Ribbon Communications Breach Exposes Nation-State Hacking Infiltration

Ribbon Communications, a leading provider of telecommunications services to both government entities in the U.S. and telecom companies globally, recently disclosed a major security breach that compromised its IT network as far back as December 2024.

Specializing in networking solutions and secure cloud communications for telecommunications companies and critical infrastructure organizations around the world, Ribbon boasts a workforce of over 3,100 individuals spread across 68 offices worldwide. Its clientele includes prominent names such as the City of Los Angeles, the Los Angeles Public Library, the University of Texas at Austin, and major telecom providers like Verizon, CenturyLink, BT, Deutsche Telekom, Softbank, and TalkTalk.

In an official filing with the U.S. Securities and Exchange Commission (SEC) on October 23, Ribbon detailed the timeline of events, revealing that the breach was only detected in September 2025, despite evidence suggesting unauthorized access as early as December 2024.

Ribbon stated, “In early September 2025, the Company became aware of unauthorized access by individuals reportedly linked to a nation-state actor to its IT network.” The ongoing investigation has led the company to believe that the breach may have originated in December 2024, with final conclusions pending the completion of the probe.

Collaborating with third-party cybersecurity experts and federal law enforcement, Ribbon is diligently investigating the breach. While no evidence of data theft has been uncovered, the hackers did manage to access files belonging to several customers, stored on two laptops separate from Ribbon’s primary network.

Despite the anticipated costs associated with the breach investigation and network fortification efforts in the fourth quarter of 2025, Ribbon does not foresee these expenses as significant. The company has refrained from attributing the cyberattack to a specific threat actor or hacking group, although similarities to previous telecom breaches linked to China’s Salt Typhoon cyber-espionage group have been noted.

Last year, CISA and the FBI confirmed the involvement of Chinese state hackers in breaches affecting multiple telecom providers globally. Companies such as AT&T, Verizon, Lumen, Consolidated Communications, Charter Communications, and Windstream were among those targeted. Comcast, Digital Realty, and Viasat also fell victim to the Salt Typhoon hacking group’s activities.

46% of environments had passwords cracked, nearly doubling from 25% last year.

Access the Picus Blue Report 2025 for a detailed analysis of prevention, detection, and data exfiltration trends.

Get the Blue Report 2025