Listen to the article
Iran’s largest mobile operator and digital company, MTN Irancell, maintains roaming agreements, submarine cable links and SS7 signalling connections with every major Gulf telecommunications carrier hosting a US military base. Its majority owner, IEI, manufactures the missile guidance systems that struck those bases on 28 February 2026. This is the architecture of cyber-enabled kinetic targeting — and the listed MTN Group at its centre.
On 28 February 2026, Iran launched retaliatory missile and drone strikes against the headquarters of the US Fifth Fleet in Bahrain, Al Udeid Air Base in Qatar, Ali Al-Salem Air Base in Kuwait, military installations in Saudi Arabia and the United Arab Emirates, and targets across Israel. The strikes demonstrated a degree of precision against fixed military infrastructure that demands scrutiny of how the Islamic Revolutionary Guard Corps (IRGC) acquired and refined the targeting data necessary to guide its weapons to their destinations.
This article examines a dimension of that targeting architecture that has received almost no attention: the role of MTN Irancell, Iran’s largest digital company and second-largest mobile telecommunications network, as a standing signals intelligence platform whose legitimate interconnect relationships with Gulf telecommunications carriers provide the IRGC with access to the signalling networks that serve every US military installation in the region. The analysis draws on publicly documented SS7 protocol vulnerabilities, confirmed instances of Iranian exploitation of telecommunications infrastructure for military targeting, the corporate and ownership structure of MTN Irancell, and the technical capabilities of its majority shareholder, Iran Electronics Industries (IEI).
The signalling architecture: how mobile networks communicate
Every mobile operator in the world is connected through standardised signalling protocols that enable subscribers to make calls, send messages and use data services when roaming outside their home network. For second and third generation (2G and 3G) networks, this signalling is carried by Signalling System 7, or SS7, a set of protocols developed in the late 1970s and standardised by the International Telecommunication Union in 1980. For fourth and fifth generation networks (4G and 5G), the equivalent function is performed by the Diameter protocol. Both systems remain in active use, and most operators maintain SS7 connectivity to support legacy roaming and fallback.
The fundamental design assumption of SS7 was that all participants in the network could be trusted. The protocol was created for a closed ecosystem of state-owned or regulated monopoly carriers and has no built-in authentication or encryption. Any network node with a valid “Global Title”, a unique SS7 address, can send signalling messages that will be accepted by other nodes as legitimate. This means that any mobile operator with SS7 access can, in principle, request the location of any subscriber on any other connected network, intercept text messages, redirect calls, and track movement patterns across international borders.
When a subscriber roams from their home network onto a foreign carrier, the SS7 system performs several functions. The visitor’s Home Location Register (HLR), maintained by their home operator, is updated with the identity of the foreign network. Calls and messages are routed back through the home network, and billing information is exchanged. Crucially, the foreign network’s Visitor Location Register (VLR) records which cell tower the subscriber is connected to, providing location data accurate to within a few hundred metres in urban areas. This information is routinely exchanged between networks as part of standard signalling operations.
The security implications of this architecture have been extensively documented. The Electronic Frontier Foundation has warned that SS7 “was not built with any security protocols, such as authentication or encryption, and has been exploited by governments, cyber mercenaries and criminals to intercept and read SMS messages”. In 2024, a senior official at the US Cybersecurity and Infrastructure Security Agency (CISA) reported to the Federal Communications Commission that SS7 and Diameter vulnerabilities had been used in “numerous attempts” to acquire location data, intercept voice and text messages, and deliver spyware to targets in the United States. In December 2024, US Senator Ron Wyden released information from the Department of Homeland Security identifying China, Russia, Iran and Israel as the primary countries exploiting SS7 for espionage.
MTN Irancell’s connectivity with Gulf carriers
MTN Irancell is not an isolated network operating behind a sanctions wall. It is a fully integrated participant in the global mobile telecommunications ecosystem, maintaining active roaming agreements with carriers across the Persian Gulf and beyond. Irancell’s own website advertises specific “Persian Gulf Hamsafar Packages” for subscribers travelling to the UAE, Oman, Saudi Arabia, Qatar, Bahrain and Kuwait. These packages offer voice, SMS and data services, and their existence confirms active, operational roaming agreements with carriers in each of those countries.
