Five security threats to hunt in Radio Access Networks
Modern Radio Access Networks (RAN) are no longer hardware islands; they’re software-defined, virtualized, and deeply interconnected. That agility comes at a cost: a bigger, more complex attack surface that perimeter defenses alone can’t protect. Recent attacks by groups like Salt Typhoon and Weaver Ant show how adversaries exploit “living off the land” tactics and stealthy webshells to slip past defenses and pivot deep into the network.
How confident are you that your radio network hasn’t already been breached?
In this blog, you’ll discover five critical anomalies every telecom operator should hunt for, and why AI-powered threat hunting reveals what routine monitoring misses. These insights come from Nokia’s Advanced Cybersecurity Consulting Services, based on real-world engagements with leading telecom operators, where telco-specific security assessments and proactive threat hunting are now recognized as industry best practices.

Figure 1: Observed cyber kill chain in RAN
1. Brute-force attacks on radio nodes
What it is: Attackers often start by brute-forcing weak or default credentials on radio nodes such as gNBs. If they succeed, they gain a foothold for deeper attacks.
Why it matters: This is a common entry point for campaigns targeting exposed network elements, and it often precedes privilege escalation or lateral movement.
How to hunt: Look for spikes in failed login attempts from single or distributed IPs targeting management interfaces. Use Security Information and Event Management (SIEM) queries to track authentication failures over short time windows and correlate with geolocation anomalies. Example: filter logs for repeated failures on gNB-DU/CU interfaces within a 10-minute window.
2. Lateral movement across the network
What it is: Once inside, attackers aim to move sideways, often through the Network Management System (NMS), to reach more valuable targets.
Why it matters: Compromise of the NMS gives attackers control over multiple network elements, enabling large-scale disruption. Groups like Salt Typhoon and Volt Typhoon have used this tactic.
How to hunt: Watch for accounts behaving oddly, such as an NMS account accessing radio nodes in distant regions or making large-scale configuration changes outside normal hours. Correlation rules in SIEM or Extended Detection and Response (XDR) solutions can highlight unusual authentication paths or privilege use across network segments.
3. Privilege escalation on critical elements
What it is: Attackers rarely settle for basic access; they escalate privileges to gain control over critical systems.
Why it matters: Elevated privileges allow attackers to modify configurations, create new accounts, and execute disruptive commands.
How to hunt: Hunt for accounts suddenly gaining admin rights or performing actions outside their normal role, such as creating new users or modifying system configurations. Compare activity against change-control windows and baseline behaviors. Investigate orphaned or unknown processes running on jump hosts or terminal servers.
4. Unauthorized remote access
What it is: Remote Desktop Protocol (RDP) servers in management environments are prime targets for attackers, often exploited through weak passwords or phishing.
Why it matters: Unauthorized RDP access can lead to ransomware or full network compromise.
How to hunt: Query Windows Event Logs for failed RDP logons (Event ID 4625) and filter for patterns like repeated failures from one IP or multiple accounts. SIEM dashboards can visualize these spikes. Example: create a query for high-frequency failed logins from a single source IP targeting multiple accounts.
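The windowed counting behind the hunts in sections 1 and 4 (repeated gNB login failures within a 10-minute window, and one source IP failing against many accounts in RDP Event ID 4625 records) can be expressed as a single sliding-window pass per source IP. The block below is an added illustration, not code from the post or from Nokia; the event tuples, host names, IPs and the "gnb_auth_fail" event kind are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication-failure events (not real logs):
# (timestamp, source IP, target account, target host, event kind).
# "gnb_auth_fail" stands for a failed login on a gNB-DU/CU management
# interface; "4625" is the Windows failed-logon Event ID named in the post.
SAMPLE_EVENTS = [
    ("2025-03-01T02:00:05", "203.0.113.7", "admin", "gnb-du-01", "gnb_auth_fail"),
    ("2025-03-01T02:01:10", "203.0.113.7", "admin", "gnb-du-01", "gnb_auth_fail"),
    ("2025-03-01T02:02:30", "203.0.113.7", "admin", "gnb-cu-01", "gnb_auth_fail"),
    ("2025-03-01T02:03:45", "203.0.113.7", "admin", "gnb-du-01", "gnb_auth_fail"),
    ("2025-03-01T02:04:50", "203.0.113.7", "admin", "gnb-du-01", "gnb_auth_fail"),
    ("2025-03-01T09:15:00", "198.51.100.4", "jsmith", "mgmt-rdp-01", "4625"),
    ("2025-03-01T09:15:20", "198.51.100.4", "aparker", "mgmt-rdp-01", "4625"),
    ("2025-03-01T09:15:40", "198.51.100.4", "svc_nms", "mgmt-rdp-01", "4625"),
    ("2025-03-01T09:16:00", "198.51.100.4", "operator", "mgmt-rdp-01", "4625"),
    ("2025-03-01T14:00:00", "192.0.2.9", "jsmith", "mgmt-rdp-01", "4625"),  # lone typo
]


def hunt_auth_failures(events, fail_threshold=5, account_threshold=3, window_minutes=10):
    """Slide a per-source-IP time window over failure events and report:
    - ("brute_force", ip, n): n >= fail_threshold gNB login failures in one window
    - ("spray", ip, n): one IP failing against n >= account_threshold distinct
      accounts within one window (the 4625 pattern from section 4).
    Returns one finding per (kind, ip) carrying the highest count observed."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, ip, acct, host, kind in events:
        by_ip[ip].append((datetime.fromisoformat(ts), acct, host, kind))
    best = {}
    for ip, evs in by_ip.items():
        evs.sort()  # the window logic below assumes chronological order
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most window_minutes.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            current = evs[start:end + 1]
            gnb_fails = sum(1 for e in current if e[3] == "gnb_auth_fail")
            rdp_accounts = {e[1] for e in current if e[3] == "4625"}
            if gnb_fails >= fail_threshold:
                best[("brute_force", ip)] = max(gnb_fails, best.get(("brute_force", ip), 0))
            if len(rdp_accounts) >= account_threshold:
                best[("spray", ip)] = max(len(rdp_accounts), best.get(("spray", ip), 0))
    return sorted((kind, ip, n) for (kind, ip), n in best.items())
```

The same shape translates directly into a SIEM correlation rule: group by source IP, bucket into a 10-minute window, and alert on a failure count or a distinct-account count above the threshold.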
5. Rootkits and suspicious binaries
What it is: Advanced attackers hide in plain sight using rootkits that modify system files and kernel modules to stay invisible.
Why it matters: Nokia’s 2025 Threat Intelligence Report highlights that 45% of surveyed telecom security professionals faced threats using custom-built toolkits designed for telecom infrastructure, enabling attackers to maintain stealth for months. These persistence mechanisms often target lawful interception paths and signaling systems, making detection extremely difficult.
How to hunt: Go beyond basic log analysis. Monitor for unexpected changes to system binaries, unknown kernel modules, or unusual API calls. Integrity checks and anomaly detection tools can reveal hooking techniques used by rootkits to intercept system functions. For example, hunt for modifications in kernel-level drivers or unexplained processes tied to critical network components.

Figure 2: Attack behaviors observed by surveyed telecom security professionals
(source: Nokia Threat Intelligence Report 2025)
Why XDR and AI are critical for RAN threat hunting
Effective threat hunting starts with a clear hypothesis, for example that an adversary has gained a foothold in the management network and is now probing for ways to infiltrate the RAN via base stations. From there, the hunt focuses on network traffic and logs originating in the management layer and targeting RAN infrastructure, guided by the latest attack patterns and tactics observed in telecom-specific campaigns.
However, turning a hypothesis into actionable detection requires a multi-layered approach. SIEM platforms remain foundational for aggregating and correlating logs, while SOAR (Security Orchestration, Automation, and Response) accelerates incident response through automation and playbooks. As attacks grow more sophisticated, telecom operators need XDR to unify telemetry across endpoints, networks, and cloud environments, providing the context that SIEM alone cannot.
AI amplifies this stack by detecting subtle patterns, predicting attacker behavior, and reducing false positives at scale. At Nokia, we combine SIEM correlation, SOAR-driven automation, and XDR’s unified detection and response capabilities with AI-powered analytics into a single framework designed for telecom operators. This layered strategy moves beyond reactive monitoring to proactive defense, essential for securing RAN against advanced threats.