Home
/
Blog
/

TelcoSec Talk: A Deep Dive into 2025 Telecom Attacks

Explore the telecom attacks that defined 2025, from Salt Typhoon and SK Telecom to Liminal Panda, and learn what they reveal about segmentation, roaming exposure, lawful intercept risk, and telecom attack paths.

Webinars
May 28, 2026
TelcoSec Talk: A Deep Dive into 2025 Telecom Attacks

2025 made one thing impossible to ignore: telecom networks remain one of the most strategically valuable targets in cybersecurity. The attacks that surfaced this year were not random opportunistic incidents. They were patient, focused, and designed to reach the parts of mobile infrastructure that matter most: management systems, subscriber data, signaling assets, lawful intercept environments, and the trust boundaries operators still depend on.

In this TelcoSec Talk, P1 Security experts El Mehdi Regragui and Kye Grundy broke down the telecom attacks that mattered most in 2025 and explained what operators should actually learn from them. Rather than treating every incident as just another headline, the discussion focused on how attackers got in, how they stayed hidden, what they were after, and why the same weaknesses keep reappearing across telecom environments.

The result is a useful snapshot of the current telecom threat landscape. The lesson is not just that attackers are getting better. It is that telecom environments still give them too many routes to move from initial compromise to operationally sensitive systems.

Why 2025 felt different for telecom security

One of the clearest themes from the discussion was that 2025 did not just produce more telecom incidents. It exposed the real scale of telecom exposure. Pierre opened the session by noting that operators are now under more pressure to be transparent about incidents, and that this is helping the sector see how exposed telecom assets really are. That visibility matters because it shows how strongly attackers are incentivized to target mobile networks and how willing they are to use broad resources to do it.

That context shaped the whole conversation. This was not a generic threat roundup. It was a practical discussion about the attacks that best reveal how modern telecom compromise actually works.

Why SK Telecom was a wake up call

For El Mehdi Regragui, the SK Telecom case stood out as one of the most important telecom attacks to study. His reason was simple: it demonstrated what happens when core security baselines are missing or weak. He pointed to three problems in particular: insufficient network segmentation, weak hardening, and poor ability to detect advanced attackers early enough. According to his explanation, the attackers had been in the network since 2021 and were able to move from internet facing access into operational and management environments, eventually reaching highly sensitive telecom assets such as the HLR or HSS where subscriber secrets could be extracted.

What made the case especially important was not only the duration of the compromise. It was the business impact. Mehdi described SK Telecom as a moment that changed operator thinking. Instead of asking only whether their perimeter was secure, operators began asking a more realistic question: if an attacker is already inside, how far can they get from there? That shift matters because it moves telecom security from a perimeter model toward an assumed breach model, which is much closer to the reality of modern APT activity.

Why Salt Typhoon was one of the most important APT cases of the year

Kye Grundy chose Salt Typhoon as the most striking APT case in the recent telecom landscape. His reasoning focused on two things: the sophistication of the operation and the sensitivity of what the attackers reached. He emphasized that Salt Typhoon was not behaving like a typical financially motivated intrusion. It was a state sponsored espionage operation targeting critical national infrastructure, with objectives that reportedly included access to lawful intercept systems and communications involving high profile government officials.

What made the case especially serious was the level of access combined with the attackers’ ability to remain hidden for an extended period. Kye explained that Salt Typhoon reportedly operated inside multiple telecom networks for over two years while collecting highly sensitive information. The group initially entered through edge network devices such as routers and firewalls, then moved laterally inside and across telecom environments. That pattern matters because it shows how attacks can begin in what looks like standard IP infrastructure but quickly become telecom specific once the attackers identify the right path inward.

How attackers stay hidden inside telecom networks

A major part of the discussion focused on stealth. Kye described several ways sophisticated attackers can remain undetected after gaining access. Some techniques are familiar from enterprise intrusions, such as living off the land and avoiding obvious changes to the environment. The attacker does not always need to drop noisy tooling. They can use what is already present and communicate in ways that blend into the expected baseline.

But telecom adds another layer of difficulty for defenders. Kye explained that telecom networks are already highly complex, with multiple generations of technology coexisting, each with their own interfaces, flows, and operational behavior. In that environment, spotting malicious activity becomes much harder because the background noise is already so rich and varied. He also noted that attackers can hide inside newer cloud native deployments by using containers as pivot points, which becomes especially difficult to detect when logging and security telemetry are still not mature enough in telecom specific containerized environments.