The physical infrastructure supporting these connections includes a submarine fibre-optic cable linking Iran to the UAE with access to the Fiber-Optic Link Around the Globe (FLAG) network, a dedicated Iran–Kuwait submarine communications cable, and high-frequency radio and microwave relay links to Kuwait and other regional states. Iran’s international connection services are provided through the Infrastructure Company of Iran, a subsidiary of the Telecommunication Company of Iran, which maintains satellite earth stations on thirteen platforms, including nine Intelsat and four Inmarsat stations.
Each roaming agreement requires the exchange of SS7 or Diameter signalling messages between the two operators. This means MTN Irancell holds valid Global Titles that allow it to communicate directly with the signalling infrastructure of Bahrain Telecommunications Company (Batelco), Vodafone Bahrain, Vodafone Qatar, Ooredoo Qatar, Zain Kuwait, VIVA Kuwait, Saudi Telecom Company, Mobily, Zain Saudi Arabia, Etisalat UAE, du (Emirates Integrated Telecommunications), Omantel and other Gulf carriers. These are the same carriers whose networks serve the areas surrounding every major US military installation in the region.
From signalling access to military targeting: documented precedents
The exploitation of telecommunications infrastructure for military targeting is not a theoretical risk. It is a documented Iranian capability with confirmed operational precedents.
Maritime targeting via telecom compromise
In November 2025, Amazon Web Services’ threat intelligence division published research documenting what it termed “cyber-enabled kinetic targeting”, a strategy it described as “a fundamental shift in how nation-state actors approach warfare” in which “cyber reconnaissance directly enables kinetic targeting”. The research documented how Imperial Kitten, a threat group linked to the IRGC, compromised the Automatic Identification System (AIS) platform for maritime vessels starting in December 2021, gaining access in some cases to CCTV cameras aboard ships. In January 2024, the attackers focused on a specific vessel. Five days later, Houthi forces, Iran’s Yemeni proxy, targeted that ship with a missile strike.
Amazon’s researchers described this as evidence that “cyber operations can provide adversaries with the precise intelligence needed to conduct targeted physical attacks against maritime infrastructure”. The pattern demonstrated that the IRGC uses telecommunications and digital infrastructure compromise as a precursor to kinetic strikes, providing precise targeting data that would traditionally require satellite or human intelligence assets.
CCTV exploitation for missile targeting and damage assessment
In a separate case documented by both Amazon and the Middle East Institute, MuddyWater, a cyber group linked to Iran’s Ministry of Intelligence and Security, used livestreams from compromised closed-circuit television servers in Jerusalem to provide real-time situational awareness, battle damage assessment and adjustment of missile targets during strikes against the city. The Middle East Institute’s post-conflict analysis of the June 2025 war concluded that “Iranian operatives hijacked Israeli internet-connected CCTV systems with the goal of exploiting them for real-time situational awareness, battle damage assessment, and adjustment of missile targets”, describing this as “a more sophisticated approach to tactical cyber espionage” in which “Iranian cyber units were able to extend their operational visibility deep into their adversary’s territory without deploying conventional ISR assets”.
The doctrinal shift: telecom as a weapons platform
These cases establish a clear doctrinal pattern. The IRGC and its affiliated intelligence organisations treat telecommunications infrastructure not as a passive utility but as an active intelligence collection and weapons targeting platform. The Middle East Institute described this as “the operational-tactical fusion of Iran’s cyber and kinetic domains”, noting that “the exploitation of civilian surveillance systems for real-time intelligence gathering during military operations points to a new level of battlefield integration”.
According to reliable sources in the Iranian opposition who spoke with National Security News, the IRGC is actively exploiting MTN Irancell’s signalling connections with Gulf carriers for military intelligence purposes. The IRGC has already demonstrated the capability and the doctrine with maritime AIS platforms, CCTV networks and other civilian digital infrastructure in its previous terrorist attacks.
What SS7 access to Gulf networks provides: the attack surface
An IRGC signals intelligence unit operating within, or through, MTN Irancell’s network operations centre has access to several categories of militarily significant information through standard SS7 signalling procedures.
Geolocation of military personnel
The most direct capability is the ability to locate any mobile device registered on a Gulf carrier’s network. Using standard SS7 procedures such as “Send Routing Information” (SRI) and “Provide Subscriber Information” (PSI) requests, an operator with valid SS7 access can determine which cell tower a target device is connected to. In densely built urban environments such as Manama, Doha or Abu Dhabi, this provides location accuracy to within a few hundred metres. In less dense areas around military installations, cell tower coverage may be broader but still sufficient to confirm whether a target is on base or has departed.
