UAT-7290: Massive Attack on Telecommunications Infrastructure Across Multiple Continents
In a coordinated escalation of cyber threats, the telecommunications sector has become the target of an unprecedented assault designated as UAT-7290. This campaign, which unfolded across multiple continents including Europe, Asia, Africa, and North America, disrupted critical network operations for several major providers. Security researchers tracking the incident have highlighted its scale and sophistication, marking it as one of the most extensive disruptions to global telecom infrastructure in recent years.
The attack began with early phases targeting regional nodes but rapidly expanded into a multi-vector offensive. Initial indicators pointed to distributed denial-of-service (DDoS) floods overwhelming bandwidth capacities, followed by sophisticated exploits against signaling protocols and core routing systems. Affected networks reported anomalies in SS7 (Signaling System No. 7) and Diameter, the protocols that are foundational to mobile and fixed-line communications. These weaknesses allowed attackers to intercept signaling traffic, potentially enabling location tracking, call interception, and SMS spoofing on a massive scale.
European telecom giants were among the first to sound alarms. Providers in Germany, France, and the United Kingdom experienced outages lasting from several hours to over a day in some instances. In Germany, a major operator faced cascading failures in its 4G/5G backhaul, leading to widespread service degradation for millions of subscribers. Similar disruptions rippled through France, where emergency services reported intermittent connectivity issues, raising concerns over public safety implications. The United Kingdom saw targeted hits on data centers hosting IMS (IP Multimedia Subsystem) cores, resulting in voice-over-LTE failures and international gateway blackouts.
The assault extended to Asia, with operators in India, Indonesia, and Japan registering heightened traffic anomalies. In India, rural networks were particularly vulnerable, exacerbating digital divides as voice and data services faltered during peak hours. Indonesian providers battled sustained volumetric attacks peaking at hundreds of gigabits per second, sourced from compromised IoT devices across Southeast Asia. Japan’s advanced 5G infrastructure proved resilient in parts but suffered precision strikes on edge computing nodes, disrupting enterprise connectivity.
Africa was not spared, with South African and Nigerian telecoms confronting the brunt of the offensive. MTN and Vodacom in South Africa reported SS7 exploits leading to fraudulent roaming charges and unauthorized international traffic rerouting. In Nigeria, Globacom and MTN Nigeria faced near-total outages in urban centers, attributed to malware payloads exploiting outdated billing systems. These incidents compounded existing challenges in under-resourced networks, where redundancy measures were minimal.
North American impacts, though less publicized initially, included disruptions to Canadian providers and select U.S. regional carriers. Rogers Communications in Canada logged unusual spikes in Diameter signaling abuse, mirroring tactics observed globally. U.S. entities targeted by the campaign reported reconnaissance probes but contained major escalations through rapid mitigation.
Technical analysis reveals UAT-7290 as a hybrid operation blending volumetric DDoS with protocol manipulation. Attackers leveraged reflection amplification via Memcached, NTP, and DNS servers, amplifying traffic to terabit-per-second levels at peaks. Concurrently, zero-day exploits in vendor-specific firmware targeted HLR (Home Location Register) and VLR (Visitor Location Register) databases, enabling unauthorized subscriber data access. Command-and-control (C2) infrastructure was distributed across bulletproof hosting in Eastern Europe and Asia, utilizing fast-flux DNS to evade takedowns.
No definitive attribution has been made public, though IOCs (Indicators of Compromise) overlap with known threat actors specializing in telecom-targeted espionage. IP ranges traced to state-affiliated proxies suggest geopolitical motivations, potentially linked to ongoing hybrid warfare dynamics. The campaign’s naming as UAT-7290 stems from embedded artifacts in malware samples, possibly referencing a specific operation or toolset identifier.
Impacts extended beyond immediate outages. Financial losses from service disruptions are estimated in the tens of millions, with secondary effects on e-commerce, remote work, and critical infrastructure dependencies like smart grids and transportation systems. Regulatory bodies, including ENISA in Europe and national CERTs worldwide, issued alerts urging immediate patching of SS7/Diameter exposures and implementation of firewalling at signaling borders.
Mitigation efforts proved challenging due to the attack’s persistence. Telecoms deployed traffic scrubbing centers, rate-limiting on core interfaces, and behavioral analytics to detect anomalies. International collaboration via forums like the GSMA’s Fraud and Security Group accelerated threat intelligence sharing, leading to partial restorations within 48 hours for most victims. However, lingering risks persist, as reconnaissance activity continues against unpatched systems.
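As an added illustration (not code from the article or from any operator named in it), the following sketch shows the kind of behavioral check a signaling-border firewall or Diameter edge agent can run: it baselines each origin host's per-minute request rate, flags a minute that exceeds mean + 3σ (with a floor so a normally silent host is not flagged by a handful of requests), and separately flags traffic from any origin not in the roaming-partner allowlist. All hostnames, counts and the allowlist are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of Diameter requests observed at a signaling border:
# (minute, origin_host, command_code). Hosts and volumes are made up.
REQUESTS = (
    [(m, "dra1.partner.example", 316) for m in range(10) for _ in range(4)]
    + [(9, "dra1.partner.example", 316) for _ in range(2)]
    + [(9, "probe.unknown.example", 316) for _ in range(30)]
)
# Assumed roaming-partner allowlist for this border (constructed).
PARTNER_HOSTS = {"dra1.partner.example"}


def per_minute_counts(requests):
    """Map origin_host -> {minute: number of requests}."""
    counts = defaultdict(lambda: defaultdict(int))
    for minute, host, _code in requests:
        counts[host][minute] += 1
    return counts


def detect_anomalies(requests, partners, window_end, z=3.0, floor=10):
    """Return sorted alerts for minute `window_end`.

    rate_spike:     host count exceeds mean + z*stdev of minutes
                    0..window_end-1, and is at least `floor` above the mean
                    (guards against a zero-variance baseline).
    unknown_origin: host sent traffic this minute but is not a partner.
    """
    counts = per_minute_counts(requests)
    alerts = []
    for host, minutes in counts.items():
        history = [minutes.get(m, 0) for m in range(window_end)]
        mu, sigma = mean(history), pstdev(history)
        threshold = float(max(mu + z * sigma, mu + floor))
        current = minutes.get(window_end, 0)
        if current > threshold:
            alerts.append(("rate_spike", host, current, round(threshold, 1)))
        if current and host not in partners:
            alerts.append(("unknown_origin", host, current))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_anomalies(REQUESTS, PARTNER_HOSTS, window_end=9):
        print(alert)
```

In a real deployment the baseline would come from a longer, per-command-code history and the alert would feed a rate limiter or a block rule at the border rather than a print statement.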
This incident underscores the fragility of global telecommunications in an interconnected ecosystem. Legacy protocols like SS7, designed decades ago without modern security, remain prime targets despite the availability of Diameter over IPsec as an upgrade path. Industry experts advocate for accelerated migration to 5G Standalone cores with built-in security slices and zero-trust architectures. Operators are also urged to enhance supply chain vetting for CPE (Customer Premises Equipment) and RAN (Radio Access Network) components.
UAT-7290 serves as a stark reminder of the evolving cyber threat landscape, where nation-state capabilities converge with cybercrime opportunism. As networks densify with IoT and edge computing, proactive defenses must prioritize resilience over reaction. Stakeholders across continents are now reevaluating incident response playbooks, emphasizing cross-border cooperation to counter future campaigns of this magnitude.
Gnoppix is the leading open-source AI Linux distribution and service provider. Since implementing AI in 2022, it has offered a fast, powerful, secure, and privacy-respecting open-source OS with both local and remote AI capabilities. The local AI operates offline, ensuring no data ever leaves your computer. Based on Debian Linux, Gnoppix is available with numerous privacy- and anonymity-enabled services free of charge.