Cyble Research & Intelligence Labs (CRIL) has released its Telecommunications Sector Threat Landscape Report 2025, offering a detailed assessment of the cyber threats faced by telecom operators worldwide during the year. The report identifies the telecommunications sector as one of the most heavily targeted industries, attracting sustained interest from cybercriminal groups, ransomware operators, nation-state actors and hacktivist collectives. This heightened threat activity is driven by the sector’s role as critical national infrastructure and the high monetisation value of subscriber Personally Identifiable Information (PII).
According to Cyble’s researchers, 444 telecom-related threat incidents were observed over the course of 2025. These incidents highlight how stolen subscriber data and compromised network access have become commodities actively traded on cybercrime forums. The report also points to a sharp rise in ransomware activity, noting that attacks on telecom organisations have increased four-fold over the past four years. In 2025 alone, 90 ransomware attacks were recorded, attributed to 34 different ransomware groups.
Despite the large number of groups involved, the report finds that ransomware activity in the telecom sector remains highly concentrated. A small cluster of operators (Qilin, Akira and Play) was responsible for nearly 39% of all observed ransomware attacks, underscoring the outsized impact of a few well-resourced and persistent threat actors.
Beyond financially motivated attacks, the report draws attention to the growing scale and sophistication of nation-state cyber espionage. Cyble highlights activity linked to the China-associated Salt Typhoon campaign, which targeted telecom networks to establish long-term persistence and surveillance capabilities. These operations reportedly enabled the theft of sensitive data, including call records, reinforcing concerns about telecom infrastructure being exploited for strategic intelligence gathering.
Commenting on the findings, Mandar Patil, Senior Vice President at Cyble, said that 2025 saw telecom providers facing a convergence of threats ranging from ransomware and espionage to SIM swapping services and large-scale data leaks. He noted that many of these attacks were enabled by the rapid weaponisation of vulnerabilities in internet-facing systems and edge devices, making proactive patching and continuous monitoring critical rather than optional.
Geographically, the report indicates that ransomware attacks were heavily concentrated in the Americas, which accounted for 69% of recorded incidents, with the United States emerging as one of the most targeted markets. Cyble also observed widespread exploitation of known vulnerabilities, including Ivanti flaws tracked as CVE-2025-0282 and CVE-2025-0283, which were leveraged across multiple telecom attacks during the year.
In parallel, the report documents the expansion of a well-developed underground ecosystem supporting telecom-focused cybercrime. This includes thriving markets for initial network access, SIM swapping services and large customer databases, highlighting how cybercriminal operations against telecom providers have become increasingly organised and industrialised.