This is *exactly* why a) vulnerabilities at the infrastructure layer are so difficult to guard against; b) cyber risk assessments need to take this layer into account, even with trusted vendors; and c) cybersecurity needs to be a much bigger part of internet standards. https://twitter.com/jsrailton/status/1338856148921843712
At the heart of the allegations are signalling messages sent from China Unicom to US subscribers while they were traveling abroad, messages that can be exploited to track and monitor phones and comms.
Researcher Gary Miller says tens of thousands of US mobile users compromised between 2018 & 2020.
In 2018 China conducted the most surveillance attacks against US mobile subscribers over 3G & 4G--most of which were routed through state-owned telco China Unicom, pointing w/high likelihood to *a state-sponsored espionage campaign.* via @skirchy / Miller https://www.theguardian.com/us-news/2020/dec/15/revealed-china-suspected-of-spying-on-americans-via-caribbean-phone-networks
These attacks are another example of the PRC's bulk collection strategy for data and information. Amass it all, sort it later is a powerful tool.
Just as tech companies have seized on the value of collecting data for algorithms and influence, so too has the PRC state.
And for more detail on the unfortunately well-known #SS7 vulnerabilities exploited, see this thread from @jsrailton and excellent work @citizenlab -- always best in class! https://twitter.com/jsrailton/status/1333848872872013824?s=20
One final comment. Too often cybersecurity is hoisted onto the shoulders of those least-resourced to mount a serious defense -- the average consumer. These attacks make clear that individuals can take steps (e.g. 2FA) and still be victims. A bigger picture defense is still needed.