date 2025-10-31

A supply chain attack credited to an unspecified nation-state actor on telecom backbone provider Ribbon Communications has security pros comparing the incident to the 2021 Colonial Pipeline attack, where threat actors targeted the supply chain of the oil and gas industry.

In an Oct. 23 filing with the Securities and Exchange Commission, Ribbon Communications reported that the company became aware of the cybersecurity incident in early September 2025.

While Ribbon Communications said in the filing that it believes it has terminated the threat actor's unauthorized access, it also said the initial access may have occurred as early as December 2024.

“Several customer files saved outside of the main network on two laptops do appear to have been accessed by the threat actor and those customers have been notified by the company,” said Ribbon Communications in the filing.

Ribbon Communications serves a wide range of clients, including major telecommunication companies such as Verizon, BT, Deutsche Telekom, and CenturyLink, as well as the U.S. Department of Defense and large U.S. cities like Los Angeles.

“The cyberattack on Ribbon Communications, particularly when viewed alongside the recent F5 breach, is suggestive of state-sponsored cyber espionage originating from China, targeting the critical infrastructure supply chain,” said Ted Miracco, chief executive officer at Approov.

Miracco added that while little is yet known about the exploit used in the Ribbon Communications attack, both Ribbon Communications and F5 explicitly attributed the attacks to a nation-state threat actor. In the case of network security vendor F5, Miracco said external reports explicitly pointed to China-linked groups. In the Ribbon Communications case, Miracco said the general "attack profile" points to China, which has a history of sophisticated cyber campaigns targeting global telecommunications.

“Both attacks featured an exceptionally long period of unauthorized access; this long dwell time is a hallmark of sophisticated cyber espionage campaigns aimed at silent data exfiltration and maintaining a persistent, strategic presence,” said Miracco. “I wouldn't be surprised to see more of these uncovered in the next three to six months, and it's possible they will all trace back to the same root vulnerability.”

John Carberry, solutions sleuth at Xcape, Inc., added that the recent compromise of Ribbon Communications, allegedly by a nation-state actor, mirrors the strategic vulnerability exposed by the Colonial Pipeline attack. Carberry said attackers are increasingly focusing on critical supply chain vendors to gain broad access to essential infrastructure.

“Ribbon's significant integration with major U.S. telecom carriers, government entities like the Department of Defense, and leading financial institutions makes the extended period of undetected activity, starting in December 2024, especially concerning,” said Carberry. “This pattern is consistent with known Chinese espionage campaigns, such as Salt Typhoon, which prioritize long-term presence within telecom networks to gather strategic intelligence.”

Carberry said although Ribbon claims minimal customer data was accessed, the real risk lies in the possible theft of network blueprints and operational data, which could enable future, more damaging attacks on the entire U.S. communications network.

Mark Townsend, chief technology officer at AcceleTrex, pointed out that while it's not yet publicly known if Ribbon was actively using Erlang/OTP, it’s likely they are. Major telecoms use Erlang/OTP to build enterprise applications.

Townsend said that, looking at Ribbon's past, the companies it acquired have long-documented histories of using Erlang for their call-processing products and network switches. Townsend pointed to Nortel elements that were acquired by Genband, which was then merged with Sonus to create Ribbon in 2017.

“Hackers have a long history of building profiles on their targets and likely used Erlang vulnerabilities to break in, but this is speculative and I'm sure we'll hear more as certain details emerge over time,” said Townsend.