Threat Intelligence Report 2025

Latest cybersecurity threats you can’t ignore

Stealth intrusions are reaching the telecom core, DDoS floods hit multi‑terabit peaks within minutes, and cryptography requirements are accelerating.

See what’s changed, what’s at risk, and how the industry is fighting back.

What’s inside the report?

Stealthy campaigns targeting the telco core

Adversaries are shifting from opportunistic hits to coordinated, infrastructure-level campaigns. They blend into routine administration, using trusted tools and configuration drift to persist inside lawful interception paths, mobile core signaling, orchestration layers and subscriber databases.

Across network operators, 63% encountered at least one “living-off-the-land” campaign over the past 12 months, and almost a third saw four or more. When routine activity becomes the cover, the core becomes a hiding place.

DDoS attacks that are faster, stronger, and relentless

DDoS storms aren’t just big in terms of traffic volume; when they happen, they rise fast, like a tsunami. Peaks in the 5–10 Tbps range have become a daily norm and can occur in a very short time. 78% of DDoS attacks conclude within five minutes, and more than a third are completed in under two minutes.

Residential proxy networks with 100 million+ hijacked home devices and Mirai-descendant botnets like Eleven11 can unleash multi-terabit floods in a few minutes.

The report breaks down multi-vector patterns and shows how to design sub-60-second mitigation at the edge to keep traffic flowing.

Insider risk and hygiene gaps driving costly breaches

Nearly 60% of high-cost breaches in telecom stem from insider actions or mistakes, whether malicious or accidental. The report highlights that these incidents are often enabled by gaps in privilege management, credential misuse, and lack of behavioral monitoring. Real-world examples include contractors disabling multi-factor authentication, vendors reusing credentials, and even physical access being exploited to plant rogue devices.

76% of vulnerabilities are due to missing patches. Application flaws, weak passwords, and legacy systems widen the attack surface, making patching and monitoring essential.

Real-world case studies & field data

  • Salt Typhoon and BPFDoor show how attackers can persist undetected for months or years, using device-level exploits and kernel implants that evade standard controls. These cases reveal how routine operations can mask long-dwell threats.
  • Bite Latvija’s DDoS telemetry offers a real-world look at attack frequency and complexity, with thousands of multi-vector attacks per year, most peaking within minutes. Their experience underscores why sub-minute, automated enforcement is now essential for effective DDoS defense.

“Salt Typhoon was the most significant cybersecurity incident we faced in the last 12 months… some of the entry points were put in place years ago, just sitting and waiting for the right moment to trigger.”
CISO, Leading CSP in North America

About Nokia’s Threat Intelligence Report

The Nokia Threat Intelligence Report brings together operational insights from NetGuard and Deepfield, real‑world data from Managed Security Services, research from Nokia Bell Labs, and expertise in cybersecurity consulting and quantum‑safe networking. 

It is enriched with quantitative and qualitative input from 160 telecom security leaders worldwide, providing a nuanced, evidence‑based view of risks and responses.

You’ll find practical recommendations across threat detection and response, AI adoption, DDoS mitigation, regulatory compliance, and quantum readiness to help network operators strengthen resilience.

Actionable insights you’ll gain

Spot stealth attacks in the telco core

Practical ways to baseline privileged behavior and surface “living off the land” activity in lawful interception, subscriber data, and core control systems.

Mitigate short, high‑volume DDoS

Design sub‑minute detection and edge mitigation for multi-vector, multi-terabit DDoS campaigns that peak faster than manual playbooks can react.

Shrink insider and vendor risk

Close high-impact gaps with least privilege, just-in-time access, and continuous third-party validation mapped to telco realities.

Achieve crypto agility, not crypto fragility

Automate certificate lifecycles now and plan post-quantum migration before shortened validity windows trigger outages.

Automate zero-day threat detection

Deploy telecom-aware, ML-based anomaly detection to spot novel threats that traditional tools miss.

Let AI hunt threats for you

Leverage AI to flag subtle, fast-moving attacks, predict attack chains, and auto-trigger playbooks.

Who benefits most from reading?

Security leaders

Understand the latest tactics attackers use to target telecom networks and get practical recommendations to reduce risk and improve response.

Technical teams

Find actionable guidance for detecting stealthy intrusions, responding to DDoS attacks, and closing gaps caused by insider mistakes or poor hygiene.

Risk and compliance professionals

Stay up to date on regulatory changes, cryptography requirements, and operational risks that can lead to outages or penalties.

Related solutions and products

Product

Deepfield Defender

Next-gen, big data and AI-driven DDoS detection and mitigation solution

Topic

DDoS security

Defend your network against botnets and application-layer attacks with AI-driven DDoS security for fast, accurate detection and real-time mitigation.
