Telecommunications provider Ribbon Communications, which supplies secure cloud and networking solutions to a vast array of global customers including the U.S. Department of Defense, the City of Los Angeles, and major carriers like Verizon and Deutsche Telekom, has been compromised by a suspected nation-state actor. In a filing with the U.S. Securities and Exchange Commission (SEC) on October 23, the company revealed it first detected the security breach in early September 2025. However, the initial access by the sophisticated threat actor is believed to have occurred as far back as December 2024, allowing the intruders nearly a year of undetected presence within the network.
Ribbon confirmed that upon discovery, it immediately launched its incident response plan, engaging third-party cybersecurity experts and cooperating with federal law enforcement to contain and investigate the incident. The company stated that it believes it was successful in terminating the unauthorized access. While the investigation is ongoing to fully determine the scope, the company has stated that it has not yet found evidence that the attackers accessed or stole any “material information” from its main network or its customers’ systems, though a final determination is pending.
Despite the limited evidence of large-scale theft, Ribbon did confirm that the hackers gained access to files belonging to multiple customers. These files were specifically located outside of the company’s main network on two separate laptops. The company has since informed the impacted customers, which Reuters reported included at least three “smaller customers.” Ribbon anticipates incurring additional costs during the fourth quarter of 2025 related to the investigation and efforts to strengthen its network, though it does not expect these costs to be financially material to the company.
Although Ribbon Communications has not publicly named a specific perpetrator, the nature of the attack bears a strong resemblance to the widespread telecom breaches that were previously attributed to Salt Typhoon, a Chinese cyber-espionage group. This group has a history of targeting multiple telecom and critical infrastructure organizations, with past victims including AT&T, Verizon, and the satellite communications company Viasat. The ability of the attackers to maintain a long-term, stealthy presence within a critical network like Ribbon’s aligns with the advanced tactics utilized by this and other nation-state groups.
The breach at Ribbon Communications highlights a continued and concerning pattern of state-sponsored espionage targeting the foundational infrastructure of global communications. As a critical link in the supply chain for governments and global telecom giants, a compromise of Ribbon’s systems poses a significant potential risk to the integrity and security of the wider communications ecosystem. The company continues to work with experts to fully understand the impact and prevent similar sophisticated intrusions in the future.