An Australian-owned mobile phone operator in the Pacific Islands has likely been used by private spy firms to track people on the other side of the world and steal their data, according to an expert cyber security analysis.
The revelations come after Australian telecommunications operator Telstra purchased Fiji-based Digicel Pacific in July 2022. The purchase was backed with US$1.33 billion in Australian government financing amid fears that China’s government could use the network — which operates in six Pacific countries — to carry out spying in the increasingly contested region.
But Citizen Lab’s analysis suggests that Telstra has had to contend with another security threat on the network: for-profit surveillance companies. Typically based in the West, such operations market their services to governments as a way to track criminals and terrorists. Previous reporting, however, has found these services are frequently used to spy on journalists, activists, and political dissidents.
Using data from the Mobile Surveillance Monitor project, Citizen Lab found that actors who are most likely private spies-for-hire have been attacking phones around the world by leasing or otherwise gaining the use of “global titles” belonging to Digicel Pacific.
Global titles are a kind of address on 3G networks, which can be used to send queries to phones connected to mobile providers anywhere on Earth, explained Gary Miller, a research fellow at Citizen Lab. These queries can be used to locate a person’s phone, or intercept their messages and calls.
“The attacks seen in the data are blatant and clearly malicious,” Miller said.
Once spy operations have obtained a global title and registered it on international phone networks, they can run their attacks using free software and hardware that costs as little as $200. The Citizen Lab data shows that although Digicel global titles were used, attackers bypassed the company’s networks.
Leasing global titles from operators and routing them through international exchanges allows attackers to mask their identities, Miller said.
After OCCRP and the ABC shared Citizen Lab data with Telstra, the company responded by saying it had already terminated most of the Digicel Pacific global title leases. The company added that it had canceled an additional lease after it was brought to their attention by reporters.
Telstra “will be exiting the small number of remaining leases by April 2024, or earlier, if investigations reveal they are acting outside of their contractual obligations,” it said.
The abuse of Digicel Pacific global titles dates back to before Telstra’s purchase of the network. It was first uncovered by journalists from Lighthouse Reports, a European investigative newsroom, while reporting on Italian surveillance company Tykelab last year. Digicel Pacific global titles were also found to have been used by a for-profit spying operation run out of Switzerland in a joint investigation by Lighthouse Reports and partners this May.
The previous investigations did not publicly name Digicel Pacific.
Among those found in earlier reporting to have been targeted using Digicel Pacific’s global titles was a Mexican journalist, Fredid Román Román, whose phone was pinged for location data in the 24 hours before he was shot dead in 2022.
Approached by Lighthouse Reports last October, Telstra acknowledged that their global titles had been used in Mexico, but said it had acted to “review and reduce” the leasing out of Digicel Pacific’s global titles to third parties.
But Citizen Lab’s analysis shows Digicel Pacific’s global titles continued to be abused after this point.
The latest analysis shows that Digicel Pacific global titles from five countries — Fiji, Papua New Guinea, Samoa, Tonga, and Vanuatu — were used to lodge over 21,000 suspicious queries in the 12 months to July this year. Last October alone saw 9,115 such queries, many of them designed to identify individual phones or to find their location.
After a brief lull, suspicious queries surged again in recent months. Nearly 922likely attacks have been recorded in June and July this year, according to the latest available data.
Miller said more could have been done to thwart this activity. “It doesn’t appear that they’ve taken the proper steps,” he said. Canceling the leases is one thing, but the addresses still need to be removed from global networks.
“What should have happened is that all these leased global titles should have been just pulled out. But we didn’t see that.”
Although Telstra’s acquisition of Digicel Pacific was widely seen as a move to prevent Chinese spying, Beijing has in fact been documented elsewhere in the world using the type of attacks now being facilitated by the network, Miller said.
“If it’s easy for people to lease global titles, it’s just as easy for China as it would be for any other adversary,” Miller said, while cautioning that there is not enough data to pin the current attacks on any particular state or actor.
Australia’s Department of Foreign Affairs and Trade referred reporters’ questions to Telstra, but added that the company “brings strong capabilities to the Digicel Pacific business and has the necessary experience and expertise to enhance the security and reliability of Digicel Pacific’s networks.”.