
How AI can help networks develop ‘pocket presence’


COMMENTARY: Telecommunication networks are built to keep going. Core services are monitored continuously, traffic gets rerouted automatically, and reliability governs day‑to‑day decisions. These systems are designed to absorb constant change without drawing attention to themselves.

Over the past few years, the most serious campaigns against telecoms have used that resilience to their advantage. They’ve gone after infrastructure layers (network devices, management planes, virtualization stacks) and then stayed there quietly, often for months or longer. That’s the through‑line in public reporting on Salt Typhoon, which authorities continue to describe as still active even after it touched operators across more than 80 countries. 


A similar pattern appears in UNC3886, an advanced threat actor that has specialized in attacking edge devices and virtualized environments. Singapore’s response took about 11 months because pulling systems offline to rebuild or conduct a full forensic teardown wasn’t on the table. Malware families like BPFDoor are engineered for exactly this setting: activation on “magic” packets, kernel‑level stealth, and long dwell in the Linux‑based environments common to telcos.

What these cases share isn’t a particular technique so much as a detection problem. The most consequential intrusions live inside normal network operations, quietly collecting signaling, routing, configuration, topology and mobility data that underpin enterprise, government and cross‑border communications. The challenge: learn how to see that embedded presence early, before time turns it into leverage.

Why visibility lags

Configuration updates in telecom networks propagate across regions, administrative access spans time zones, and systems are tuned and patched while traffic flows. In that environment, the management surfaces operators rely on to keep networks healthy are the same places long‑dwell actors prefer to sit, because their actions remain plausible for extended periods.

This challenge gets amplified by scale and layering. Telecom providers aren’t defending a single system, but thousands of interconnected network functions, management systems and compute environments deployed across multiple data centers and regions. Persistence can hide across layers, where individual systems behave as expected while the environment as a whole quietly gets traversed. 

Regulators are also expecting early actions, before anything visibly breaks. In Singapore, critical infrastructure providers are now required to report suspected advanced persistent threat (APT) activity to prevent quiet intrusions having national impact. Guidance from U.S. agencies and requirements under Europe’s NIS2 Directive similarly emphasize earlier reporting and deeper visibility into management and configuration activity, even when services remain stable.

Built for telecom

Against that backdrop, three factors distinguish telecom visibility from generic monitoring:

  • Placement: Decisions and telemetry need to originate inside the network elements where services run, with visibility into the surrounding management and control-plane traffic, so teams can interpret behavior in its full operational context. Salt Typhoon made clear how infrastructure‑level footholds turn into long‑term adversary presence when this isn’t in place.
  • Context: Activity in the system gets interpreted against maintenance windows, regional rhythms, interconnect behavior, intercept workflows, and expected sequences, so individually valid actions are flagged when the sequence, actor or timing goes sideways. Singapore’s months‑long cleanup showed how exact and context‑aware eviction has to be while the country keeps making calls.
  • Control at the point of action: Access, change and control operations need real-time visibility and evaluation as they occur, because that’s where persistence forms. Once decisioning shifts to periodic or off‑band checks, implants like BPFDoor gain the space they need to persist.
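As an added illustration of the “context” factor above (example code written for this column, not Nokia’s or any product’s), the evaluator below scores management‑plane change events against a hypothetical maintenance‑window table, an expected change sequence and the operator groups normally active per region, so a change that is valid on its own is still flagged when its timing, actor or ordering does not fit. All windows, groups, device names and events are constructed.

```python
from collections import namedtuple
from datetime import datetime, time

# One management-plane action as a change-audit feed might expose it (constructed schema).
ChangeEvent = namedtuple("ChangeEvent", "ts actor region action target")

# Hypothetical operational context a telco would derive from its own change process:
# per-region maintenance windows, the expected order of a routine config push,
# and which operator groups normally touch each region.
MAINT_WINDOWS = {"eu-west": (time(1, 0), time(5, 0)), "ap-sg": (time(2, 0), time(6, 0))}
EXPECTED_SEQUENCE = ["ticket_open", "config_backup", "config_apply", "config_verify"]
REGION_ACTORS = {"eu-west": {"neteng-eu"}, "ap-sg": {"neteng-sg"}}

def in_window(ev):
    start, end = MAINT_WINDOWS[ev.region]
    return start <= ev.ts.time() <= end

def evaluate(events):
    """Flag events that are valid on their own but break sequence, timing or actor
    expectations. Returns [(event, [reasons])] in time order."""
    findings, progress = [], {}          # progress: target -> steps seen in the current cycle
    for ev in sorted(events, key=lambda e: e.ts):
        reasons, done = [], progress.setdefault(ev.target, [])
        if ev.action in EXPECTED_SEQUENCE:
            prior = EXPECTED_SEQUENCE[:EXPECTED_SEQUENCE.index(ev.action)]
            missing = [s for s in prior if s not in done]
            if missing:
                reasons.append("sequence: %s without %s" % (ev.action, ", ".join(missing)))
            done.append(ev.action)
            if ev.action == EXPECTED_SEQUENCE[-1]:
                progress[ev.target] = []     # cycle complete; start fresh for this target
        if ev.action == "config_apply" and not in_window(ev):
            reasons.append("timing: config_apply outside %s maintenance window" % ev.region)
        if ev.actor not in REGION_ACTORS.get(ev.region, set()):
            reasons.append("actor: %s does not normally operate in %s" % (ev.actor, ev.region))
        if reasons:
            findings.append((ev, reasons))
    return findings

# Constructed sample: one routine push (clean) and two changes that read as normal in isolation.
SAMPLE = [
    ChangeEvent(datetime(2024, 3, 1, 1, 30), "neteng-eu", "eu-west", "ticket_open", "rtr-a"),
    ChangeEvent(datetime(2024, 3, 1, 1, 40), "neteng-eu", "eu-west", "config_backup", "rtr-a"),
    ChangeEvent(datetime(2024, 3, 1, 1, 50), "neteng-eu", "eu-west", "config_apply", "rtr-a"),
    ChangeEvent(datetime(2024, 3, 1, 2, 0), "neteng-eu", "eu-west", "config_verify", "rtr-a"),
    ChangeEvent(datetime(2024, 3, 1, 14, 10), "neteng-eu", "eu-west", "config_apply", "rtr-b"),
    ChangeEvent(datetime(2024, 3, 1, 3, 5), "svc-backup", "ap-sg", "config_apply", "sgw-1"),
]
```

Calling `evaluate(SAMPLE)` leaves the four-step push on rtr-a unflagged and returns the sgw-1 apply (unexpected actor, no prior steps) and the rtr-b apply (outside the window, no prior steps), each with its reasons.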

From detection to decision

AI earns its place in telecom security because it can maintain continuous awareness of what “normal” looks like as the network evolves, flagging deviations early while everything still appears to work. AI models interpret patterns across endpoint behavior, control‑plane signaling and live network traffic, connecting actions that appear legitimate in isolation into a coherent signal of malicious presence. That capability directly addresses the blind spots long‑dwell campaigns rely on.

AI also shortens the distance between activity and understanding, surfacing context early enough to act without destabilizing service. Threat hunting becomes a continuous practice that actively challenges activities that look legitimate in isolation but don’t hold up once full network context is applied.

In American football, “pocket presence” means the quarterback sensing pressure and choosing to run or throw before the space collapses. Telecom security needs the same mindset. Most threats show up while services still look healthy, and they do so while traffic must keep flowing. Detection has the most impact when it arrives in that live window, preserving decision space. It’s when security moves from post-incident explanation to real‑time control, deciding what continues and what gets cut off, without stopping the play and before adversary access turns into leverage.

Nelson Silva, senior product manager, cybersecurity, Nokia

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
