Rob Wright, Senior News Director, Dark Reading

October 31, 2025

4 Min Read

Source: Kristoffer Tripplaar via Alamy Stock Photo

Yet another US telecommunications firm has fallen victim to a nation-state cyberattack.

In its quarterly earnings report last week, Ribbon Communications disclosed that its network had been breached and that cyberattackers had lurked in the company’s environment for almost a year. The breach marks the latest in a string of attacks against US telecom firms, which have alarmed the cybersecurity community as well as government officials.

Ribbon, based in Plano, Texas, specializes in communications software and IP optical networking technology for service providers and critical infrastructure organizations. The company was formed in 2017 following the merger of Sonus Networks and Genband.

Nation-State Hackers Take Aim at Telcos Again

In its 10-Q filing with the US Securities and Exchange Commission on Oct. 23, Ribbon said it first detected the intrusion in early September and promptly initiated its incident response plan, with assistance from several third-party cybersecurity organizations and federal law enforcement.

“The Company has preliminarily determined that initial access by the threat actor may have occurred as early as December 2024, with final determinations dependent on completion of the ongoing investigation,” the 10-Q form stated. “As of the date of this quarterly report on Form 10-Q, we are not aware of evidence indicating that the threat actor accessed or exfiltrated any material information. Several customer files saved outside of the main network on two laptops do appear to have been accessed by the threat actor and those customers have been notified by the Company.”

Related:Dentsu Subsidiary Breached, Employee Data Stolen

The attackers were “reportedly associated with a nation-state actor,” according to the 10-Q filing. It’s unclear who made the association to nation-state actors. A Ribbon spokesperson tells Dark Reading that the company cannot disclose that information at the request of the third parties the company is working with.

Ribbon also said it believes that the attackers’ access has been cut off, and that the attack has not had a material impact on the company.

The company provided the following statement to Dark Reading.

“Ribbon prides itself on our long-standing partnerships with our customers and we know that security is a paramount concern within their networks. While we do not have evidence at this time that would indicate the threat actor gained access to any material information, we continue to work with our third-party experts to confirm this,” Ribbon said in the statement. “We have also taken steps to further harden our network to prevent any future incidents. Our investigation remains on-going, and we will provide any material updates as warranted.”

Related:Cybersecurity Firms See Surge in AI-Powered Attacks Across Africa

One Data Breach After Another for Telecom Sector

The attack on Ribbon follows several notable breaches of US firms, as well as telecom companies in other countries, in recent years. The most notable of these attacks were committed by Salt Typhoon, a Chinese nation-state threat group focused on cyberespionage.

The attacks, which first came to light in 2024, impacted several telecom and ISP providers such as Verizon, AT&T, and Lumen. The access achieved by Salt Typhoon actors, which included the telcos’ law enforcement request systems for wire-tapping and surveillance, sparked deep concern among government officials and lawmakers and led to efforts to bolster security for such companies.

However, more Salt Typhoon attacks came to light this year. And nation-state threat actors aren’t the only ones taking aim at telecom companies.

For example, a teenager accused of being a member of the Scattered Spider cybercriminal collective was arrested last year for allegedly hacking into several companies, including two US telecom firms. According to authorities, Remington Goy Ogletree allegedly used one of the breached telecom companies to send millions of phishing texts in a wide-ranging cryptocurrency theft campaign.

Related:YouTube Ghost Network Utilizes Spooky Tactics to Target Users

A US Army soldier was also arrested last year in connection with breaches of more than a dozen telecom providers. Cameron John Wagenius, who pled guilty to several charges this summer, hacked into 15 companies and stole call logs for high-profile individuals, including President Donald Trump.

While US government has taken steps to address cyber threats to the telecom sector, some of those efforts have run into obstacles. In January, the Trump administration disbanded the Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Safety Review Board (CSRB), which had been investigating the Salt Typhoon attacks. The CSRB had previously investigated a Chinese nation-state attack on Microsoft and issued a scathing report last year that said the breach was the result of “a cascade of security failures” at the technology giant.

More recently, Federal Communications Commission (FCC) Chair Brendan Carr announced his agency would seek to reverse an order from the previous FCC that imposed cybersecurity requirements on telecom companies. Under the Biden administration, the FCC ruled earlier this year that such companies are legally obligated to secure their networks under Section 105 of the Communications Assistance for Law Enforcement Act (CALEA).

However, Carr this week criticized the order, which he said “exceeded the agency’s authority” and failed to effectively address current cyber threats, and said the agency would vote to overturn it next month.

About the Author

Senior News Director, Dark Reading

Rob Wright is a longtime reporter and senior news director for Informa TechTarget’s security team. He is based in the Boston area.