Major telecom supplier compromised by unnamed nation-state attackers

Summary

Ribbon Communications, a supplier of communications software and IP optical networking kit to major carriers (including Verizon, BT, Lumen/CenturyLink, Deutsche Telekom, SoftBank, TalkTalk and Tata) and government customers such as the US Department of Defense, was breached by an actor reportedly tied to a nation-state.

According to Ribbon’s SEC filing and company statements, intruders gained access to the firm’s IT network last December, remained undetected for roughly nine months, and were discovered in early September. The company says investigators believe the unauthorised access has been terminated. Investigations involve multiple third-party cybersecurity firms and federal law enforcement, and CISA has acknowledged awareness of the disclosure.

Ribbon says the attackers accessed four older files stored outside the main network on two laptops; those files belonged to three smaller customers who have been notified. The company declined to identify the attacker, citing requests from the federal agency assisting Ribbon. Ribbon also says there is currently no evidence the actor gained access to “material information.”

Key Points

  • Ribbon Communications experienced a nation-state-linked intrusion that began in December and was discovered in early September.
  • Attackers remained undetected on Ribbon’s network for about nine months.
  • Four older files on two laptops, belonging to three smaller customers, were accessed; affected customers have been notified.
  • Ribbon is working with multiple third-party cyber experts, federal law enforcement and CISA; the company says unauthorised access appears to have been terminated.
  • The incident involves a high-value supplier to major carriers and government bodies, making it attractive to espionage groups; observers note similarities to the China-linked “Salt Typhoon” campaign.

Context and relevance

Third-party supplier breaches are a critical vector for espionage because attackers can pivot from vendors into carrier and government customer environments. Ribbon’s customer list — which includes large telcos and the US DoD — elevates the potential impact compared with a typical corporate breach. The episode follows a string of high-profile telecom-focused campaigns (for example, Salt Typhoon) where long dwell times and lateral movement enabled widespread data theft.

For security teams and network operators, this reinforces the need for strict segmentation, robust endpoint controls, careful tracking of off-network file storage, and rapid third-party risk management and detection capabilities.

Why should I read this?

Because this is the kind of breach that can quietly ripple through entire carrier and government ecosystems. If you care about network security, supply‑chain risk or protecting sensitive comms infrastructure, the tiny details matter — who had access, where files were stored, how long the snoops lasted. We skimmed the formal filings and the key facts so you don’t have to.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/10/29/major_telco_networking_provider_compromised/