Can hostile actors geolocate people of interest?
Geolocating people of interest in real time by attacking their cell phones or IoT devices poses a major threat to companies and institutions
In his iconic novel 1984, George Orwell imagined a dystopia that warned: «Big Brother is watching you».
What if this idea were no longer so dystopian? A few days ago, ZeroDayRAT was made public: malware that allows cybercriminals to take control of cell phones so that they can, among other things, geolocate people of interest such as prominent businesspeople or political leaders.
To what end? To carry out fraud by impersonating them in an extremely realistic way, to spy on them and obtain confidential information thanks to their movements, or even to carry out actions such as burglaries in empty houses or attacks against the physical integrity of the people being monitored.
Cyber espionage against businesspeople and other individuals of interest is an increasingly dangerous threat to companies and public institutions. That is why it is essential for organizations to protect their leaders and prevent their communications from being intercepted or geolocated in real time.
Below, we will explore how malicious actors can geolocate individuals of interest and what can be done to prevent it.
Malware to take control of mobile phones, which have become an extension of our bodies
The case of ZeroDayRAT shows that remote access Trojans (RATs) pose a significant threat to device security.
Why? This type of malware allows malicious actors to remotely gain full access to an infected device and remain undetected, thereby collecting large amounts of information.
In the case of ZeroDayRAT, attackers can gain significant access to Android or iOS mobile phones. In fact, this spyware is marketed via Telegram, and not only is the malicious program itself offered, but the criminal group that developed it also provides its customers with a panel for full remote control of the attacked mobile phones. This makes it possible to:
- Obtain information about the device: model, operating system, battery status, SIM card details, etc.
- Record the use of applications and SMS messages exchanged, which is relevant in terms of intercepting authentication codes.
- View notifications received and accounts registered on the device, allowing them to see the user’s email or ID, which could open the door to brute-force or credential-stuffing attacks.
- Geolocate people of interest with GPS access. In fact, it even offers the option to display the mobile phone’s real-time location on a Google Maps view and to view a history of the device’s locations since it was successfully infected.
- Obtain information about missed calls, WhatsApp messages, and login details for social media or Amazon accounts.
- Activate the front or rear camera and microphone to stream what the victim is doing.
In other words, attackers can not only geolocate people of interest, but also find out in real time what activities they are engaged in and even listen to their conversations with other people. In the best tradition of Orwell’s Thought Police.
Criminal groups are designing increasingly sophisticated spyware and promoting Malware-as-a-Service models to market it and enable its use by malicious actors without the knowledge or resources to develop it themselves.
Therefore, the proliferation of RATs that can go undetected and grant hostile actors full access is a threat that large companies and governments must be very aware of to prevent people of interest from being geolocated in real time and critical information from being accessed.
Attacks against telecommunications companies to listen to calls and geolocate people of interest
How else can cybercriminals geolocate individuals of interest? Through attacks on telecommunications.
In late 2024, it was made public that the China-linked Salt Typhoon group launched a campaign against U.S. telecommunications providers, allowing it to access telecommunications networks and use them to geolocate individuals of interest and even record phone calls.
Among the victims were the then president-elect and vice president-elect, Donald Trump and J.D. Vance, and senior officials in the Biden administration.
This campaign, deployed in other Western countries such as Germany, the United Kingdom, and Spain, demonstrates how advanced cyber threat groups linked to states can geolocate individuals of interest by subverting telecommunications networks’ security mechanisms.
After all, our cell phones receive and send signals to the nearest cell tower.
This means that if this connection data is accessed, it is possible to geolocate individuals of interest.
It should therefore come as no surprise that telecommunications is one of the critical sectors covered by the NIS2 directive and that it will have to undergo rigorous cybersecurity testing on a recurring basis and implement effective vulnerability management.

Attacks against personal IoT devices, such as medical equipment, can also allow people of interest to be geolocated
Another way in which cybercriminals can geolocate people of interest is by exploiting vulnerabilities in IoT devices and the internet or Bluetooth connections they use.
In this regard, attacks on IoT devices in the healthcare field, such as smart pacemakers, insulin pumps, CPAP machines, etc., are particularly sensitive. In addition to gaining access to medical data, hostile actors can geolocate individuals of interest through these devices.
For example, if a CPAP machine is in operation, the person using it will be at home sleeping. But if it is not, it is plausible that they are either not at home or are at home but not yet asleep.
Similarly, exploiting vulnerabilities in smart cars could also enable malicious actors to geolocate people of interest.
Therefore, when designing a security strategy for a company or institution, it is critical to consider the IoT devices used in both the business environment and the personal lives of people in positions of responsibility.
Thus, it is essential to perform Bluetooth security assessments to ensure there are no vulnerabilities in this connection that could allow malicious actors to identify devices, monitor their locations, and determine whether they are in operation.
The war in Iran puts the spotlight on the hacking of traffic camera systems
How were Israel and the United States able to assassinate Ali Khamenei, Iran’s supreme leader? According to a report in the Financial Times, Israel was able to hack into Tehran’s traffic camera system and thus build up a pattern of Khamenei’s life.
In this way, they were able to predict Khamenei’s movements and, with confirmation from a person, certify that the Iranian leader was in the military complex that was attacked.
This highly topical case shows that traffic surveillance systems in cities can be used to geolocate people of interest, and that it is possible to access images without being detected.
The use of eSIMs in the spotlight
Company executives, highly qualified professionals, political leaders… Many people travel regularly to different countries and use eSIMs to maintain their phone connectivity.
eSIMs are virtual SIMs, meaning you can activate a data plan in a country without changing your physical SIM card, making them extremely convenient.
However, research has found that many eSIM providers send user data through foreign telecommunications networks. For example, it was found that an eSIM from the Irish company Holafly routed connections through the China Mobile network.
As a result, the mobile phone received an IP address assigned to China Mobile in Hong Kong. Consequently, the device did not appear to be at its actual location but rather in Hong Kong.
According to researchers, this can lead to risks to the privacy of user information. This is because eSIM distributors obtain a wide range of data, including location information for mobile phones with an accuracy of 800 meters. This would make it easier for anyone with access to this data to geolocate people of interest.

Why hostile actors want to geolocate people of interest
Why do criminal groups want to geolocate individuals of interest? There is a wide range of motives and consequences for this type of action:
- To carry out more sophisticated fraud. Consider, for example, CEO fraud. If a criminal group knows that a CEO is in a certain location, it can refine the deception aimed at a subordinate to impersonate the CEO: for example, by using a phone number from the country where the CEO is located, or by using generative AI to make it more believable that the scammer is the CEO and is where the subordinate knows them to be.
- Corporate or government espionage. Geolocating people of interest can be key to spying on their activities and finding out who they are meeting with. If, in addition, it is possible to listen to what they say, the espionage is complete. Consider, for example, the CEO of a company meeting with shareholders of a competing company. With this information in hand, it is possible to extort the victim, sell the information, or use it to manipulate company stock prices for personal enrichment.
- Theft and actions against the integrity of victims. On a more disturbing level, geolocating people of interest can be used to break into their homes or offices while they are away or asleep, or even to carry out attacks against them.
MDMs are key to protecting mobile phones, but they are not foolproof
Mobile Device Management (MDM) software enables companies and institutions to centrally manage security policies and configure and enforce restrictions on employees’ and executives’ mobile devices.
This type of program is essential for preventing users from unknowingly downloading malware, ensuring the security of installed applications, and detecting abnormal behavior on devices, such as applications that consume more battery power than they should, hold excessive security permissions, or show anomalies in their internet or Bluetooth connections.
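The RAT capability list above (location, camera, microphone, SMS, notifications, accounts, call log) and the MDM behaviours just described (excessive permissions, abnormal battery drain) can be turned into a simple triage check over an app inventory. The following is an added example, not code from the page, from ZeroDayRAT, or from any MDM product. The capability map uses real Android permission names, but the app inventory is constructed for the demo, and the scoring weights, the battery threshold and the `threshold=4` cut-off are assumptions chosen to illustrate the idea.

```python
"""Flag installed apps whose granted permissions and behaviour match the
spyware capability profile described in the text.

Added example. The inventory below is constructed; the scoring rules are
assumptions, not the behaviour of any real MDM product.
"""
from dataclasses import dataclass

# Each surveillance capability from the RAT description, mapped to the
# Android permissions that grant it (real permission names).
CAPABILITY_PERMISSIONS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
}

BATTERY_ALERT_SHARE = 0.15  # assumed: >15% of daily battery use is abnormal


@dataclass
class App:
    package: str
    permissions: set
    sideloaded: bool       # not installed from the official app store
    battery_share: float   # fraction of battery consumed in the last 24 h


def capabilities(app):
    """Surveillance capabilities the app's granted permissions enable."""
    return {cap for cap, perms in CAPABILITY_PERMISSIONS.items()
            if app.permissions & perms}


def risk_score(app):
    """Assumed scoring: one point per capability, +2 if sideloaded,
    +1 if battery drain suggests background streaming or uploading."""
    score = len(capabilities(app))
    if app.sideloaded:
        score += 2
    if app.battery_share > BATTERY_ALERT_SHARE:
        score += 1
    return score


def flag_suspicious(apps, threshold=4):
    """Return (package, score, sorted capabilities) for every app whose
    score reaches the threshold, highest score first."""
    findings = []
    for app in apps:
        score = risk_score(app)
        if score >= threshold:
            findings.append((app.package, score, sorted(capabilities(app))))
    return sorted(findings, key=lambda f: -f[1])


# Constructed inventory: a maps app, a messenger, and a sideloaded
# "system update" app holding every surveillance-relevant permission.
SAMPLE_INVENTORY = [
    App("com.example.maps",
        {"android.permission.ACCESS_FINE_LOCATION"}, False, 0.05),
    App("com.example.messenger",
        {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
         "android.permission.READ_SMS", "android.permission.GET_ACCOUNTS"},
        False, 0.08),
    App("com.example.sysupdate",
        set().union(*CAPABILITY_PERMISSIONS.values()), True, 0.22),
]

if __name__ == "__main__":
    for package, score, caps in flag_suspicious(SAMPLE_INVENTORY):
        print(f"{package}: score {score}, capabilities {', '.join(caps)}")
```

Note that a legitimate messenger also reaches the threshold, because camera, microphone, SMS and account access are exactly what such apps need. The score is a triage aid that tells an analyst where to look first; the sideloaded app with every capability and abnormal battery use is the one that warrants an immediate forensic review.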
However, MDM is not foolproof when it comes to protecting mobile devices. Case in point: the European Commission suffered a data breach that affected its staff’s information. The EU executive detected a cyberattack against the infrastructure that manages corporate mobile devices.
Although it has not yet been clarified what happened, it is believed that malicious actors exploited vulnerabilities in Ivanti Endpoint Manager Mobile, a software used by numerous institutions and companies to enhance mobile security.
How to deal with attacks that seek to track the location of persons of interest in real time
What can we conclude from what we have just discussed? Geolocating persons of interest can have serious consequences for business leaders, political leaders, and their organizations.
Therefore, it is essential to prevent the execution of spyware on the mobile phones of persons of interest; to audit not only phones, but also IoT devices that allow a person’s location to be known; and to carry out tests to detect weaknesses that could be exploited by hostile actors to spy on their victims and geolocate them in real time.
To do this, it is essential to have advanced cybersecurity services such as:
- Security audits:
  - Bluetooth, to ensure that there are no vulnerabilities related to this wireless connection standard.
  - Mobile phones and the configuration of the MDM software used to protect the mobile phones of people of interest to companies and institutions, to verify that the security configurations adopted are optimal and to ensure there is no malware on their phones that allows them to be geolocated and spied on without their knowledge.
  - IoT devices, to identify security issues in smart devices that could open the door to geolocating people of interest.
- Vulnerability management. Exploiting vulnerabilities in mobile phones or IoT devices can be a crucial step in geolocating people of interest.
- Social engineering testing. In many cyberattacks, the entry vector for malicious actors is the victims themselves, who take inappropriate actions as a result of successful social engineering. Therefore, it is essential to train executives in organizations to prevent them from unknowingly infecting their mobile phones with dangerous malware.
- Proactive incident response. Upon detecting any indication that hostile actors are seeking to geolocate persons of interest, it is critical to act as quickly as possible to understand the attack and orchestrate a response that will end the security incident and limit its damage.
In short, cyber espionage targeting businesspeople and politicians is a very dangerous trend in the field of cybersecurity that can have particularly serious consequences for companies and institutions.
In addition to gaining access to confidential conversations and valuable information and documentation, malicious actors may attempt to geolocate their victims to establish comprehensive surveillance over them and reap (geo)political or economic benefits.
Big Brother is not watching us yet, but hostile actors may try to do so.