Another security breach involving US telecom companies has come to light, with a third-party contractor that interfaces between some of the industry’s big names reporting discovery of unauthorized access to their systems by nation-state hackers that began in late 2024 and continued through much of 2025.
It is important to note that the impacted contractor, Ribbon Communications, is only reporting that three of its “smaller customers” were subsequently breached and that the known access was limited to several “older” customer files saved outside of the network on two laptops. But concerns are high given the involvement of nation-state hackers and the fact that Ribbon also works with the telecom industry’s major service providers.
Security breach comes during string of telecom attacks attributed to China
Ribbon did not specify from where the nation-state hackers came, but anything involving telecoms will naturally shift suspicion to China’s advanced persistent threat (APT) groups. Groups like Salt Typhoon have now spent much of the last two years racking up repeated and extended security breaches of major carriers such as T-Mobile, Verizon and AT&T. The long dwell time also fits the MO of these groups, with Ribbon reporting first intrusion in December 2024 and a breach window that lasted until only very recently.
Ribbon is based in Texas and provides software and service solutions for voice and data connection between assorted tech platforms and environments. The company has not disclosed which of its clients were impacted by the security breach, and says that its investigation is ongoing and that it is continuing to work with third-party experts. At the moment it says that there is no evidence that government clients were breached or that the hackers had access to any additional customer systems. Ribbon lists Verizon and Softbank among its customers, as well as the U.S. Defense Department and the City of Los Angeles, but it is very unlikely any of these would qualify as its “smaller clients.”
The security breach was revealed due to mandatory filing requirements in the company’s most recent quarterly report, which indicates it did not discover the hackers until September 2025. The report and follow-up information available thus far lack sufficient detail to determine exactly what the nation-state hackers were doing in the company network for such a long period of time, if they were not able to access the “bigger fish” among Ribbon’s client list.
Nation-state hackers continue to flex their capability amidst geopolitical tensions
Though there is as of yet no link to Salt Typhoon, or any other Chinese nation-state hackers, it is hard not to think of the group after its quiet rampage through the US telecoms since 2023. That campaign included all three of the big US mobile phone service providers, but was not limited to them; the hackers were also implicated in security breaches of cybersecurity firm F5, from whom they stole source code for the widely used BIG-IP product line, satellite internet provider ViaSat, and an Army National Guard network used for communication between units in different states.
For its part, China denies (as it always does) that it has any involvement with the nation-state hackers. But these appraisals come not just from the likes of FBI and CISA, but also from numerous independent security researchers. The Chinese nation-state hackers have also been spotted in a number of other countries during their espionage campaigns, with those governments also attributing attacks to them.
The news also comes as China and the US wrapped up a trade meeting that led to a new preliminary agreement, in what was the first face-to-face meeting by presidents of the two nations since the prior Trump term. Though national security came up in the form of a new commitment by China to clamp down on exports of fentanyl precursor chemicals, something that in part got it a 10% tariff reduction, cybersecurity and espionage does not appear to have been discussed much if at all in this round of talks.
Several days prior to the meeting, China’s Ministry of State Security (MSS) took to popular social media app WeChat to accuse the US National Security Agency (NSA) of hacking its National Time Service Center repeatedly between 2022 and 2024. It claimed that one of these attacks, running from about mid-2023 to mid-2024, was an attempt to disable the timing system (relied on by assorted government agencies and critical infrastructure companies) that was ultimately thwarted by Beijing’s cybersecurity teams. It also accused the US of “coercing” other countries to “hype up” security breaches widely attributed to its nation-state hackers, and called the US the “greatest source of chaos in cyberspace.”
Ribbon has indicated that it has hardened its network security in response to the incident. Damon Small, Board of Directors at Xcape, notes some of the possible consequences of the nation-state hackers continuing to exploit this security breach: “The main concern is the possible exposure of network architectural data and communication routing information that may be used for future, more disruptive attacks on US vital infrastructure, even though the business claimed that only a few “older files” on two computers were read. When your backbone vendor gets burned, the fire can travel. Assume exposure, verify trust, and monitor every path out.”

