Four threats CISOs must clear to keep networks resilient in 2025


In September, as world leaders gathered in New York City for a meeting of the United Nations, the U.S. Secret Service was dismantling a nearby covert telecom network capable of disrupting cell towers, blocking emergency calls and overwhelming mobile networks throughout the metro region.

The discovery highlights the shocking extent to which critical communications can be placed at risk — and serves as yet another warning to not only our industry, but countries across the globe. 

Telecom resilience depends on clean identities, controlled change and orchestrated response. These foundations face new pressures as adversaries strike faster, tune attacks to telecom protocols and push deeper into the systems that keep society connected. Telecom security leaders have seconds, not days, to prevent disruptions.

The latest Nokia Threat Intelligence Report confirms this risk is no outlier. Drawing on live network data, advanced research, and new input from over 160 security leaders, the report reveals that attackers are now moving faster and deeper, targeting the very systems that keep networks running. In this environment, four threats stand out for their speed and impact, demanding urgent attention from CISOs in the months ahead.

1) Stealthy intrusions in the telco core

Adversaries are shifting from opportunistic hits to coordinated, infrastructure-level campaigns. They blend into routine administration, using trusted tools and configuration drift to persist inside lawful interception paths, mobile core signaling, orchestration layers and subscriber databases. 

Across network operators, 63% encountered at least one “living-off-the-land” campaign over the past 12 months, and 32% saw four or more. Malware tailored for telecom infrastructure was reported by 55% of operators, and 45.1% faced custom toolkits. When routine activity becomes the cover, the core becomes a hiding place. As the CISO from one leading CSP in North America said of the high-profile Salt Typhoon attack, “Some of the entry points were put in place years ago, just sitting and waiting for the right moment to trigger.” 

2) DDoS attacks: shorter, more frequent, harder to detect

DDoS storms aren’t just big in terms of traffic volumes; when they happen, they are fast-rising, like a tsunami. Peaks in the 5–10 Tbps range have become a daily norm and can occur in a very short time. 78% of DDoS attacks conclude within five minutes, and more than a third are completed in under two minutes. That’s barely enough time to notice them, let alone react.

What’s driving this attack agility? An evolved attack ecosystem. Residential proxy networks with 100 million+ hijacked home devices (roughly 4% of global broadband) and Mirai-descendant botnets like Eleven11bot (RapperBot) can unleash multi-terabit floods in a few minutes. Resilience now hinges on sub-minute detection and mitigation, ideally triggered from multiple vantage points before the first wave hits.

3) AI‑accelerated offense

Adversaries are using automation and AI to expedite reconnaissance, localize social engineering and morph payloads beyond simple rules. This includes AI-generated phishing and vishing using voice cloning, polymorphic malware that rewrites itself in real time, and exploit generation targeting telecom protocols.

Telecom security leaders are responding in kind, with over 70% now prioritizing AI/ML‑based threat analytics to close the gap between foothold and business impact, bringing predictive models, instant context and governed automation into daily operations.

4) Hidden implants and protocol abuse in telco DNA

Attackers are moving deeper into telecom infrastructure, targeting management planes and telco-native protocols — areas where generic IT security often has blind spots.

The BPFDoor case exposed how severe this risk can be. A kernel-level implant sat undetected for years, waiting for remote commands. When triggered, it contributed to a breach that exposed 26.9 million subscriber records. Once attackers compromise the control layer, the impact doesn’t stop at data theft. It can ripple into network operations, disrupt services, and cause serious reputational damage.

The Tetris reality

In telecom security, each threat is like a Tetris block falling into the network. When core systems are fully protected, DDoS attacks mitigated, AI-driven intrusions detected and zero-days patched, the line clears silently. Doing the job 100% means success is invisible.

Failures, however, pile up quickly. A misconfigured core, an overlooked vulnerability or a delayed response can stack blocks where everyone sees them: in service disruptions, regulatory scrutiny and loss of trust. True resilience shows itself in networks that continue to operate seamlessly and in the confidence that systems are secure, even when no one notices the work behind them.

Explore the data behind these insights

Nokia’s 11th annual Threat Intelligence Report delves deeper into stealthy attacks in the telecom core, DDoS at terabit scale, AI adoption, regulatory timelines, and practical steps for resilience across RAN, transport, and core.


Joern Mewes

About Joern Mewes

Joern Mewes is Head of Cybersecurity Products at Nokia Cloud and Network Services, leading a global team in developing and managing NetGuard cybersecurity products for mission-critical networks. With over 20 years of experience in telecommunications and cybersecurity, he brings deep expertise in network security strategy, architecture and risk assessment.
