Ribbon Communications, a key American telecom firm that helps run the world’s major phone and data networks, has revealed a major security breach. The company confirmed that nation-state hackers, working for an unnamed foreign power, infiltrated its computer systems and remained hidden for almost a full year without detection.
The Texas-based company, which makes the technology that enables real-time communications (like allowing a standard voice call to connect with web-based systems or conference applications), made the disclosure public in its 10-Q Quarterly Report filed with the US Securities and Exchange Commission (SEC) and published on its own website on October 23.
Discovery and Damage Assessment
Ribbon discovered the unauthorised access in early September 2025, prompting an immediate investigation. Early probing revealed that the initial compromise may have occurred as far back as December 2024.
The company stated that they have found no evidence yet that the attackers gained access to any “material information” or managed to infiltrate any of their customers’ own systems. However, they did confirm that the hackers accessed four older customer files saved on two laptops outside of the main network, and the three smaller customers whose files were involved have already been notified.
A Broader Espionage Trend
Ribbon Communications is currently working with federal law enforcement and multiple outside experts to investigate the intrusion, and they believe the attackers have been successfully evicted from the network.
This exposure is particularly upsetting because Ribbon Communications serves a vast, international customer base, including telecom giants like Verizon, BT, Deutsche Telekom, and even the US Department of Defence.
This incident intensifies the threat to telco firms, given the consistently increasing trend of nation-state actors targeting them for espionage. As Hackread.com has been observing lately, this aligns with major ongoing campaigns such as the Salt Typhoon campaign, where telecom organisations globally were targeted using backdoors like SNAPPYBEE and leveraging network device vulnerabilities.
It also follows the recent state-backed attack on F5, which led to the theft of BIG-IP source code and vulnerability research. The pattern shows a clear focus on technology providers to gain deep intelligence.
The year-long breach comes as no surprise: companies like Ribbon are high-value targets for state-aligned hackers, especially since they work with both major government and critical infrastructure organisations, making them a vital point of compromise in the global supply chain.
In response to the news, Ryan McConechy, CTO of Barrier Networks, shared comments with Hackread.com, emphasising the concerning stealth of the attack:
“This latest breach against a major telecommunications provider is further evidence that the online world has become the preferred playing field for all adversaries today. We don’t know which nation state is behind the attack, or what their MO was, but the fact that they were inside the network for as long as a year before being noticed is deeply concerning.
This could also suggest the attack was executed out of China, as their attackers often rely on living off the land and stealthy techniques to stay under the radar for as long as possible, allowing them to conduct reconnaissance, which can advance their objectives in the future.”
McConechy concluded by stressing the need for better preparation among critical infrastructure providers:
“As nation state threat actors focus their attention on targeting critical infrastructure and other telco firms, it is essential these organisations are prepared for these assaults. The UK government recently updated its cyber-Code of Practice for Telcos, so following the recommendations outlined there is a vital first step.”