US military personnel stationed at Gulf bases carry personal mobile phones registered with local Gulf carriers. Their movement patterns between residential areas, military installations and off-base locations create a digital signature that is visible through SS7 signalling. An adversary conducting bulk PSI requests against phone numbers associated with areas near military installations could map the operational tempo of those bases over time, identifying surge periods, shift patterns and the locations of off-base accommodation used by military personnel.
Interception of communications
SS7 vulnerabilities allow not only location tracking but also interception of SMS messages and, in some configurations, voice calls. This is particularly significant for military personnel who may use personal devices for non-classified but operationally sensitive communications such as travel arrangements, schedule coordination, and social media activity that reveals locations, as well as SMS-based two-factor authentication for military email or administrative systems.
The 2017 German banking fraud case, in which attackers exploited SS7 to intercept SMS two-factor authentication codes and drain bank accounts, demonstrated that these vulnerabilities are not theoretical. The same technique, applied to military personnel, could compromise access to unclassified military systems, email accounts and logistics platforms.
Network traffic pattern analysis
Even without targeting individual devices, aggregate signalling traffic between Gulf carriers and their cell towers near military installations provides intelligence about base activity levels. A sudden increase in signalling traffic from towers serving a military installation may indicate heightened readiness, troop movements or the arrival of additional personnel. Conversely, a reduction in traffic may indicate deployment away from the base. This pattern analysis can be conducted passively through monitoring of signalling exchanges without sending any active queries, making it extremely difficult to detect.
The Sairan connection: where the telecom meets the missile
The structural relationship between MTN Irancell’s telecommunications capabilities and the IRGC’s weapons systems is not an inference drawn from circumstantial evidence. It is embedded in the corporate architecture of MTN Irancell’s ownership.
MTN Irancell is 51 per cent owned by the Iran Electronic Development Company (IEDC), a joint venture between two entities: Iran Electronics Industries (IEI), also known as Sairan, and the Bonyad Mostazafan (Foundation of the Oppressed). IEI is a subsidiary of the Ministry of Defence and Armed Forces Logistics (MODAFL). According to the US Treasury Department, which designated IEI in September 2008 pursuant to Executive Order 13382 for its role in the proliferation of weapons of mass destruction, IEI “offers a diversified range of military products including electro-optics and lasers, communication equipment, telecommunication security equipment, electronic warfare equipment, new and refurbished radar tubes, and missile launchers”. IEI also “manufactures military tactical communication systems” and electronic field telephones and switchboards.
IEI’s military significance extends far beyond legacy products. Iran Watch, the Wisconsin Project on Nuclear Arms Control’s tracking database, records that IEI “designs and produces communications, research and remote sensing satellites as well as ground stations” and that in 2015 it “reportedly concluded a memorandum of understanding with the BeiDou Navigation Satellite System (BDS) in China to transfer satellite navigation technology to Iran”. The German government has linked IEI to a laser gyroscope factory in Shiraz connected to Iran’s ballistic missile programme. IEI’s subsidiaries, including Electro Optic Sairan Industries Co. (SAPA), collaborate with other MODAFL entities to procure and integrate components for military applications, including unmanned aerial vehicles and missile guidance systems.
The significance of this ownership structure cannot be overstated. The same MODAFL entity that manufactures Iran’s missile guidance systems, electronic warfare equipment and satellite navigation hardware, and that has integrated Chinese BeiDou technology to make Iranian missiles resistant to US GPS jamming, is the co-owner of Iran’s largest mobile telecommunications network with active signalling connections to every major Gulf carrier. The intelligence gathered through Irancell’s telecom interconnects and the weapons systems that consume that intelligence share the same parent organisation, the same procurement networks and the same chain of command.
The Arya Hamrah data centre: built-in backdoors from inception
The integration between MTN Irancell’s telecom operations and the Iranian security apparatus was engineered from the company’s founding. Leaked records from 2008 reveal that MTN Irancell awarded a contract to manage its subscriber data centre to a consortium that included Sairan and Bonyad Mostazafan. An MTN executive testified that the Iranian side insisted on this arrangement: the foreign vendor could only operate MTN Irancell’s data centre if it partnered with those two regime-controlled entities. The result was a new company, Arya Hamrah, which was created to “camouflage” the procurement of restricted technologies and to ensure Iranian authorities had unfettered access to Irancell’s customer data. The regime built intelligence backdoors into MTN Irancell from its inception, embedding agents and systems to monitor subscribers.
