US telco confirms hackers breached systems in stealthy state-backed cyber campaign – and remained undetected for nearly a year
The hackers remained undetected in Ribbon Communications’ systems for months
 
 
State-sponsored hackers breached the systems of US telecoms services firm Ribbon Communications, and stayed undetected for nearly a year.
Ribbon supplies software, IP, and optical networking systems to telecoms service providers, businesses, and critical infrastructure organizations including BT, Verizon, CenturyLink, Deutsche Telekom, and Tata, as well as public-sector bodies such as the US Defense Department and the City of Los Angeles.
In a filing with the US Securities and Exchange Commission (SEC), the company has revealed that “unauthorized persons, reportedly associated with a nation-state actor” had gained access to its network in December 2024.
"The Company promptly initiated its incident response plan and began an investigation, containment and remediation effort using multiple third-party cybersecurity experts, including federal law enforcement," it said.
"While the investigation is ongoing, the Company believes that it has been successful in terminating the unauthorized access by the threat actor."
Ribbon Communications said there was no evidence that the threat actor had accessed or exfiltrated any “material information”, and that it doesn't believe any government customers were impacted.
However, several customer files saved outside of the main network on two laptops appeared to have been accessed. Those customers have been notified, it said.
Who's behind the Ribbon Communications attack?
While the company hasn't identified the nation it believes to be responsible, Ryan McConechy, CTO of Barrier Networks, suggested that China is the most likely culprit.
"We don't know which nation state is behind the attack, or what their MO was, but the fact that they were inside the network for as long as a year before being noticed is deeply concerning," McConechy said.
"This could also suggest the attack was executed out of China, as their attackers often rely on living off the land and stealthy techniques to stay under the radar for as long as possible, allowing them to conduct reconnaissance which can advance their objectives in the future."
He also suggested that further investigation was needed to make sure that government customers weren't impacted.
"As we have seen with Salt Typhoon, Chinese threat actors have targeted major telco providers in the past with the specific objective of eavesdropping and collecting data on high-ranking officials in government, so it must be made clear whether or not this form of spying has occurred," he said.
Jon Abbott, co-founder and CEO of ThreatAware, cautioned Ribbon's customers that they should keep a close eye on future updates from the company.
"Given how long the attackers were inside Ribbon Communications’ systems, the full extent of the compromise may change as investigations continue," he said.
"This incident highlights the need for strong visibility across assets, robust cyber hygiene, and effective user validation. Telecommunications networks are vast and complex, continually expanding with technologies such as IoT and 5G. Without full visibility, security teams struggle to detect threats quickly, giving attackers the opportunity to remain hidden for long periods."
Living off the land techniques
State-backed threat groups, particularly Salt Typhoon, have built a reputation for stealthy attacks such as these in recent years. In June 2025, it was revealed the group breached a US state’s National Guard network in an equally lengthy campaign.
According to the US Department of Defense (DoD), Salt Typhoon laid low in the compromised network for almost a year, accessing military and law enforcement data.
Revelations of the campaign came less than a year after news that the group also breached telecommunications networks to record telephone conversations of “very senior” American political figures.
These long-running campaigns, known as “living off the land attacks”, enable threat groups to essentially lie low in networks, allowing them to conduct reconnaissance and move laterally into other networks.
The problem has reached such an extent that cybersecurity agencies, including the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC), have issued repeated warnings to critical infrastructure operators.
Indeed, last year, the NCSC, along with Five Eyes allies, issued an advisory to organisations globally, specifically pointing to state-sponsored attackers from China and Russia as key threats in this regard.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
