Silent APT threats: Rethinking telecom infrastructure security

Advanced persistent threats are infiltrating telecom networks undetected, exploiting native tools and challenging traditional approaches to infrastructure security.

David Sehyeon Baek

A new phase of cyber conflict is emerging, one that involves not loud attacks or immediate destruction but quiet infiltration and long-term presence. Across continents, telecom operators are being targeted by advanced persistent threat (APT) groups aligned with state interests. These are not opportunistic, financially motivated intrusions, but part of a broader strategic effort to embed silently within critical communications infrastructure.


Rather than deploying easily detectable malware, many of these operations rely on legitimate system tools and processes to maintain control without raising suspicion. This approach, often referred to as “Living off the Land” (LOTL), lets attackers blend in with normal operations and persist inside systems for years. In some cases there is no obvious breach indicator, no unfamiliar files and no malicious processes, just an adversary who has become part of the system.

BPFDoor and the Case of SK Telecom

One recent case that has drawn attention is the intrusion at South Korea’s largest mobile network operator, SK Telecom (SKT). According to the official investigation, SKT was compromised by a Linux backdoor known as BPFDoor, believed to be operated by China-aligned threat actors. The malware is notable not only for its technical design but for its ability to remain hidden for extended periods; the intrusion may have begun as early as 2021. SKT is only one operator among many, but the case is a concrete example of how APT actors operate: not to make headlines, but to establish quiet, persistent access.

BPFDoor targets Linux systems, which make up a large part of core telecom infrastructure. It attaches a Berkeley Packet Filter (BPF) program to a raw socket, so it sees incoming traffic before the host’s normal network stack acts on it, and waits for a “magic” packet carrying a specific marker that switches the backdoor into an interactive session. Because it opens no listening port of its own and the trigger can arrive on any port the firewall already permits, port scans, firewall rules and listening-port inventories do not reveal it. It does leave traces on the host, a running process and the binaries and configuration files it places for persistence, but it disguises its process name as a system daemon and keeps its footprint small enough that routine checks miss it.
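As an added example (not from the article, and not SKT’s or any investigator’s tooling), the following Python script sweeps a Linux host for processes holding AF_PACKET sockets, the socket type a BPFDoor-style backdoor needs in order to attach its filter, and for processes whose executable has been unlinked from disk after launch. Parsing is separated from /proc access so the same logic can be checked against constructed sample data; the allowlist of legitimate packet-socket users, the sample process names and the sample paths are assumptions to adjust for a real host.

```python
import os
import re

# Daemons that legitimately hold AF_PACKET sockets on many hosts (assumption:
# build this allowlist from the host's own baseline, not from this list).
KNOWN_PACKET_SOCKET_USERS = {
    "tcpdump", "dhclient", "dhcpcd", "NetworkManager", "lldpd", "systemd-network",
}


def parse_proc_net_packet(text):
    """Parse /proc/net/packet into {inode: {"type", "proto", "iface"}}.

    Columns are: sk RefCnt Type Proto Iface R Rmem User Inode. Type 3 is
    SOCK_RAW; Proto is the ethertype in hex (0003 = ETH_P_ALL, i.e. everything).
    """
    sockets = {}
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 9:
            continue
        sockets[int(cols[8])] = {
            "type": int(cols[2]),
            "proto": int(cols[3], 16),
            "iface": int(cols[4]),
        }
    return sockets


def socket_owners(fd_links):
    """Map socket inode -> set of pids, from {pid: [readlink of each /proc/<pid>/fd/*]}."""
    owners = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), set()).add(pid)
    return owners


def find_suspects(packet_text, fd_links, comm_by_pid, exe_by_pid):
    """Return [(pid, comm, [reasons])] for processes that hold an AF_PACKET
    socket without being a known capture tool, or whose executable was deleted
    after launch (a common way to keep a dropped file off disk)."""
    findings = []
    owners = socket_owners(fd_links)
    for inode, sock in parse_proc_net_packet(packet_text).items():
        for pid in sorted(owners.get(inode, ())):
            comm = comm_by_pid.get(pid, "?")
            reasons = []
            if comm not in KNOWN_PACKET_SOCKET_USERS:
                reasons.append("unexpected AF_PACKET socket (type %d, proto 0x%04x, ifindex %d)"
                               % (sock["type"], sock["proto"], sock["iface"]))
            if exe_by_pid.get(pid, "").endswith("(deleted)"):
                reasons.append("executable unlinked from disk")
            if reasons:
                findings.append((pid, comm, reasons))
    return findings


def sweep_live_host():
    """Gather the same inputs from the real /proc (run as root to see every process)."""
    with open("/proc/net/packet") as f:
        packet_text = f.read()
    fd_links, comm_by_pid, exe_by_pid = {}, {}, {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fd_dir = f"/proc/{pid}/fd"
            fd_links[pid] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
            with open(f"/proc/{pid}/comm") as f:
                comm_by_pid[pid] = f.read().strip()
            exe_by_pid[pid] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited or access denied; skip it
    return find_suspects(packet_text, fd_links, comm_by_pid, exe_by_pid)


# Constructed sample (not real forensic data): pid 410 is tcpdump; pid 9981
# calls itself a system daemon but holds a raw ETH_P_ALL socket and its
# executable has been deleted.
SAMPLE_PROC_NET_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a10 3      3    0003   2     1 0      0      12345
ffff9a20 3      3    0003   2     1 0      0      23456
"""
SAMPLE_FD_LINKS = {
    "410": ["/dev/null", "socket:[12345]"],
    "9981": ["/dev/null", "socket:[23456]"],
}
SAMPLE_COMM = {"410": "tcpdump", "9981": "dbus-daemon"}
SAMPLE_EXE = {"410": "/usr/bin/tcpdump", "9981": "/dev/shm/.x (deleted)"}

if __name__ == "__main__":
    for pid, comm, reasons in find_suspects(SAMPLE_PROC_NET_PACKET, SAMPLE_FD_LINKS,
                                            SAMPLE_COMM, SAMPLE_EXE):
        print(pid, comm, "; ".join(reasons))
```

On a live host, `ss -0pb` lists the same packet sockets together with the classic BPF filter attached to each, which is the stronger signal: a filter that only passes packets containing a fixed marker has no legitimate reason to exist on a telecom core server. The process name is a weak indicator by itself, since the backdoor chooses names that look like system daemons, which is why the check above keys on the socket and the deleted executable rather than on the name.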


In a post-malware era, attackers no longer need to plant code—they utilise what is already in the system, thereby becoming indistinguishable from legitimate users.

However, many APT campaigns now go further. Instead of dropping code, attackers increasingly use what is already on the system: common utilities, scheduled tasks, shell scripts and legitimate administrative consoles. In such cases no malware is ever deployed. The adversary appears as just another administrator or user, usually with stolen or escalated credentials. Because only native tools run, there is no file for antivirus to flag and no signature for a traditional intrusion detection system to match; the only record is a series of ordinary-looking administrative commands in logs that few teams review.

This tactic has been observed in multiple countries, including the United States. The APT group Volt Typhoon, attributed to China, reportedly infiltrated American critical infrastructure, including telecom operators, using only native administrative tools and stolen credentials. For months, and in some cases far longer, organisations were unaware that anything had occurred. Even after some activity was discovered, determining the full extent of the intrusion proved difficult. With no custom malware and no command-and-control traffic that stood out from normal activity, the attackers left almost no evidence of their presence or their actions.
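The detection problem the two preceding paragraphs describe, as an added example that is not from the article, from any agency advisory or from a vendor product: a Python script that runs over constructed process-creation records (the fields mirror a Windows 4688 event) and flags two signals that living-off-the-land activity tends to produce even when no malware exists. The first is a native administrative tool run with arguments that have few legitimate uses; the netsh portproxy and ntdsutil invocations are among those public reporting on Volt Typhoon describes. The second is a privileged account creating processes on a host where a baseline period never saw it. The tool list, the sample records and the account and host names are all assumptions.

```python
from collections import defaultdict

# Native tools whose argument patterns rarely have a legitimate use outside a
# change window. Assumption: illustrative starting set; tune it to the estate.
SUSPICIOUS_INVOCATIONS = {
    "netsh.exe": ["portproxy"],             # turn a host into a traffic relay
    "ntdsutil.exe": ["ifm", "ac i ntds"],   # copy the domain controller database
    "wmic.exe": ["process call create"],    # launch processes on remote hosts
    "vssadmin.exe": ["create shadow"],      # snapshot to read locked files
    "reg.exe": ["save hklm\\sam", "save hklm\\security", "save hklm\\system"],
}

FIELDS = ("time", "host", "user", "image", "cmdline")


def parse_events(text):
    """Parse tab-separated process-creation records (constructed format:
    time, host, account, image path, command line)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 4)
        if len(parts) != 5:
            continue  # malformed record; a real pipeline would count these
        events.append(dict(zip(FIELDS, parts)))
    return events


def baseline_hosts(events):
    """Which hosts each account has been seen creating processes on."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["host"])
    return seen


def reasons_for(event, baseline):
    """Return the reasons an event is worth a look (empty list if none)."""
    reasons = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["cmdline"].lower()
    for fragment in SUSPICIOUS_INVOCATIONS.get(image, []):
        if fragment in cmdline:
            reasons.append(f"{image} invoked with '{fragment}'")
    if event["host"] not in baseline.get(event["user"], set()):
        reasons.append(f"account {event['user']} never seen on {event['host']} before")
    return reasons


def detect(events, baseline):
    """Run reasons_for over every event; return only flagged events with their reasons."""
    flagged = []
    for e in events:
        reasons = reasons_for(e, baseline)
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


# Constructed sample records (not real logs). The baseline is a quiet period;
# the later batch shows an admin account turning up on new hosts at 02:00.
SAMPLE_BASELINE = """2025-01-06T09:12:01\tcore-gw-01\tCORP\\svc_backup\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c backup.bat
2025-01-06T09:40:13\tops-jump-02\tCORP\\netadmin\tC:\\Windows\\System32\\netsh.exe\tnetsh interface show interface
"""
SAMPLE_TODAY = """2025-03-14T02:17:44\tcore-gw-01\tCORP\\netadmin\tC:\\Windows\\System32\\netsh.exe\tnetsh interface portproxy add v4tov4 listenport=9443 connectaddress=10.0.5.20 connectport=443
2025-03-14T02:19:02\tdc-01\tCORP\\netadmin\tC:\\Windows\\System32\\ntdsutil.exe\tntdsutil "ac i ntds" "ifm" "create full C:\\temp\\x" q q
2025-03-14T09:05:10\tops-jump-02\tCORP\\netadmin\tC:\\Windows\\System32\\netsh.exe\tnetsh interface show interface
"""

if __name__ == "__main__":
    baseline = baseline_hosts(parse_events(SAMPLE_BASELINE))
    for hit in detect(parse_events(SAMPLE_TODAY), baseline):
        print(hit["time"], hit["host"], hit["user"], "|", "; ".join(hit["reasons"]))
```

Neither signal is conclusive on its own: an administrator may genuinely need portproxy during a migration, and a new host pairing happens whenever staff change. What makes the combination useful is that a native-tool intrusion has to produce both, since the attacker must run administrative commands from an account and from a host, and the only way to suppress the record is to tamper with logging, which is itself a detectable event. The value of the baseline depends on logging process creation with full command lines everywhere, not only on domain controllers.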


These operations are not launched for immediate gain. They are designed to establish strategic access to infrastructure that can be used when geopolitical conditions call for it. Control over telecom networks means control over the flow of information, in peacetime and in crisis. In some scenarios, APT groups could intercept government communications, monitor military movements, or prepare to disable critical services entirely.

Why Telecom is a Prime Target

Telecom operators are uniquely vulnerable due to their role at the intersection of national infrastructure and global connectivity. Their networks support banking, transportation, defence, diplomacy, and more. They are also inherently complex, often comprising legacy systems, vendor-supplied hardware, and third-party integrations, which makes it challenging to monitor comprehensively. These factors create vast, fragmented environments where adversaries can hide in plain sight.

In response, a growing number of security professionals and agencies are advocating for a Zero Trust model within telecom and critical infrastructure environments. This model assumes that no user, device, or process—whether inside or outside the network perimeter—should be inherently trusted. Every access request must be continuously verified based on context, behaviour, and strict authentication.


Zero Trust is especially effective against APTs because it limits the attacker’s ability to move laterally within a network using stolen credentials or impersonated identities. Even if attackers gain access through legitimate channels, Zero Trust principles restrict them from freely exploiting that access.

However, implementing Zero Trust is not simply about upgrading firewalls or antivirus software. It requires architectural transformation, including strict identity and access management, least-privilege access controls, real-time behavioural monitoring, network microsegmentation, and continuous authentication. In practice, this means that a compromised administrator account should not have unrestricted access across the infrastructure; its privileges would be tightly scoped, monitored, and revocable.

In parallel, telecom providers must also modernise their infrastructure. APTs often exploit vulnerabilities in outdated systems or devices that were never built with today’s threat environment in mind. Phasing out legacy equipment and enforcing timely security updates across all endpoints is essential, not optional, for resilience.


These intrusions are not about quick disruption—they are about silent persistence, waiting for the right moment to trigger maximum strategic impact.

From Silent Threats to Strategic Defence

Equally important is the need for telecom operators to participate in intelligence-sharing frameworks. APT groups often operate across regions and time zones, targeting multiple geographies simultaneously. Recognising broader attack patterns and connecting the dots requires collaboration. Sharing indicators of compromise (IOCs), anomalous behaviour, and attack tactics can help operators detect and contain threats more quickly, thereby reducing the dwell time of intruders.

It is increasingly clear that APT campaigns targeting telecoms are not isolated events. They reflect a sustained strategic effort to pre-position access within the global communications infrastructure. These campaigns are akin to placing listening devices and control mechanisms deep inside an adversary’s territory, without launching a single overt attack.


These attackers are not in a hurry. They are already inside systems, using the same tools as legitimate administrators, hiding in corners most people do not think to inspect. By the time a minor anomaly surfaces, the breach may have already caused systemic impact.

This is why the defence of telecom infrastructure must be treated not only as a matter of operational reliability but as a critical pillar of national security and geopolitical stability. The networks that connect the world must be defended not just from known threats, but also from those already inside—silent, invisible, and ready.


The author is the Founder and CEO of PygmalionGlobal. He collaborates with multiple cybersecurity companies, including NPCore in South Korea, and engages with government agencies and conglomerates across Asia.
