Nation-state snoops broke into Ribbon Communications - an outfit that provides software and networking gear to Verizon, CenturyLink, and the US Defense Department - last December, remained hidden for about nine months, and stole files belonging to three customers, according to the US telecommunications firm.
"Ribbon prides itself on our long-standing partnerships with our customers and we know that security is a paramount concern within their networks," a spokesperson told The Register. "While we do not have evidence at this time that would indicate the threat actor gained access to any material information, we continue to work with our third-party experts to confirm this."
Ribbon has also taken steps to improve its network security and prevent future intrusions, we're told.
The firm's breach confirmation to The Register follows an October 23 US Securities and Exchange Commission (SEC) filing in which Ribbon said it uncovered the digital intrusion in early September.
"The Company became aware that unauthorized persons, reportedly associated with a nation-state actor, had gained access to the Company's IT network," according to Ribbon's quarterly report.
The filing doesn't identify the attacker and the company's spokesperson declined to say who was responsible for the intrusion, "in keeping with the request of the federal agency assisting Ribbon."
"Several customer files saved outside of the main network on two laptops do appear to have been accessed by the threat actor and those customers have been notified by the Company," according to the SEC filing.
The company spokesperson confirmed the incident impacted three "smaller customers" but declined to name them or identify the sectors in which they operate. "A total of four older files were accessed" is all we've been told.
Ribbon also told the SEC that "multiple" third-party cybersecurity experts and federal law enforcement are assisting with the ongoing clean-up efforts. "While the investigation is ongoing, the Company believes that it has been successful in terminating the unauthorized access by the threat actor," it said.
US Cybersecurity and Infrastructure Security Agency (CISA) spokesperson Marci McCarthy confirmed to The Register that "CISA is aware of Ribbon Communications' disclosure today involving an incident with the company's IT network," and directed any questions about the incident and response to the company.
Ribbon provides communications software and IP Optical networking gear to major service providers including BT, Verizon, Lumen Technologies (formerly CenturyLink), Deutsche Telekom, SoftBank, TalkTalk, and Tata, along with government agencies such as the US Department of Defense, and local governments including the City of Los Angeles, California.
This makes it a high-value target for government-backed snoops looking to attack a carrier network and then use that access to break into its customers' environments. And, at least with the limited amount of detail we have about the intrusion, it sounds similar to recent Salt Typhoon intrusions.
This China-linked espionage crew famously hacked America's major telecommunications firms and government agencies, then stole information belonging to nearly every American. The Salt Typhoon hacks began around 2019, but US authorities did not uncover them until late 2024.
At the time, T-Mobile's US security boss told The Register that the Salt Typhoon cyber-spies hopped between organizations' networks in a way he'd never seen before.
"The technique that was used to go from one telecommunications infrastructure to another, I would say, is novel," T-Mo Chief Security Officer Jeff Simon told us late last year. "That's not something that I've seen in my 15-plus-year career in cybersecurity. It's not something that is well published or read about. There's no CVE for it."