Iranian-linked actors used regional mobile-phone networks to track the locations of U.S. military personnel and contractors across the Middle East [1, 2].

This surveillance highlights a critical vulnerability in how military personnel use commercial technology in conflict zones. By bypassing traditional hacking methods, these actors gained real-time intelligence on troop movements without needing to compromise individual device security.

The operations occurred in the weeks leading up to a U.S.-Israeli military operation against Iran in late February 2024 [2]. The tracking continued following Tehran's missile and drone retaliation in March 2024 [2].

Investigators found that the actors exploited SS7 signaling, the protocol used by networks to route calls and texts, and commercial location-data services [1, 2, 3]. This allowed the operators to pinpoint the exact locations of personnel by leveraging the infrastructure of regional mobile providers [1, 2].

These activities were likely carried out by Iranian intelligence or affiliated groups [1, 2]. The goal was to obtain tactical and strategic intelligence to support Iranian objectives during a period of heightened tensions with Washington [1, 3].

Security experts said that the enemy may not need to hack a phone's software to track it [3]. Instead, they can use the network's own signaling systems to identify where a device is registered, turning a standard communication tool into a tracking beacon.

Iranian-linked actors exploited SS7 signaling and commercial location-data services

This incident underscores a shift in electronic warfare where the vulnerability lies not in the device, but in the global telecommunications infrastructure. The use of SS7 exploitation allows state actors to monitor movements with high precision, suggesting that standard mobile device security is insufficient for personnel operating in high-threat environments.