This means that the subscriber data flowing through MTN Irancell’s systems, including the SS7 signalling data exchanged with Gulf roaming partners, is accessible to Sairan and, through it, to MODAFL and the IRGC. The Home Location Register that records which foreign network an Irancell subscriber is connected to, and the signalling messages exchanged with Gulf carriers to facilitate roaming, pass through infrastructure that was designed from the outset to provide the security apparatus with full access.
BeiDou, Chinese intelligence support, and the completed targeting chain
The targeting chain for Iran’s missile strikes on Gulf military installations can now be reconstructed from open-source evidence. It operates in three phases: intelligence collection, navigation integration and terminal guidance.
In the intelligence collection phase, the IRGC gathers precise location data on fixed and mobile targets through several channels, including satellite imagery provided by Chinese Yaogan and Jilin satellites, human intelligence from agents in Gulf states and, critically, signals intelligence gathered through telecommunications interconnects. Reports from the conflict zone indicate that China is transmitting satellite images and real-time electronic intelligence data to Iran, including the exact coordinates of American ships and bases.
In the navigation integration phase, the targeting data is programmed into missile and drone guidance systems that increasingly rely on China’s BeiDou satellite navigation system rather than the American GPS constellation. IEI/Sairan’s memorandum of understanding with BeiDou for satellite navigation technology transfer provides the industrial base for this integration. The shift to BeiDou makes Iranian weapons resistant to US GPS jamming and spoofing, which the US military has deployed extensively through assets such as the EC-130H Compass Call electronic warfare aircraft.
In the terminal guidance phase, the weapons are guided to their targets using a combination of inertial navigation, BeiDou satellite fixes and, in some cases, terrain-matching or electro-optical terminal guidance. The accuracy of the initial targeting data, gathered in part through the telecom signalling architecture, determines whether the weapon arrives within the terminal guidance system’s acquisition basket.
The entity that co-owns MTN Irancell sits at every node of this chain. Sairan/IEI provides the electronic warfare equipment, the satellite navigation integration, the missile guidance systems and the tactical communications infrastructure. Through its stake in Irancell and the Arya Hamrah data centre arrangement, it has access to the signalling data that feeds the intelligence collection phase. The telecom network and the weapons system are not parallel tracks within the same organisation. They are integrated components of a single weapons targeting architecture.
An IRGC veteran at the controls
Since January 2026, MTN Irancell has been led by Mohammed Hossein Soleimaniyan, a senior IRGC member and veteran of its operations both in Iran and abroad. He was installed after his predecessor, Alireza Rafiei, was dismissed for taking several hours to comply with the Supreme National Security Council’s order to shut down all communications on 8 January. The regime replaced a civilian executive with an IRGC operative to ensure immediate operational compliance.
With an IRGC commander at the helm, any previous ambiguity about whether MTN Irancell’s capabilities would be exploited for military purposes is eliminated. Soleimaniyan does not answer to MTN Group’s board in Johannesburg. He answers to the IRGC command structure, the same command structure that is ordering missile strikes on US and Israeli military installations and on civilian infrastructure and populations across the Gulf states. The network operations centre that manages Irancell’s SS7 signalling, the data centre that processes subscriber information and the roaming infrastructure that connects to Gulf carriers are all under the operational authority of an officer of the IRGC, a designated terrorist organisation.
On 28 February 2026, as Iranian missiles struck the Fifth Fleet headquarters in Bahrain, MTN Irancell’s network was simultaneously taken offline in a near-total communications blackout. NetBlocks confirmed that connectivity collapsed to approximately four per cent of normal levels. The same IRGC commander who controls the signalling infrastructure connected to Gulf carriers also controls the domestic blackout capability. The offensive intelligence collection function and the defensive information control function are unified under a single IRGC command.
Implications for MTN Group and its institutional investors
The analysis presented in this article reframes the legal and moral calculus of MTN Group’s 49 per cent stake in Irancell. The company’s standard defence, articulated repeatedly by CEO Ralph Mupita, is that MTN has “zero operational control” over MTN Irancell and that its stake is a “frozen asset” from which it cannot extract value. Even accepting this characterisation at face value, it does not address the central issue raised by this analysis: that MTN’s nearly two decades of investment, technical expertise and international legitimacy were instrumental in building the network infrastructure and establishing the international interconnect relationships that now serve as intelligence and targeting platforms for the IRGC’s missile and drone attacks on the United States and Israeli armed forces and civilian populations across the Gulf states.
