Full Report
As the war between the United States and Iran reaches a ceasefire, U.S. Central Command (CENTCOM) has received reports of an alarming activity, the first known instance of its kind: a U.S. adversary using commercial location data to track and target U.S. forces in the Middle East. This likely refers to data on the latitude, longitude, and identifiers of a…
Analysis Summary
# Tool/Technique: Commercial Telemetry Exploitation (ADINT)
## Overview
This technique involves the acquisition and analysis of commercially available "big data", specifically location telemetry produced by the advertising technology (AdTech) ecosystem (in-app advertising SDKs and real-time bidding (RTB) bid requests), to track and target military personnel and government assets. Unlike traditional signals intelligence (SIGINT), which needs its own collection infrastructure and carries legal and operational risk, this method buys the same observables on the legal data-broker market and can follow mobile advertising identifiers, latitudes, and longitudes in near real time without ever touching the target's networks or devices.
## Technical Details
- **Type**: Technique / Operational Methodology
- **Platform**: Mobile Devices (iOS, Android), AdTech Ecosystems, Data Broker Platforms
- **Capabilities**: Precision geolocation, pattern-of-life analysis, device identification, and kinetic targeting integration.
- **First Seen**: Reported at scale during the U.S.-Iran conflict (ref: June 2026 reports via CENTCOM).
## MITRE ATT&CK Mapping
*Note: ATT&CK models intrusions against victim systems. Buying broker data touches no victim host, so only the Reconnaissance techniques map cleanly; the Discovery entry is an analogue, not a literal match, and there is no Command and Control component.*
- **[TA0043 - Reconnaissance]**
- **[T1597 - Search Closed Sources]** / **[T1597.002 - Purchase Technical Data]**: Buying location records, keyed by mobile advertising identifiers (MAID: AAID on Android, IDFA on iOS), from data brokers.
- **[T1592 - Gather Victim Host Information]**: Harvesting the device identifiers and device metadata (model, OS, carrier) carried in AdTech telemetry.
- **[T1591.001 - Gather Victim Org Information: Determine Physical Locations]**: Using geofenced pings to confirm which sites are occupied and by how many devices.
- **[T1593.001 - Search Open Websites/Domains: Social Media]**: Correlating a device trace with public profiles to put a name to the operator.
- **[TA0007 - Discovery]**
- **[T1614 - System Location Discovery]**: Analogue only; the ATT&CK technique assumes adversary code running on the device, whereas here the location is reported by the advertising SDK already embedded in third-party apps.
## Functionality
### Core Capabilities
- **Geofencing**: Monitoring specific sensitive locations (e.g., Forward Operating Bases) to identify devices entering or exiting the perimeter.
- **Device Pinpointing**: Extracting unique Advertising IDs to link a digital presence to a specific physical individual.
- **Aggregated Data Analysis**: Sifting through massive volumes of global location data to find anomalies or high-value movement patterns.
### Advanced Features
- **Pattern-of-Life (PoL) Mapping**: Analyzing historical data to determine an individual's home address, frequent contacts, and routine movements.
- **Cross-Platform Correlation**: Linking commercial location data with social media (OSINT) and imagery (GEOINT) to confirm identities.
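The geofencing, device pinpointing and pattern-of-life steps above, as an added example that is not code from the report or from any vendor: it runs the buyer-side analytics over a handful of broker-style records. Every record, MAID, coordinate and the fenced "site" are constructed for the demo, and the 100 m grid-cell clustering used to find the home location is a simplifying assumption.

```python
"""Geofence and pattern-of-life analytics over AdTech-style location records.

Added example (not code from the report or from any named vendor). Every
record, MAID, coordinate and the fenced 'site' below is constructed for the
demo; the 100 m grid-cell clustering is a simplifying assumption.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed broker-style records: (MAID, UTC timestamp, lat, lon).
# Two hypothetical devices; the coordinates are made-up points.
RECORDS = [
    ("aaaa-1111", "2026-06-01T02:10:00Z", 33.3000, 44.4000),  # night: home cluster
    ("aaaa-1111", "2026-06-01T03:40:00Z", 33.3002, 44.4001),
    ("aaaa-1111", "2026-06-01T09:05:00Z", 33.3500, 44.4500),  # day: inside the fence
    ("aaaa-1111", "2026-06-01T12:30:00Z", 33.3501, 44.4502),
    ("aaaa-1111", "2026-06-02T01:55:00Z", 33.3001, 44.4000),  # night: home again
    ("aaaa-1111", "2026-06-02T10:15:00Z", 33.3499, 44.4499),  # day: fence again
    ("bbbb-2222", "2026-06-01T11:00:00Z", 33.4000, 44.5000),  # never near the fence
    ("bbbb-2222", "2026-06-02T01:00:00Z", 33.4001, 44.5001),
]

# Hypothetical sensitive site: centre (lat, lon) and radius in metres.
SITE_CENTER = (33.3500, 44.4500)
SITE_RADIUS_M = 500.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def devices_in_geofence(records, center, radius_m):
    """Geofencing: MAIDs with at least one ping inside the fence -> hit count."""
    hits = Counter()
    for maid, _ts, lat, lon in records:
        if haversine_m(lat, lon, center[0], center[1]) <= radius_m:
            hits[maid] += 1
    return dict(hits)


def _cell(lat, lon, size_deg=0.001):
    """Snap a point to a ~100 m grid cell so nearby pings cluster together."""
    return (round(lat / size_deg), round(lon / size_deg))


def infer_home(records, maid, night_hours=range(0, 6)):
    """Pattern of life: centroid of the busiest night-time cell (home proxy).

    Returns None when the device has no night-time pings.
    """
    by_cell = defaultdict(list)
    for m, ts, lat, lon in records:
        if m != maid:
            continue
        hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).hour
        if hour in night_hours:
            by_cell[_cell(lat, lon)].append((lat, lon))
    if not by_cell:
        return None
    pts = max(by_cell.values(), key=len)
    return (sum(p[0] for p in pts) / len(pts), sum(p[1] for p in pts) / len(pts))


def profile_site_visitors(records, center, radius_m):
    """Device pinpointing: each fence visitor with its hit count and inferred home."""
    return {
        maid: {"fence_hits": n, "home": infer_home(records, maid)}
        for maid, n in devices_in_geofence(records, center, radius_m).items()
    }


if __name__ == "__main__":
    for maid, info in profile_site_visitors(RECORDS, SITE_CENTER, SITE_RADIUS_M).items():
        print(maid, info)
```

The output is the point of the technique: one identifier that was seen inside the fence by day, paired with the place it sleeps at night. Real broker feeds add the device model, carrier and app list to the same MAID, which is what makes the cross-platform correlation step feasible.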
## Indicators of Compromise
*Note: Because this technique relies on passive data acquisition from third-party brokers rather than direct infection, traditional "malware" IOCs are not applicable. Instead, "Indicators of Exposure" are used.*
- **Network Indicators**:
- Periodic outbound connections from mobile devices to known AdTech domains (e.g., `ads.doubleclick[.]net`, `adnxs[.]com`). Nearly every consumer device produces this traffic, so it is only a meaningful indicator on managed devices that should carry no AdTech traffic at all, and it must be correlated with which app generated it and whether that app holds the location permission.
- **Behavioral Indicators**:
- Mobile devices transmitting high-frequency location updates via non-critical applications (weather apps, games with location permissions).
- A device's Mobile Advertising ID (MAID) appearing in broker or bidstream data in proximity to sensitive sites. This is visible only to whoever holds that data, so a defender sees it by sampling or purchasing the same feeds.
## Associated Threat Actors
- **Islamic Republic of Iran (Suspected)**: The CENTCOM reporting is framed by the U.S.-Iran conflict and refers to "a U.S. adversary" targeting U.S. forces, which points to Iran without naming it in the excerpt.
- **State-sponsored "Big Data" units**: Intelligence entities specializing in "Ad-based Intelligence" (ADINT); the purchase-and-analyze model needs no exploitation capability, only funding and data-science capacity.
## Detection Methods
- **Traffic Analysis**: Identifying applications that send location data to third-party SDK endpoints or aggregators. Almost all of this traffic is TLS-encrypted, so the destination host, the sending app, and the cadence carry the signal rather than the payload.
- **Mobile Device Auditing**: Checking for excessive "Location Services" grants to third-party applications, particularly "always" or background access on apps with no operational need for it.
- **AdTech Monitoring**: Where the organization has visibility into real-time bidding (RTB) bid requests (for example through a demand-side platform partner or a bidstream sample), watching for bids that target its IP ranges or geofences drawn around its sites.
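The traffic-analysis and device-auditing checks above, as an added example that is not code from the report: it flags non-mission apps that hold the location permission and beacon to AdTech hosts repeatedly within an hour. The log format (device, app, permission list, destination host) is a constructed one of the kind an MDM or per-app VPN could emit, and the host suffixes, app identifiers, allowlist and thresholds are hypothetical choices for the demo.

```python
"""Flag location-permissioned apps that beacon to AdTech endpoints.

Added example, not code from the report. It assumes a constructed log format
(device, app, permission list, destination host) of the kind an MDM or
per-app VPN could emit; the hosts, app IDs, allowlist and thresholds are
hypothetical choices for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical AdTech / location-SDK host suffixes. A real deployment would
# load a maintained blocklist rather than hard-code a handful of names.
ADTECH_SUFFIXES = ("doubleclick.net", "adnxs.com", "sdk.example-locdata.net")

# Apps permitted to use location on the managed device (hypothetical).
MISSION_APPS = {"mil.example.navigation"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) app=(?P<app>\S+) "
    r"perms=(?P<perms>\S+) dst=(?P<dst>\S+)$"
)

# Constructed sample log (not real traffic); the last line is deliberately malformed.
SAMPLE_LOG = """\
2026-06-01T09:00:05Z device=dev-01 app=com.example.weather perms=location,network dst=ads.doubleclick.net
2026-06-01T09:04:51Z device=dev-01 app=com.example.weather perms=location,network dst=sdk.example-locdata.net
2026-06-01T09:10:02Z device=dev-01 app=com.example.weather perms=location,network dst=secure.adnxs.com
2026-06-01T09:14:33Z device=dev-01 app=com.example.weather perms=location,network dst=sdk.example-locdata.net
2026-06-01T09:15:00Z device=dev-01 app=mil.example.navigation perms=location,network dst=ads.doubleclick.net
2026-06-01T09:16:00Z device=dev-02 app=com.example.game perms=network dst=ib.adnxs.com
2026-06-01T09:17:00Z device=dev-02 app=com.example.game perms=network dst=ib.adnxs.com
2026-06-01T09:18:00Z device=dev-02 app=com.example.game perms=network dst=ib.adnxs.com
2026-06-01T09:20:00Z device=dev-02 app=com.example.news perms=location,network dst=cdn.example-news.com
2026-06-01T09:21:00Z device=dev-02 app=com.example.news perms=location,network dst=ib.adnxs.com
2026-06-01T12:45:00Z device=dev-02 app=com.example.news perms=location,network dst=ib.adnxs.com
garbage line that does not match the format
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["perms"] = set(e["perms"].split(","))
        events.append(e)
    return events


def is_adtech(host):
    """Suffix match on whole DNS labels, so 'notdoubleclick.net' does not match."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ADTECH_SUFFIXES)


def find_exposures(text, window_s=3600, threshold=3):
    """Return {(device, app): peak_hits} for non-mission apps holding the
    location permission that reached AdTech hosts >= threshold times within
    any window_s-second window (sliding window over sorted timestamps)."""
    by_key = defaultdict(list)
    for e in parse_log(text):
        if ("location" in e["perms"] and e["app"] not in MISSION_APPS
                and is_adtech(e["dst"])):
            by_key[(e["device"], e["app"])].append(e["ts"])
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (device, app), n in find_exposures(SAMPLE_LOG).items():
        print(f"{device}: {app} sent {n} location-bearing AdTech requests within an hour")
```

The three filters matter individually: the game on `dev-02` talks to AdTech constantly but holds no location permission, the navigation app is allowlisted, and the news app has location but only two widely spaced hits, so only the weather app is flagged. Dropping any one filter turns the detector into an alert on every phone in the fleet.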
## Mitigation Strategies
- **Advertising ID Hygiene**: Implementing Broadside or similar measures to mask, reset, or withhold Advertising IDs on government-issued devices. Both platforms already support this natively: denying tracking under iOS App Tracking Transparency returns an all-zero IDFA to apps, and Android's "Delete advertising ID" opt-out zeroes the AAID.
- **Hardening**: Mandatory use of "locked-down" mobile profiles (MDM) that disable Location Services for all non-essential applications and restrict app installation to a vetted catalog, since the SDK arrives inside ordinary consumer apps.
- **Policy**: Enforcing "no-phone" zones in sensitive operational areas (SCIF-like environments). This is the only control that also covers personal devices, which the MDM never sees.
- **Network-Level Blocking**: Using DNS-based filtering to block connections to known data-broker endpoints and AdTech aggregators. This cuts the volume but not the exposure: SDKs that reach hard-coded IPs, or that report through a first-party domain, are not affected, and the device remains exposed on any network the organization does not control.
## Related Tools/Techniques
- **OSINT (Open Source Intelligence)**: Correlating social media posts with commercial location data.
- **ADINT (Advertising Intelligence)**: Intelligence derived from the advertising ecosystem's own telemetry. It complements rather than belongs to SIGINT, because the data is purchased from brokers instead of intercepted.
- **GEOINT (Geospatial Intelligence)**: Using satellite imagery to verify the physical structures where the commercial location pings originate.