
Nation-state attackers have infiltrated Ribbon Communications, one of the telecom industry’s leading providers of cloud services, communications software, and network solutions – including for clients such as BT, Verizon, Deutsche Telekom, Tata, and more.
What’s more, it appears the unnamed state-sponsored hackers may have been inside Ribbon's systems for almost a year.
The real-time communications technology company provides secure cloud communications and IP and optical networking solutions to enterprises and critical infrastructure sectors globally, according to the Ribbon Communications website.
Ribbon Communications is based in Texas, and dozens of major companies use its services, from telecoms to banking to government – including the US Department of Defense – making a nation-state attack much more unnerving, although the report lists only "three affected customers."
The breach was first reported in the company’s 10-Q third-quarter financial performance report filed with the US Securities and Exchange Commission on October 23rd.
“In early September 2025, the Company became aware that unauthorized persons, reportedly associated with a nation-state actor, had gained access to the Company’s IT network,” Ribbon Communications said in a “Cybersecurity Incident Disclosure” on page 57 of the 58-page 10-Q report.
“The Company has preliminarily determined that initial access by the threat actor may have occurred as early as December 2024,” the report stated, adding that the date of initial unauthorized access would be ultimately determined when the ongoing investigation is completed.
Ryan McConechy, CTO of Barrier Networks, says, “This latest breach against a major telecommunications provider is further evidence that the online world has become the preferred playing field for all adversaries today.”
“We don't know which nation state is behind the attack, or what their MO was, but the fact that they were inside the network for as long as a year before being noticed is deeply concerning,” McConechy points out.
"This could also suggest the attack was executed out of China, as their attackers often rely on living off the land and stealthy techniques to stay under the radar for as long as possible, allowing them to conduct reconnaissance which can advance their objectives in the future," McConechy explains.
A Ribbon spokesperson told Reuters there is no evidence to date that the incident would give hackers access to customer systems and the company was not aware of any government customers being impacted.
Dozens of major companies use Ribbon services
Ribbon products enable users to transform fixed, mobile, and enterprise networks from legacy environments to secure IP and cloud-based architectures, according to HG Insights.
Telecom service providers, many located in the US, use Ribbon Communications to support their infrastructure, including Verizon, AT&T, Comcast, BT, CenturyLink, Deutsche Telekom, Softbank, TalkTalk, and Tata.
The US Department of Defense, the City of Los Angeles, and the University of Texas are listed as customers, as well as the Bank of America, JPMorgan Chase, and Wells Fargo.
Leading technology partners include Palo Alto Networks, HPE, Intel, Ericsson, Fortinet, Cellusys, and F5 Networks, an applications security company which reported its own nation-state breach earlier this month, believed to be China-linked.
McConechy says even though Ribbon has stated it doesn't believe any government customers were impacted, this needs to be verified fully.
“As we have seen with Salt Typhoon, Chinese threat actors have targeted major telco providers in the past with the specific objective of eavesdropping and collecting data on high-ranking officials in government, so it must be made clear whether or not this form of spying has occurred,” the CTO says.
"As nation-state threat actors focus their attention on targeting critical infrastructure and other telco firms, it is essential these organizations are prepared for these assaults. The UK government recently updated its Cyber-Code of Practice for Telcos, so following the outlined recommendations is a vital first step," McConechy adds.
Some Ribbon customer files accessed
In a statement sent to Cybernews, the company said it “prides itself on its long-standing partnerships with customers, and we know that security is a paramount concern within their networks.”
Ribbon Communications said upon learning of the intrusion, it “promptly initiated its incident response plan, contacted federal law enforcement, and began working with multiple third-party cybersecurity experts to investigate.”
Ribbon also believes the threat actors were successfully kicked out of its networks, and says that “at this point in the investigation, we have found no evidence that the attackers accessed customer systems or any other material company information.”
Still, the company noted that “several customer files saved outside of the main network on two laptops do appear to have been accessed by the threat actor.”
However, it did not name which customers were impacted, only that they had already been notified. Reuters reported that "four older files" were accessed.
Ribbon additionally said it has taken immediate preventative steps and further hardened its network to prevent any future incidents. “We sincerely regret any concern this may cause and have been in direct contact with the three affected customers,” the statement said.
The Chinese embassy in Washington told Reuters it was not familiar with this situation and that "China opposes hacking and combats it in accordance with the law," also calling the US "the world's No. 1 hacking state."