Ribbon Communications Breach Marks Latest Telecom Attack

TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTogether, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.The US telecom company disclosed that suspected nation-state actors first gained access to its network in December of last year, though it's unclear if attackers obtained sensitive data.October 31, 2025Yet another US telecommunications firm has fallen victim to a nation-state cyberattack.In its quarterly earnings report last week, Ribbon Communications disclosed that its network had been breached and that cyberattackers had lurked in the company's environment for almost a year. The breach marks the latest in a string of attacks against US telecom firms, which have alarmed the cybersecurity community as well as government officials.Ribbon, based in Plano, Texas, specializes in communications software and IP optical networking technology for service providers and critical infrastructure organizations. The company was formed in 2017 following the merger of Sonus Networks and Genband. In its 10-Q filing with the US Securities and Exchange Commission on Oct. 23, Ribbon said it first detected the intrusion in early September and promptly initiated its incident response plan, with assistance from several third-party cybersecurity organizations and federal law enforcement. "The Company has preliminarily determined that initial access by the threat actor may have occurred as early as December 2024, with final determinations dependent on completion of the ongoing investigation," the 10-Q form stated. "As of the date of this quarterly report on Form 10-Q, we are not aware of evidence indicating that the threat actor accessed or exfiltrated any material information. Several customer files saved outside of the main network on two laptops do appear to have been accessed by the threat actor and those customers have been notified by the Company."Related:SonicWall Firewall Backups Stolen by Nation-State ActorThe attackers were "reportedly associated with a nation-state actor," according to the 10-Q filing. It's unclear who made the association to nation-state actors. A Ribbon spokesperson tells Dark Reading that the company cannot disclose that information at the request of the third parties the company is working with.Ribbon also said it believes that the attackers' access has been cut off, and that the attack has not had a material impact on the company. The company provided the following statement to Dark Reading."Ribbon prides itself on our long-standing partnerships with our customers and we know that security is a paramount concern within their networks. While we do not have evidence at this time that would indicate the threat actor gained access to any material information, we continue to work with our third-party experts to confirm this," Ribbon said in the statement. "We have also taken steps to further harden our network to prevent any future incidents. Our investigation remains on-going, and we will provide any material updates as warranted."Related:Nikkei Suffers Breach Via Slack CompromiseThe attack on Ribbon follows several notable breaches of US firms, as well as telecom companies in other countries, in recent years. The most notable of these attacks were committed by Salt Typhoon, a Chinese nation-state threat group focused on cyberespionage. The attacks, which first came to light in 2024, impacted several telecom and ISP providers such as Verizon, AT&T, and Lumen. The access achieved by Salt Typhoon actors, which included the telcos' law enforcement request systems for wire-tapping and surveillance, sparked deep concern among government officials and lawmakers and led to efforts to bolster security for such companies.However, more Salt Typhoon attacks came to light this year. And nation-state threat actors aren't the only ones taking aim at telecom companies. For example, a teenager accused of being a member of the Scattered Spider cybercriminal collective was arrested last year for allegedly hacking into several companies, including two US telecom firms. According to authorities, Remington Goy Ogletree allegedly used one of the breached telecom companies to send millions of phishing texts in a wide-ranging cryptocurrency theft campaign.Related:Iran's Elusive "SmudgedSerpent' APT Phishes Influential US Policy WonksA US Army soldier was also arrested last year in connection with breaches of more than a dozen telecom providers. Cameron John Wagenius, who pled guilty to several charges this summer, hacked into 15 companies and stole call logs for high-profile individuals, including President Donald Trump. While US government has taken steps to address cyber threats to the telecom sector, some of those efforts have run into obstacles. In January, the Trump administration disbanded the Cybersecurity and Infrastructure Security Agency's (CISA) Cyber Safety Review Board (CSRB), which had been investigating the Salt Typhoon attacks. The CSRB had previously investigated a Chinese nation-state attack on Microsoft and issued a scathing report last year that said the breach was the result of "a cascade of security failures" at the technology giant.More recently, Federal Communications Commission (FCC) Chair Brendan Carr announced his agency would seek to reverse an order from the previous FCC that imposed cybersecurity requirements on telecom companies. Under the Biden administration, the FCC ruled earlier this year that such companies are legally obligated to secure their networks under Section 105 of the Communications Assistance for Law Enforcement Act (CALEA).However, Carr this week criticized the order, which he said "exceeded the agency's authority" and failed to effectively address current cyber threats, and said the agency would vote to overturn it next month.Rob WrightSenior News Director, Dark ReadingRob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area. 2025 DigiCert DDoS Biannual ReportDigiCert RADAR - Risk Analysis, Detection & Attack ReconnaissanceThe Total Economic Impact of DigiCert ONEIDC MarketScape: Worldwide Exposure Management 2025 Vendor AssessmentThe Forrester Wave™: Unified Vulnerability Management Solutions, Q3 2025How AI & Autonomous Patching Eliminate Exposure RisksThe Cloud is No Longer Enough: Securing the Modern Digital PerimeterSecuring the Hybrid Workforce: Challenges and SolutionsCybersecurity Outlook 2026Threat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesYou May Also LikeNov 13, 2025How AI & Autonomous Patching Eliminate Exposure RisksThe Cloud is No Longer Enough: Securing the Modern Digital PerimeterSecuring the Hybrid Workforce: Challenges and SolutionsCybersecurity Outlook 2026Threat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesPKI Modernization WhitepaperEDR v XDR v MDR- The Cybersecurity ABCs ExplainedHow to Chart a Path to Exposure Management MaturitySecurity Leaders' Guide to Exposure Management StrategyThe NHI Buyers GuideCopyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.