule recommendations, as opposed to going further and putting in detection logic to cover all of its principles and guidelines.\r\n
The addition of these new rules allowed us to detect additional abnormal SS7 commands related to the ongoing attacks, but this time some of them originated from Russian GTs. With this information, with our customer and with the help of multiple inter-carriers, we then traced the routing of the main ‘African-originated’ attacks across the SS7 international interconnect links. This is quite difficult due to the need for multiple parties to be involved and the very short time window in which it has to be done. However, after a few attempts we found that these led back to Russian MTP3 originating point codes (OPCs). MTP3 is the SS7 layer beneath the SCCP layer, and its point codes are only valid point to point: the OPC is rewritten at each hop by the signalling point that last routed (global-title translated) the message, so it identifies the adjacent network rather than the originator, whereas the SCCP calling-party GT is chosen by the originator and carried end to end. That is why a GT can be spoofed while the OPC on a given link cannot be chosen by a party that does not control that link. This showed that these packets did originate from Russian links, despite what the African source GT address said.\r\nIntercarrier Trace of Spoofed African Global Titles, from Russian Originating Point Code\r\n
Continuing an Answer\r\nTheorized flow of SS7 Attack on Example Targeted Cuban Mobile Operator\r\nAnswering the 2nd question was harder. To recap this question: was the +7/Russian attacker, HiddenArt, getting back the response with all the information they wanted, if they said in the request that they were +2/African? Because this means the response would be sent to African networks only, not to Russian network nodes.\r\n
Strong evidence for an answer came from careful analysis, and from the fact that sometimes the HiddenArt attacker needed to have a conversation with the victim network. We mentioned already that the mobile operators in Africa told us they definitely received the answers, or Responses, even though they did not generate the questions, or Requests. This meant that the only logical way the attackers could have gotten the answer information is if it had been copied, not redirected, somewhere along the chain.\r\n
But the issue was how to show this. After much research we came across a specific attack sequence involving an African GT that gave us strong evidence for this. Below is the sequence diagram for an SS7 RestoreData attack. In this, the HiddenArt attacker is asking the victim network to give information on a subscriber (information harvesting). This information is sent in a sequence of InsertSubscriberData request commands, and each request must be acknowledged with a response in order for the sequence to continue. The layer in which the control of this sequence happens is called the TCAP layer, where a BEGIN starts a sequence, or TCAP transaction, a CONTINUE continues it, and an END stops it.\r\nSequence diagram of RestoreData/InsertSubscriberData Attack, showing two responses to one request\r\n
What we observed was:\r\n1. HiddenArt (spoofing the African +2 network) sent a RestoreData in a TCAP BEGIN to the victim’s network; we have selected Cuba as an example in this case. RestoreData is used to trigger a response with the targeted subscriber’s details, in effect subscriber information harvesting.\r\n2. The Cuban network responded with an InsertSubscriberData (ISD) Request containing the victim subscriber’s details, in a TCAP CONTINUE, to be sent back to the +2/African network, carrying the unique transaction ID (TID) Z. The next point is very interesting: the victim’s network receives two responses to this CONTINUE:\r\n3. The initial response is a TCAP Abort. In this we believe the real +2 network is saying it does not understand this sequence involving an ISD it just received (this is an Abort with cause Unrecognized Transaction ID).\r\n4. The 2nd response is a TCAP CONTINUE. In this we believe HiddenArt, spoofing the +2 network, is saying it does understand the sequence involving the ISD it received, and is sending back an InsertSubscriberData Response, to keep the conversation going. This ISD response contains the unique transaction ID (TID: Z) sent in step 2.\r\n
Step 4 proves that the information sent by the Cuban network in step 2 is not lost from the attacker’s perspective, and is received by HiddenArt; otherwise they would not know when or how to respond to the ISD in step 2 with the right transaction information.\r\nWe picked this attack sequence to discuss because, intriguingly, it also shows strong evidence that the data was copied somewhere along the path. 
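\r\nBoth findings above, the GT that does not match the link it arrived on and the transaction that gets two answers, can be turned into firewall logic. The following is an added example written for this page; it is not code from this post or from AdaptiveMobile/Enea. It is a small Python checker over decoded SS7 records that (a) compares the country implied by the SCCP calling-party GT with the owner of the MTP3 link (OPC) the message arrived on, the mismatch the intercarrier trace exposed, and (b) tracks TCAP dialogues so that two answers to one CONTINUE (an ABORT and a CONTINUE with the same destination TID) are flagged, the pattern in steps 2 to 4. All GTs, point codes, the link inventory, the country-code table and the sample messages are constructed; the OPC check assumes the observer peers directly with a Russian and a South African link, whereas at a victim network’s own interconnect the adjacent OPC is normally the inter-carrier’s, which is why the trace in the post needed several carriers.\r\n
```python
'''Added example (not code from the Enea/AdaptiveMobile post). Two checks a
signalling firewall can run over decoded SS7 interconnect traffic:
  1. source consistency: SCCP calling-party GT versus MTP3 OPC of the link;
  2. TCAP dialogue tracking: more than one answer to a single CONTINUE.
Every GT, point code, link owner and message below is constructed.'''
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# MAP operation codes from 3GPP TS 29.002
RESTORE_DATA = 57
INSERT_SUBSCRIBER_DATA = 7

# Hypothetical link inventory: owner (country) of the adjacent signalling point.
# In practice this comes from the STP / link-set configuration.
LINK_OWNER_BY_OPC = {0x2A01: 'RU', 0x1B07: 'ZA'}

# Constructed E.164 country-code table for the GTs used in the sample.
# +7 also covers Kazakhstan; a real table would be the full E.164 list.
COUNTRY_BY_CC = {'7': 'RU', '27': 'ZA', '53': 'CU'}


def gt_country(gt: str) -> Optional[str]:
    '''Longest-prefix match of an E.164 GT against the country-code table.'''
    for n in (3, 2, 1):
        if gt[:n] in COUNTRY_BY_CC:
            return COUNTRY_BY_CC[gt[:n]]
    return None


@dataclass(frozen=True)
class Msg:
    direction: str          # 'in' from the interconnect, 'out' sent by us
    opc: int                # MTP3 OPC of the ingress link ('in' only, else 0)
    calling_gt: str         # SCCP calling-party GT (E.164 digits)
    called_gt: str          # SCCP called-party GT
    tcap: str               # BEGIN, CONTINUE, END or ABORT
    otid: Optional[str]     # originating transaction id
    dtid: Optional[str]     # destination transaction id
    opcode: Optional[int]   # MAP operation code, None for ABORT


def check_source(msg: Msg) -> Optional[str]:
    '''Alert when the calling GT country differs from the owner of the link
    the message physically arrived on. Cross-border GT leasing is legitimate,
    so this is an alert for analysis rather than an automatic block.'''
    if msg.direction != 'in':
        return None
    link = LINK_OWNER_BY_OPC.get(msg.opc)
    if link is None:
        return f'unknown OPC {msg.opc:#06x} for GT {msg.calling_gt}'
    country = gt_country(msg.calling_gt)
    if country != link:
        return f'GT {msg.calling_gt} ({country}) arrived on {link} link OPC {msg.opc:#06x}'
    return None


class DialogueTracker:
    '''Tracks our outbound CONTINUEs by OTID and counts the answers each one
    receives. One transaction must get exactly one answer; an ABORT plus a
    CONTINUE for the same DTID means two different nodes saw our message.'''

    def __init__(self) -> None:
        self.peer_by_tid = {}
        self.answers = defaultdict(list)

    def feed(self, msg: Msg) -> Optional[str]:
        if msg.direction == 'out' and msg.tcap == 'CONTINUE':
            self.peer_by_tid[msg.otid] = msg.called_gt
            return None
        if msg.direction == 'in' and msg.dtid in self.peer_by_tid:
            got = self.answers[msg.dtid]
            got.append((msg.calling_gt, msg.tcap))
            kinds = sorted({t for _, t in got})
            if len(got) > 1 and len(kinds) > 1:
                kinds_txt = ', '.join(kinds)
                return f'dialogue {msg.dtid}: {len(got)} answers from {self.peer_by_tid[msg.dtid]} ({kinds_txt})'
        return None


def analyse(trace) -> list:
    '''Run both checks over a decoded trace and return the alerts in order.'''
    tracker = DialogueTracker()
    alerts = []
    for m in trace:
        for alert in (check_source(m), tracker.feed(m)):
            if alert:
                alerts.append(alert)
    return alerts


# Constructed addresses: the real South African VLR GT that gets spoofed, and
# the Cuban HLR GT of the targeted network.
ZA_VLR_GT = '27821000001'
HLR_GT = '5352000001'

# The sequence from the post as seen at the Cuban HLR: BEGIN RestoreData arrives
# on the RU link, the ISD goes out in a CONTINUE, and that CONTINUE gets two
# answers: an ABORT on the ZA link (the real node) and a CONTINUE carrying the
# ISD ack on the RU link (the attacker).
SAMPLE = [
    Msg('in', 0x2A01, ZA_VLR_GT, HLR_GT, 'BEGIN', 'a1', None, RESTORE_DATA),
    Msg('out', 0, HLR_GT, ZA_VLR_GT, 'CONTINUE', 'z9', 'a1', INSERT_SUBSCRIBER_DATA),
    Msg('in', 0x1B07, ZA_VLR_GT, HLR_GT, 'ABORT', None, 'z9', None),
    Msg('in', 0x2A01, ZA_VLR_GT, HLR_GT, 'CONTINUE', 'a1', 'z9', INSERT_SUBSCRIBER_DATA),
]

# A legitimate restore from the real ZA VLR: one answer per transaction and the
# GT country matches the link owner, so nothing is flagged.
LEGIT = [
    Msg('in', 0x1B07, ZA_VLR_GT, HLR_GT, 'BEGIN', 'b2', None, RESTORE_DATA),
    Msg('out', 0, HLR_GT, ZA_VLR_GT, 'CONTINUE', 'z1', 'b2', INSERT_SUBSCRIBER_DATA),
    Msg('in', 0x1B07, ZA_VLR_GT, HLR_GT, 'CONTINUE', 'b2', 'z1', INSERT_SUBSCRIBER_DATA),
    Msg('out', 0, HLR_GT, ZA_VLR_GT, 'END', 'z1', 'b2', RESTORE_DATA),
]

if __name__ == '__main__':
    for line in analyse(SAMPLE):
        print('ALERT', line)
    print('legit trace alerts:', analyse(LEGIT))
```
\r\nRunning analyse(SAMPLE) yields three alerts: a GT/OPC mismatch on the BEGIN, another on the attacker’s CONTINUE, and the duplicate-answer alert on dialogue z9; the legitimate trace yields none. In a deployment the records would come from the firewall’s decoded MAP/TCAP log, and the OPC mismatch should stay an alert rather than a block, because GT leasing across borders does happen with the lessor’s consent.\r\n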
If you look at step 3 above, the spoofed network says it does not understand what it just received. What we believe is happening here is a potential race condition in steps 3 and 4, between the spoofed African operator and the HiddenArt attacker. We believe both the attacker network and the spoofed +2 African network get the ISD sent in step 2, and they are in a race to respond. Normally the African networks’ GTs selected to be spoofed by HiddenArt completely ignore the responses they receive, but in this case the response was part of a transaction sequence, and the GT selected was similar enough to be answered with essentially an “I don’t understand this conversation” response from a real network element in the +2 African operator. In SS7, the same network element would not answer a sequence in two different ways, so the logical explanation is that two different network nodes got the ISD response information: one over the SS7 path (the spoofed +2xx001 node), and one over some other copied means, and then both attempted to answer. We observed this response consistently when this particular GT was used, and not for other RestoreData attacks using different spoofed source GTs. A Wireshark capture of this attack is below.\r\nWireshark sequence of the RestoreData/InsertSubscriberData Attack, with two responses to one request\r\n
As for why HiddenArt would not use the same routing system for all attacks: it does not seem to have been always reliable, especially when it comes to conversations with transaction sequences. On later dates over the subsequent years we were able to detect intermittent attack activity from Russian SCCP Global Titles themselves, related to HiddenArt attacks. We attribute this to occasional failures or limitations of the spoofing/rerouting system; this happened about 1% of the time overall, but for particular attacks like the RestoreData example above, Russian GTs were used ~75% of the time. This is likely due to problems like TCAP timeouts or race conditions like the one above when using a copying mechanism, as copying data from whatever source is slower than the direct SS7 connection.\r\n
Interestingly, some of the Russian GTs used in these and other attacks are in the same range as the GTs reported by the Ukrainian SBU in their analysis of SS7 attacks in their country in 2014, further strengthening the potential link. Further details of the specific GT ranges used are available to AdaptiveMobile SIGIL customers.\r\n
Stopping an Attack Before it Happens\r\nAt the time of these attacks, we worked with our customer to successfully detect and block them. We also shared information with the Operator Group whose source address ranges in multiple African countries were being spoofed, for them to take any action they could on their side. However, the threat actor has maintained its capability since, as its periodic reconnaissance activities bear witness. We have also observed the spoofing of Mobile Operators outside of Africa by this threat actor in more recent years. Unfortunately, we were unable to determine the exact point at which we believe the data was copied as it left the targeted network; this could be any point in the intercarrier link or in the spoofed operator. However, this is secondary to having protection in place in the targeted network. Revealing the existence of this threat actor alone should encourage Mobile Operators around the world to confirm and, if needed, improve their mobile network defences, and underlines the need for threat intelligence and analysis of the attacks they receive. In addition, we hope that making this information public now, as well as the white paper, reduces the possibility of any future use of this system, or indeed of any other similar system misusing mobile networks, regardless of their origin and purpose.\r\n
Many thanks to the Data Intelligence \u0026 Threat Intelligence Unit teams within AdaptiveMobile Security as well as our Mobile Operator customers \u0026 Inter-carrier partners.\r\n
[1] 2020 – Percentage of attacks on US devices from Canada / Mexico – 4G: 48.50%, 3G: 60.67%, pages 14 \u0026 16 – Exigent Media, Far from Home Report 2\r\n[2] For visual evidence of information being shared within the Operator community being leaked to attackers prior to public release, see our follow-up presentation on Simjacker at VB2021. Read our Frequently Asked Questions about Simjacker as well.\r\n
Source: https://www.enea.com/insights/the-hunt-for-hiddenart/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.enea.com/insights/the-hunt-for-hiddenart/"
	],
	"report_names": [
		"the-hunt-for-hiddenart"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fef4b383-3ac6-4902-915c-03c23a41ba69",
			"created_at": "2023-11-07T02:00:07.104634Z",
			"updated_at": "2026-04-10T02:00:03.409687Z",
			"deleted_at": null,
			"main_name": "HiddenArt",
			"aliases": [],
			"source_name": "MISPGALAXY:HiddenArt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433990,
	"ts_updated_at": 1775792156,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fedb2ebf21adce752d2c39a3728c32cea9563476.pdf",
		"text": "https://archive.orkl.eu/fedb2ebf21adce752d2c39a3728c32cea9563476.txt",
		"img": "https://archive.orkl.eu/fedb2ebf21adce752d2c39a3728c32cea9563476.jpg"
	}
}