US telco confirms hackers breached systems in stealthy state-backed cyber campaign – and remained undetected for nearly a year
The hackers remained undetected in Ribbon Communications’ systems for months
State-sponsored hackers breached the systems of US telecoms services firm Ribbon Communications, and stayed undetected for nearly a year.
Ribbon supplies software, IP, and optical networking systems to telecoms service providers, businesses, and critical infrastructure organizations including BT, Verizon, CenturyLink, Deutsche Telekom, and Tata, as well as public-sector bodies such as the US Defense Department and the City of Los Angeles.
In a filing with the US Securities and Exchange Commission (SEC), the company has revealed that “unauthorized persons, reportedly associated with a nation-state actor” had gained access to its network in December 2024.
"The Company promptly initiated its incident response plan and began an investigation, containment and remediation effort using multiple third-party cybersecurity experts, including federal law enforcement," it said.
"While the investigation is ongoing, the Company believes that it has been successful in terminating the unauthorized access by the threat actor."
Ribbon Communications said there was no evidence that the threat actor had accessed or exfiltrated any “material information”, and that it doesn't believe any government customers were impacted.
However, several customer files saved outside of the main network on two laptops appeared to have been accessed. Those customers have been notified, it said.
Who's behind the Ribbon Communications attack?
While the company hasn't identified the nation it believes to be responsible, Ryan McConechy, CTO of Barrier Networks, suggested that China is the most likely culprit.
"We don't know which nation state is behind the attack, or what their MO was, but the fact that they were inside the network for as long as a year before being noticed is deeply concerning," McConechy said.
"This could also suggest the attack was executed out of China, as their attackers often rely on living off the land and stealthy techniques to stay under the radar for as long as possible, allowing them to conduct reconnaissance which can advance their objectives in the future."
He also suggested that further investigation was needed to make sure that government customers weren't impacted.
"As we have seen with Salt Typhoon, Chinese threat actors have targeted major telco providers in the past with the specific objective of eavesdropping and collecting data on high-ranking officials in government, so it must be made clear whether or not this form of spying has occurred," he said.
Jon Abbott, co-founder and CEO of ThreatAware, cautioned Ribbon's customers that they should keep a close eye on future updates from the company.
"Given how long the attackers were inside Ribbon Communications’ systems, the full extent of the compromise may change as investigations continue," he said.
"This incident highlights the need for strong visibility across assets, robust cyber hygiene, and effective user validation. Telecommunications networks are vast and complex, continually expanding with technologies such as IoT and 5G. Without full visibility, security teams struggle to detect threats quickly, giving attackers the opportunity to remain hidden for long periods."
Living off the land techniques
State-backed threat groups, particularly Salt Typhoon, have built a reputation for stealthy attacks such as these in recent years. In June 2025, it was revealed that the group had breached a US state’s National Guard network in an equally lengthy campaign.
According to the US Department of Defense (DoD), Salt Typhoon lay low in the compromised network for almost a year, accessing military and law enforcement data.
Revelations of the campaign came less than a year after news that the group also breached telecommunications networks to record telephone conversations of “very senior” American political figures.
These long-running campaigns, which rely on “living off the land” techniques (using the administrative tools already present in the environment rather than introducing recognisable malware), let threat groups lie low in networks for extended periods while they conduct reconnaissance and move laterally into other networks.
The problem has reached such an extent that cybersecurity agencies, including the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC), have issued repeated warnings to critical infrastructure operators.
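The defensive counterpart to the “living off the land” problem described above is visibility over how built-in tools are used and for how long. The following is an added illustration, not code from ITPro, Ribbon Communications or any vendor quoted in this article. It assumes a constructed process-creation log in JSON-lines form, an assumed watch-list of dual-use administrative binaries, an assumed `svc_` naming convention for service accounts, and an assumed overnight quiet window; it flags admin tools launched from unusual parent processes or by service accounts at odd hours, then measures how long the flagged activity spans per host and account, which is the dwell-time figure the article is concerned with.

```python
"""Toy living-off-the-land (LOTL) detector over constructed process-creation events.

Added example for illustration only. The event format, the binary watch-list,
the service-account prefix and the quiet window are all assumptions.
"""
import json
from datetime import datetime

# Built-in administrative tools that are legitimate in daily use but blend in
# when abused. Assumed, non-exhaustive watch-list.
DUAL_USE_BINARIES = {"powershell.exe", "wmic.exe", "certutil.exe", "net.exe", "rundll32.exe"}

# Parents from which spawning an admin tool is unusual (assumed: office apps, web servers).
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}

SERVICE_ACCOUNT_PREFIX = "svc_"   # assumed naming convention
OFF_HOURS = range(0, 6)           # 00:00-05:59 UTC, assumed quiet window
LONG_DWELL_DAYS = 90              # assumed threshold for "long-running"

# Constructed sample events (JSON lines), one per process creation.
SAMPLE_EVENTS = """\
{"ts": "2024-12-03T02:14:07Z", "host": "edge-01", "user": "svc_backup", "parent": "services.exe", "image": "powershell.exe"}
{"ts": "2024-12-03T09:30:00Z", "host": "ws-117", "user": "jsmith", "parent": "explorer.exe", "image": "notepad.exe"}
{"ts": "2025-01-15T03:02:41Z", "host": "edge-01", "user": "svc_backup", "parent": "services.exe", "image": "wmic.exe"}
{"ts": "2025-02-20T11:45:12Z", "host": "ws-204", "user": "akim", "parent": "winword.exe", "image": "certutil.exe"}
{"ts": "2025-03-04T14:10:00Z", "host": "ws-117", "user": "jsmith", "parent": "explorer.exe", "image": "powershell.exe"}
{"ts": "2025-09-28T03:58:33Z", "host": "edge-01", "user": "svc_backup", "parent": "services.exe", "image": "net.exe"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def flag_event(ev):
    """Return the reasons an event looks like LOTL abuse; empty list if it looks benign."""
    reasons = []
    image = ev["image"].lower()
    if image not in DUAL_USE_BINARIES:
        return reasons
    if ev["parent"].lower() in UNUSUAL_PARENTS:
        reasons.append(f"{image} spawned by {ev['parent']}")
    if ev["user"].lower().startswith(SERVICE_ACCOUNT_PREFIX) and ev["ts"].hour in OFF_HOURS:
        reasons.append(f"{image} run by service account {ev['user']} at {ev['ts']:%H:%M} UTC")
    return reasons


def dwell_report(events):
    """Per (host, user), count flagged events and the days between the first and last one."""
    spans = {}
    for ev in events:
        if not flag_event(ev):
            continue
        key = (ev["host"], ev["user"])
        first, last, hits = spans.get(key, (ev["ts"], ev["ts"], 0))
        spans[key] = (min(first, ev["ts"]), max(last, ev["ts"]), hits + 1)
    return {key: {"days": (last - first).days, "hits": hits}
            for key, (first, last, hits) in spans.items()}


def long_dwell(events, threshold_days=LONG_DWELL_DAYS):
    """Only the (host, user) pairs whose flagged activity spans at least threshold_days."""
    return {k: v for k, v in dwell_report(events).items() if v["days"] >= threshold_days}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ev in evs:
        for reason in flag_event(ev):
            print(f"{ev['ts']:%Y-%m-%d} {ev['host']}: {reason}")
    for (host, user), info in long_dwell(evs).items():
        print(f"DWELL {host}/{user}: {info['hits']} hits over {info['days']} days")
```

Run as-is it reports four suspicious launches and one long-dwell pair: the service account on `edge-01` shows flagged activity spanning 299 days, which is the pattern a single alert-by-alert view would miss but a per-account timeline makes obvious. A daytime PowerShell launch from Explorer by an ordinary user is deliberately left unflagged, since alerting on every use of a built-in tool is what makes LOTL detection noisy in practice.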
Indeed, last year, the NCSC, along with Five Eyes allies, issued an advisory to organisations globally, specifically pointing to state-sponsored attackers from China and Russia as key threats in this regard.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.