Without MTN’s involvement from 2006 onwards, MTN Irancell would not have developed into a 70-million-subscriber network with a 42 per cent market share, sophisticated 4G and 5G infrastructure and comprehensive roaming agreements with carriers across the Gulf and beyond. The network’s scale, technical sophistication and international connectivity, all built with the participation of a Johannesburg-listed multinational, are precisely what make it valuable as an intelligence platform. The SS7 Global Titles, the Diameter interconnects, the submarine cable connections and the roaming agreements that provide access to Gulf carrier signalling networks exist because Irancell grew from a local venture into a world-class mobile operator under MTN’s partnership.
MTN Group is currently the subject of a US Department of Justice grand jury investigation disclosed in August 2025. It is defending litigation under the US Anti-Terrorism Act brought by the families of more than 500 American soldiers. Turkish rival Turkcell is pursuing a $4.2 billion lawsuit alleging that the Irancell licence was obtained through bribery. On 28 February 2026, Israel killed both of MTN Irancell’s ultimate controlling shareholders: Supreme Leader Ayatollah Ali Khamenei, who controlled the Bonyad Mostazafan, and Defence Minister Amir Nasirzadeh, who controlled MODAFL and, through it, Sairan/IEI.
The intelligence gathered during months of planning for Operation Epic Fury and Operation Roaring Lion will almost certainly include detailed mapping of IRGC communications and command networks, including how the IRGC utilises MTN Irancell’s infrastructure for intelligence purposes. That intelligence will be available to the Department of Justice and, through discovery processes, to the plaintiffs in the Anti-Terrorism Act litigation. The operational reality of how MTN Irancell’s signalling connections facilitate IRGC targeting of US and Israeli armed forces and civilians worldwide may soon be documented in court filings.
Questions for Gulf carriers and their regulators
This analysis also raises urgent questions for the Gulf telecommunications operators that maintain roaming agreements with MTN Irancell, and for the regulators in Bahrain, Qatar, Kuwait, Saudi Arabia and the UAE who oversee them. Those carriers have been facilitating SS7 signalling exchanges with an operator that is majority-owned by Iran’s defence ministry and a foundation controlled by the Supreme Leader, managed by an IRGC commander and deployed as a wartime blackout platform.
Their own networks, and the US military personnel, diplomats and allied forces who use them, have been exposed to a signalling-level intelligence collection threat from an adversary that has now struck their territory with missiles.
The immediate question is whether Gulf carriers have deployed SS7 firewalls capable of filtering anomalous or malicious signalling traffic from Iranian-origin networks. The GSMA, the global telecommunications industry association, estimated in 2021 that only 25 per cent of global operators had deployed signalling firewalls. Whether Bahrain’s Batelco, Qatar’s Vodafone or Kuwait’s Zain are among that 25 per cent is a matter of direct national security concern, given that Iranian missiles struck their countries on 28 February.
The broader question is whether roaming agreements with MTN Irancell should be maintained at all. A roaming agreement with an IRGC-controlled operator is not a commercial convenience. It is a standing intelligence collection channel available to a US-designated Foreign Terrorist Organisation that has just demonstrated both the capability and the willingness to strike military targets across the Gulf with precision-guided weapons.
The conventional understanding of MTN Irancell’s role in the Iranian regime’s operations has focused on domestic repression: internet shutdowns, mass surveillance, SMS-based psychological operations against protesters, and the weaponisation of communications blackouts to provide cover for mass killings. These are grave matters, extensively documented by this publication and others.
But the analysis presented here reveals a second, equally significant dimension. MTN Irancell is not only a tool of domestic repression. It is also a node in a military and terrorist targeting architecture that connects telecommunications intelligence collection to weapons guidance systems through their common ownership under MODAFL and the IRGC. The same corporate entity that owns 51 per cent of Iran’s largest mobile network manufactures missile guidance systems, integrates Chinese BeiDou satellite navigation and produces the electronic warfare equipment deployed by Iran’s armed forces. The signalling connections between MTN Irancell and Gulf carriers are not merely commercial roaming links. They are potential intelligence collection channels feeding a targeting chain that culminated on 28 February 2026 in missile strikes on US military installations across the region.
For MTN Group’s shareholders, the implication is that their company’s investment has helped construct not only a platform for censorship and repression in Iran but also a component of the intelligence infrastructure supporting missile attacks on American and Israeli forces and civilian populations in six countries. For the broader international community, the MTN Irancell case stands as one of the most consequential examples of how a foreign corporation’s investment in an authoritarian state’s telecommunications infrastructure can be weaponised in war and terrorism.
MTN has been asked to comment.