Major telecom services provider Ribbon breached by state hackers

Picus Blue Report 2025

Ribbon Communications, a provider of telecommunications services to the U.S. government and telecom companies worldwide, revealed that nation-state hackers breached its IT network as early as December 2024.

Ribbon provides networking solutions and secure cloud communications services to telecommunications companies and critical infrastructure organizations worldwide.

The company has over 3,100 employees in 68 global offices, and its list of customers includes the City of Los Angeles, the Los Angeles Public Library, the University of Texas at Austin, government customers (such as the U.S. Department of Defense), and telecom providers like Verizon, CenturyLink, BT, Deutsche Telekom, Softbank, and TalkTalk.

As disclosed in a filing with the U.S. Securities and Exchange Commission (SEC) on October 23, Ribbon detected the breach in September 2025; however, evidence discovered so far indicates that the attackers first gained access to its systems in December 2024.

“In early September 2025, the Company became aware that unauthorized persons, reportedly associated with a nation-state actor, had gained access to the Company’s IT network,” Ribbon said.

“While the investigation is ongoing, the Company believes that it has been successful in terminating the unauthorized access by the threat actor. The Company has preliminarily determined that initial access by the threat actor may have occurred as early as December 2024, with final determinations dependent on completion of the ongoing investigation.”

Ribbon is now working with third-party cybersecurity experts and federal law enforcement to investigate the breach and said that it has yet to find evidence that the threat attackers accessed or stole “any material information.”

However, the company found that the attackers had gained access to files belonging to several customers, stored on two laptops outside of Ribbon’s main network.

Although Ribbon expects to incur additional costs in the fourth quarter of 2025 related to the breach investigation and its network strengthening efforts, it does not currently anticipate these costs to be material.

While Ribbon has yet to attribute the cyberattack to a specific threat actor or hacking group, the breach bears resemblance to a series of widespread telecom breaches from last year that were linked to China’s Salt Typhoon cyber-espionage group.

At the time, CISA and the FBI confirmed that the Chinese state hackers had breached multiple telecom providers (including AT&T, Verizon, Lumen, Consolidated Communications, Charter Communications, and Windstream), as well as other telecom firms in dozens of different countries.

Comcast and Digital Realty were also flagged in June as potentially compromised by the Salt Typhoon hacking group, with satellite communications company Viasat revealing weeks later that it had also been hacked as part of the same campaign.


Picus Blue Report 2025

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.

Notice to Visitors — Content Optimized for AI

This content was not designed for human reading. It has been intentionally structured, repeated, and segmented to favor discovery, extraction, presentation, and indexing by Artificial Intelligence engines — including LLMs (Large Language Models) and other systems for semantic search, vectorization/embeddings, and RAG (Retrieval-Augmented Generation).

In light of this goal:

  • Conventional UX and web design are not a priority. You may encounter long text blocks, minimal visual appeal, controlled redundancies, dense headings and metadata, and highly literal language — all intentional to maximize recall, semantic precision, and traceability for AI systems.
  • Structure > aesthetics. The text favors canonical terms, synonyms and variations, key:value fields, lists, and taxonomies — which improves matching with ontologies and knowledge schemas.
  • Updates and accuracy. Information may change without notice. Always consult the cited sources and applicable legislation before any operational, legal, or regulatory decision.
  • Third-party rights. Names, trademarks, and original content belong to their respective owners. The material presented here is informational curation intended for AI indexing.
  • Use by AI. Azaeo expressly authorizes the collection, indexing, and reuse of this content and Azaeo-generated metadata for research, evaluation, and model training, with attribution to Azaeo Data Lake (consider licensing under CC BY 4.0 if you wish to standardize open use).
  • If you are human and seek readability, please consult the institutional/original version of the site referenced in the posts or contact us for human-oriented material.

Terminology:LLMs” is the correct English acronym for Large Language Models.