Nation-state hackers infiltrate Ribbon Communications in year-long breach
Farah Amod
Nov 21, 2025 2:00:00 AM
A US telecom provider has confirmed that foreign-backed hackers accessed its systems undetected for nearly a year.
What happened
Ribbon Communications, a major Texas-based telecom equipment provider, disclosed that its systems were compromised by nation-state hackers who remained active on its network from as early as December 2024 until discovery in September 2025. The breach was revealed in the company’s 10-Q filing with the U.S. Securities and Exchange Commission (SEC), made public on October 23.
While the attackers did not access core network systems or customer environments, they were able to retrieve four older customer files from laptops not directly connected to the internal network. Ribbon notified the three affected customers and launched an investigation in collaboration with federal law enforcement and external cybersecurity experts.
Going deeper
Ribbon Communications helps power global telecommunications by delivering systems that link traditional voice networks with modern internet communication platforms. Its customer base includes major telecom operators and government agencies, including Verizon, BT, Deutsche Telekom, and the U.S. Department of Defense.
The attackers' long dwell time without detection points to highly sophisticated tactics. Experts believe this incident aligns with a broader pattern of state-aligned cyber-espionage efforts, such as the Salt Typhoon campaign, in which threat actors compromise telecom infrastructure using custom backdoors like SNAPPYBEE and zero-day vulnerabilities in networking equipment.
The breach follows a recent incident involving F5 Networks, another telecom infrastructure provider, in which attackers accessed proprietary source code and vulnerability data, suggesting a growing focus on exploiting vendors to gain deep systemic access.
What was said
Ribbon stated it has not found evidence that the attackers accessed “material information” or breached customer systems. Security expert Ryan McConechy described the intrusion as “deeply concerning,” noting the year-long undetected presence. He also pointed to the stealthy tactics as consistent with advanced persistent threats, particularly those attributed to Chinese actors, though no nation was officially named.
McConechy stressed the need for improved cyber-readiness among infrastructure providers and cited the UK government’s recent Cyber-Code of Practice for telecommunications firms as a model for proactive defense.
The big picture
According to a joint cybersecurity advisory, “APT actors are exploiting vulnerabilities in the large backbone routers of telecommunications providers, specifically provider edge and customer edge routers that often lack visibility and are difficult to monitor, to gain and maintain persistent access.” These campaigns, active since at least 2019, have “breached global telecommunications privacy and security norms,” said Brett Leatherman, head of the FBI’s Cyber Division.
John Hultquist, Chief Analyst at Google Threat Intelligence Group, noted that “an ecosystem of contractors, academics, and other facilitators is at the heart of Chinese cyber espionage,” indicating how operations like Salt Typhoon have become deeply embedded in global telecom networks. Dutch intelligence agencies (MIVD and AIVD) also reported related activity in Europe, confirming that smaller ISPs and hosting providers have been targeted as well. The Ribbon Communications breach fits squarely into this broader pattern of long-term infiltration and exploitation of telecom infrastructure by state-backed actors.
FAQs
Why are telecom vendors like Ribbon frequent targets for nation-state attackers?
Vendors often support both private sector and government communications, making them ideal for gathering intelligence without directly breaching more secure end-client systems.
What is a “living off the land” technique?
It refers to attackers using existing system tools and processes to remain stealthy and avoid triggering alerts, making intrusions harder to detect.
What is the Salt Typhoon campaign mentioned in relation to this breach?
Salt Typhoon is a known cyber-espionage operation involving targeted attacks on telecom providers using custom malware and backdoors to gather intelligence.
How do nation-state actors typically gain long-term access to systems?
They often exploit unpatched vulnerabilities, use phishing for credential theft, or deploy malware that can avoid detection while mapping networks and extracting data over time.