Nation-State Hackers Continue to Plague Telecoms as Ribbon Security Breach Causes Alarm

November 5, 2025


A new security breach at a major US telecom contractor, also widely used by international firms and the software industry, appears to have resulted in limited damage but is serving as yet another reminder of the activity level and capability of nation-state hackers.

The breach victim in this case is Ribbon Communications, a widely used communications equipment provider that counts Verizon and Deutsche Telekom among its clients (as well as US government agencies). Ribbon says that only three “smaller clients” suffered exposure as a result of the security breach, but that the attackers made landfall in its network in December 2024 and were not detected until September 2025.

Unspecified nation-state hackers to blame for Ribbon Communications breach

The Ribbon breach came to light by way of the company’s most recent quarterly filing, which was unsurprisingly limited in detail to pretty much what is legally required. The company did mention that suspected “nation-state hackers” were to blame, but has declined to name the nation thus far.

Of course, when you mention long and stealthy breaches of telecoms, one particular candidate naturally comes directly to mind. There is no solid word that China’s “Typhoon” nation-state hackers are involved as of yet, but the security breach fits their usual profile to a “T.” Groups like Salt and Silk Typhoon have centrally focused on major espionage breaches of all the major US telecoms over the last two years as well as international firms and government targets.

China has typically refused to take any responsibility for these security breaches, despite attribution by various nations and independent security experts; the Chinese embassy in the US also denied involvement with the Ribbon breach, and the country has gone on something of a media offensive as of late with counter-accusations of NSA hacking of its own government agencies such as the National Time Service Center.

Security breaches by APT groups gradually becoming everyone’s problem

Nevertheless, the quiet entry and very long breach window without detection do definitely point to nation-state hackers. And very few actors other than China both have the technical capability and make sense as suspects.

The list of Ribbon clients certainly raises serious concerns about the security breach, when one sees not just Verizon present but also the U.S. Defense Department, Softbank and City of Los Angeles among others. But, though the company says the investigation is ongoing, it presently has found that only these three unspecified “smaller clients” were impacted and that file exposure was limited to “older files” on two client laptops that were outside their networks.

Still, one must ask why the nation-state hackers were lurking for nearly a year if that was all they were able to obtain access to. They may have been waiting for an opportunity at the higher-value targets, and it raises further questions about how many other similar compromises are currently going undetected around the world. For its part, Ribbon says that it has taken measures to harden its security against future intrusions and brought in third-party forensic assistance. Clients should probably assume at least potential exposure given that the investigation remains open and take reasonable precautions.