Ribbon Communications Discovers Nine-Month Network Breach
American telecommunications company Ribbon Communications has disclosed a security breach of its IT network. The company suspects hackers working for a foreign government conducted the intrusion. The timeline raises serious concerns: the attack began in December 2024, but Ribbon didn't discover the compromise until September 2025—nine months later.
Who Ribbon Communications Serves
Ribbon develops network and communication solutions for telecommunications operators and critical infrastructure providers globally. The company's client list demonstrates its access to sensitive systems and data.
Government and public sector customers include:
- U.S. Department of Defense
- Los Angeles city authorities
- Los Angeles Public Library
- University of Texas at Austin
Major telecommunications providers also rely on Ribbon's solutions:
- Verizon
- BT (British Telecom)
- Deutsche Telekom
- Softbank
- TalkTalk
This customer base makes Ribbon an attractive target for espionage operations. Compromising a vendor that serves major telecoms and government agencies provides potential access to multiple downstream targets through a single breach.
Discovery and Initial Response
Ribbon learned about the unauthorized access in early September 2025. The company filed a report with the U.S. Securities and Exchange Commission disclosing the incident, as required by regulations governing publicly traded companies.
According to Ribbon representatives, they quickly contained the attack after discovery and blocked the intruders' access. The company launched an investigation involving federal law enforcement agencies and external cybersecurity specialists. This multi-party investigation approach is standard for breaches affecting critical infrastructure and defense-related systems.
The Nine-Month Detection Gap
The timeline presents troubling questions. How did attackers maintain access to Ribbon's network for nine months without detection? What activities did they conduct during that period? What data did they access, copy, or modify?
Modern security operations typically include monitoring tools designed to detect unauthorized access within hours or days, not months. A nine-month dwell time—the period between initial compromise and detection—suggests either sophisticated attacker techniques that evaded security controls or inadequate monitoring on Ribbon's part.
In my opinion, this detection delay represents a significant security failure. Per standard security practices, organizations serving critical infrastructure should implement robust monitoring that identifies intrusions much faster. Nine months provides attackers with extensive opportunity to explore networks, identify valuable data, establish multiple access points, and exfiltrate information.
What the Attackers Accessed
Ribbon states that investigators found no evidence of critical data leaks. However, the company confirmed that attackers accessed files belonging to several clients. These files were stored on two laptops located outside the main network.
This detail raises additional questions. Why were client files stored on laptops outside the main network? Were these laptops properly secured? Did they follow the same security policies as systems on the corporate network?
According to Reuters sources, three small Ribbon clients were among those whose files the attackers accessed. The company hasn't publicly identified these clients or specified what information the compromised files contained.
The statement that no "critical data" leaked deserves scrutiny. Companies often define "critical" narrowly to minimize disclosure obligations and reputational damage. Data that the company doesn't consider critical might still be valuable to clients or useful to attackers.
Potential Attribution to Salt Typhoon
Ribbon hasn't named the specific hacker group responsible for this attack. However, security experts note similarities between this incident and breaches of telecommunications companies last year attributed to Salt Typhoon, a cyber-espionage group.
Salt Typhoon drew significant attention from U.S. authorities in 2024. CISA (Cybersecurity and Infrastructure Security Agency) and the FBI issued warnings about compromises affecting numerous telecommunications operators in the United States and other countries.
The list of companies Salt Typhoon targeted includes major American telecommunications providers:
- AT&T
- Verizon
- Lumen (formerly CenturyLink)
- Charter Communications
- Windstream
These breaches demonstrated sophisticated capabilities and persistent access to telecommunications infrastructure. If Salt Typhoon or a similar group conducted the Ribbon attack, it would represent a continuation of a broader campaign targeting the telecommunications supply chain.
Understanding Salt Typhoon's Operations
Salt Typhoon focuses on cyber-espionage rather than financial gain or destructive attacks. The group's objectives include:
- Gathering intelligence on communications infrastructure
- Accessing customer data and communications
- Mapping network architectures for future operations
- Establishing persistent access for long-term monitoring
These goals align with the priorities of nation-state intelligence services. Telecommunications infrastructure provides visibility into communications, user locations, network traffic patterns, and relationships between individuals and organizations.
The group's previous targeting of major U.S. telecommunications companies suggests either Chinese or Russian intelligence interests, though definitive attribution requires evidence that security researchers often cannot publicly share.
The Supply Chain Attack Vector
Targeting Ribbon represents a supply chain attack approach. Rather than directly compromising every telecommunications company of interest, attackers can breach a vendor that serves multiple operators. This provides broader access through a single compromise.
Supply chain attacks have become increasingly common. High-profile examples include:
- The SolarWinds compromise, where attackers inserted malicious code into software updates distributed to thousands of organizations
- The Kaseya ransomware attack, which leveraged remote management software to compromise managed service providers and their clients
- Various attacks on managed security service providers to access their customers' networks
Ribbon's role as a vendor to major telecommunications companies and government agencies makes it a valuable supply chain target. The attackers may have sought:
- Technical details about telecommunications infrastructure
- Customer lists and contact information
- Contract details revealing network architectures and security controls
- Credentials that could enable access to client systems
- Intelligence about upcoming technology deployments
The Broader Telecommunications Threat Landscape
The telecommunications sector faces persistent targeting from sophisticated threat actors. Several factors make this industry particularly attractive to espionage operations:
Access to Communications: Telecommunications companies handle voice calls, text messages, and data traffic for millions of users. Compromising these systems provides visibility into communications that might otherwise require individual device compromises.
Metadata Collection: Even encrypted communications reveal metadata—who communicates with whom, when, how often, and from what locations. This information supports intelligence analysis about networks and relationships.
Critical Infrastructure Role: Telecommunications infrastructure supports emergency services, government operations, financial systems, and countless other critical functions. Access to these networks enables both intelligence gathering and potential disruption.
Customer Data: Telecommunications companies maintain detailed customer information including identities, addresses, payment details, and usage patterns.
Network Visibility: Providers can see traffic patterns, routing information, and technical details about network architecture that support both current intelligence needs and planning for future operations.
Implications for Ribbon's Clients
Organizations that rely on Ribbon's solutions should take several actions:
Incident Assessment: Contact Ribbon to determine whether your organization's data was among the files accessed. Don't accept vague assurances—request specific details about what information the attackers might have obtained.
Security Review: Evaluate systems and networks where Ribbon products are deployed. Look for indicators of compromise that might suggest attackers used access to Ribbon's network as a stepping stone to client environments.
Credential Changes: If Ribbon had any credentials or access tokens for your systems, change them immediately. Assume attackers obtained any authentication materials stored on Ribbon's network.
Contract Review: Examine contracts with Ribbon regarding security requirements, data handling, and breach notification obligations. Determine whether the nine-month detection delay violated any contractual terms.
Vendor Security Assessment: Use this incident as a prompt to review security practices across all vendors with access to sensitive systems or data. Request evidence of monitoring capabilities, incident response plans, and security audits.
Alternative Vendors: Consider whether Ribbon's security posture justifies continuing the relationship. A nine-month detection gap indicates serious security program deficiencies.
For the Telecommunications Industry
This breach adds to mounting evidence that telecommunications infrastructure faces sustained, sophisticated targeting. Several recommendations emerge:
Enhanced Vendor Risk Management: Implement rigorous security requirements for all vendors with access to telecommunications infrastructure or customer data. Require evidence of effective security controls, not just compliance checkboxes.
Supply Chain Monitoring: Deploy detection capabilities that identify suspicious activity originating from vendor connections. Many breaches involve attackers pivoting from compromised vendors into client networks.
Segmentation: Limit vendor access to only systems and data necessary for their specific services. Excessive access increases the impact of vendor compromises.
Continuous Validation: Regularly test vendors' security through assessments, audits, and exercises. Security programs decay over time without active maintenance and validation.
Information Sharing: Participate in information sharing communities like the Communications ISAC (Information Sharing and Analysis Center). Early warning about threats affecting the sector helps organizations prepare defenses.
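The segmentation and supply-chain-monitoring recommendations above can be turned into a concrete, automatable check: codify what a vendor account is allowed to do (which hosts, from which source range, during which maintenance window) and flag every authentication event that falls outside it. The script below is an added example written for this article, not code from Ribbon, any of its clients, or any product named on the page. The account name `vendor-svc`, the host names, the 203.0.113.0/24 vendor VPN range and the 01:00 to 05:00 UTC window are all hypothetical, and the log lines are constructed for the example.

```python
"""Vendor-access policy check over constructed audit log lines.

Hypothetical example: a vendor service account may reach only an
allowlisted set of hosts, only from the vendor's documented VPN range,
and only inside an agreed maintenance window. Any event that violates
one of those constraints is reported with the reasons it failed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
import re

# Constructed syslog-like authentication events (not from any real system).
SAMPLE_LOG = """\
2025-03-02T02:14:05Z auth user=vendor-svc src=203.0.113.14 dst=sbc-mgmt-01 result=success
2025-03-02T02:20:41Z auth user=vendor-svc src=203.0.113.14 dst=sbc-mgmt-02 result=success
2025-03-04T13:02:17Z auth user=vendor-svc src=203.0.113.14 dst=sbc-mgmt-01 result=success
2025-03-05T03:11:09Z auth user=vendor-svc src=198.51.100.7 dst=sbc-mgmt-01 result=success
2025-03-05T03:15:52Z auth user=vendor-svc src=198.51.100.7 dst=billing-db-01 result=success
2025-03-05T03:16:30Z auth user=vendor-svc src=198.51.100.7 dst=hr-fileshare result=failure
2025-03-06T02:30:00Z auth user=alice src=10.0.5.21 dst=billing-db-01 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class VendorPolicy:
    """What one vendor account is contractually allowed to touch."""
    account: str
    allowed_hosts: frozenset          # hosts the vendor services
    allowed_sources: tuple            # ip_network objects for the vendor VPN
    window_start: time                # maintenance window, UTC, inclusive
    window_end: time                  # maintenance window, UTC, exclusive


# Hypothetical policy for the hypothetical vendor account.
DEFAULT_POLICY = VendorPolicy(
    account="vendor-svc",
    allowed_hosts=frozenset({"sbc-mgmt-01", "sbc-mgmt-02"}),
    allowed_sources=(ip_network("203.0.113.0/24"),),
    window_start=time(1, 0),
    window_end=time(5, 0),
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def evaluate_vendor_events(log_text, policy):
    """Return one alert per vendor-account event that violates the policy.

    Each alert lists every reason it failed, so an event that is both off
    the allowlist and from an unexpected source shows up as one finding.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] != policy.account:
            continue  # other accounts are out of scope for this check
        reasons = []
        if ev["dst"] not in policy.allowed_hosts:
            reasons.append("host-not-allowlisted")
        src = ip_address(ev["src"])
        if not any(src in net for net in policy.allowed_sources):
            reasons.append("source-outside-vendor-range")
        t = ev["ts"].time()
        if not (policy.window_start <= t < policy.window_end):
            reasons.append("outside-maintenance-window")
        if reasons:
            alerts.append({
                "ts": ev["ts"].isoformat(),
                "src": ev["src"],
                "dst": ev["dst"],
                "result": ev["result"],   # failed logins are still reported
                "reasons": reasons,
            })
    return alerts


def summarize(alerts):
    """Count how often each violation reason occurred across all alerts."""
    counts = {}
    for a in alerts:
        for r in a["reasons"]:
            counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    found = evaluate_vendor_events(SAMPLE_LOG, DEFAULT_POLICY)
    for a in found:
        print(a["ts"], a["src"], "->", a["dst"], a["result"], ", ".join(a["reasons"]))
    print("summary:", summarize(found))
```

Run against the constructed log, the first two vendor logins are clean, the daytime login is flagged only for the window, and the three events from 198.51.100.7 are flagged for the source range, with the two that reach `billing-db-01` and `hr-fileshare` also flagged as off the allowlist. The point of keeping the policy as data rather than hard-coding it into the detection is that the same allowlist drives both the firewall rules that enforce segmentation and the monitoring that catches the cases where enforcement is missing or misconfigured.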
Regulatory and Policy Questions
This incident raises questions about security requirements for telecommunications vendors. Current regulations focus primarily on telecommunications operators themselves, not the vendors that serve them.
Should vendors with access to critical telecommunications infrastructure face mandatory security requirements? Should regulators require specific detection capabilities that would prevent nine-month dwell times? Should vendors face penalties for security failures that endanger client data?
These questions become more urgent as nation-state threat actors continue targeting telecommunications supply chains. The current regulatory approach may inadequately address risks created by vendor compromises.
The Attribution Challenge
Security researchers note similarities between this attack and Salt Typhoon's previous operations, but definitive attribution requires evidence that may not be available publicly. Attribution challenges include:
Shared Techniques: Different threat groups often use similar tools and methods, making technical attribution difficult.
False Flags: Sophisticated attackers sometimes deliberately plant indicators suggesting a different threat actor conducted the operation.
Limited Visibility: Organizations typically see only their own network compromise, not the broader campaign context that would support attribution.
Classification Concerns: Government agencies may possess attribution evidence but cannot share it publicly without compromising intelligence sources or methods.
Even without definitive attribution, the pattern of telecommunications targeting suggests organized, well-resourced operations consistent with nation-state intelligence activities.
Lessons From This Incident
Several key takeaways emerge:
Detection Capabilities Matter: Nine months represents an unacceptable dwell time for any organization, particularly one serving critical infrastructure. Investment in security monitoring pays dividends by reducing the window attackers have to accomplish their objectives.
Supply Chain Security Requires Attention: Organizations must extend security requirements beyond their own perimeters to vendors with access to sensitive systems or data.
Transparency Builds Trust: Ribbon's disclosure, while legally required, provides clients and partners with information needed to assess their own risk. Companies that hide or minimize breaches damage their credibility more than honest disclosure does.
Telecommunications Targeting Continues: The pattern of attacks on telecommunications infrastructure shows no signs of decreasing. Organizations in this sector should assume they face sophisticated, persistent threats.
Vendor Security Varies: Not all vendors maintain equivalent security programs. Organizations should assess vendors based on their actual security capabilities, not their marketing claims or compliance certifications.
Looking Forward
Telecommunications infrastructure will continue attracting nation-state threat actors seeking intelligence access. Vendors serving this sector must recognize they operate in a high-threat environment and implement security programs appropriate to that risk level.
Ribbon's nine-month detection gap suggests the company's security program was inadequate for the threats it faces and the sensitive clients it serves. Whether the company can rebuild client trust depends on how it responds—not just to this specific incident, but through sustained investment in security capabilities that prevent future compromises and detect intrusions much faster.
For the broader telecommunications sector, this incident reinforces the need for robust vendor risk management, enhanced detection capabilities, and information sharing about threats targeting the industry. As attacks on telecommunications infrastructure persist, organizations must treat vendor security as seriously as their own internal security programs.
The next telecommunications breach is likely already underway. The question is whether organizations will detect it in days rather than months, and whether they've implemented security controls that limit attackers' access to only what they need for legitimate business purposes. Ribbon's experience demonstrates the costs of inadequate security—nine months of undetected access, client data exposure, regulatory scrutiny, and reputational damage that may take years to repair.