Mehdi added that detection gaps remain a serious structural problem in telecom. In his view, operators still too often lack deep visibility into their own environments, especially on the operational side. He pointed out that some environments still do not deploy EDR broadly or only use it in lab contexts rather than production. He also described how modern malware can use staged loaders, fileless execution, encryption, and persistence tricks such as ICMP or port knocking based activation to stay hidden even longer.

Lawful intercept is a strategic target, but if the attacker reaches it, the failure started earlier

One of the webinar questions addressed lawful intercept directly. Mehdi’s answer was important because it avoided a common analytical mistake. He argued that by the time an attacker reaches lawful intercept, the real defensive failure happened much earlier in the kill chain. The issue is not only whether lawful intercept itself is exposed. The issue is that the attacker was allowed to move far enough through the operator’s environment to reach it.

That point matters because it reinforces the same lesson seen in other telecom incidents. The decisive controls are often segmentation, hardening, access control, and detection at earlier layers. Lawful intercept may be one of the most sensitive targets in the network, but the operational question is how many trust boundaries failed before the attacker got there.

The biggest telecom weaknesses are still basic ones

One of the strongest practical takeaways from the webinar was also one of the least glamorous: attackers still succeed with weaknesses that should already be under control. Mehdi argued that poor network segmentation and default or weak credentials remain two of the most important enablers of telecom compromise. In his description, many attacks begin from internet facing entry points such as edge devices, VPNs, firewalls, or employees reached through phishing or fake job offers. Once inside, flat paths toward OSS or NMS environments create the real problem. If the attacker can bridge from IT into operational management, they can begin to control the telecom environment itself.

His point was blunt and useful: sophisticated APTs will happily use simple weaknesses if those weaknesses work. There is no reason to spend a zero day if default passwords and poor segmentation are already enough to move laterally toward the crown jewels.

Liminal Panda showed why roaming remains a real attack path

The discussion also looked at Liminal Panda, which Mehdi described as especially interesting because it approached operators from the roaming side. In that case, the attack path exploited trust between operators. The group scanned the attack surface exposed through roaming relationships and found management style exposure that should never have been reachable there. Mehdi pointed specifically to external DNS exposed over the roaming perspective and explained that the attackers were able to use this as an entry path, then continue laterally through SSH and other mechanisms toward core systems such as SGSN.

What made the case notable was not only the entry path, but the exfiltration and command and control choices. Mehdi highlighted that data exfiltration over GTP or SS7 and command and control over DNS point to deep telecom awareness. In other words, this was not simply an enterprise intrusion that happened to touch telecom. It was an operation shaped around telecom infrastructure and signaling behavior.

Red teaming demand is increasing because operators now assume compromise

Pierre’s comments during the webinar help explain why more operators are now asking for realistic telecom red team exercises. In his words, compromise is easy enough that operators increasingly need to assume some level of breach and work from there. That is changing how P1’s customers frame security questions. Instead of asking only whether the perimeter is exposed, they want to know what happens if the attacker starts somewhere deeper in the environment and begins moving toward management systems, signaling planes, or subscriber data stores.  

That is a critical shift because it aligns telecom security testing with how APT campaigns actually unfold. Real attackers do not stop where security teams hope they will stop.

Supply chain risk is real, but telecom still struggles with visibility

The webinar also touched on supply chain security and software bill of materials. Kye noted that newer telecom security requirements are increasingly asking vendors to provide better transparency around the components that make up their software, which can help operators understand whether a vulnerable library or open source dependency affects their environment.

Mehdi added a more grounded operational view. In practice, operators and even vendors often still lack complete visibility into the layers of software included in their own products, especially where third party components are nested inside other vendor software. His point was that SBOM helps, but the real challenge is that incomplete visibility makes it difficult to patch what no one fully knows is there.

This is a recurring telecom problem. The architecture is layered, the ownership is fragmented, and the attack surface keeps expanding faster than transparency improves.

Where attackers want to go once they are inside

Later in the discussion, Pierre asked the experts where they would aim if they were already inside an operator environment. Kye’s answer was clear: the network management systems. His reasoning was that privileged access there can give an attacker very broad control across telecom infrastructure. If not that, he pointed to lateral movement toward highly sensitive data stores such as UDR where subscriber keys may be reachable. He connected that directly back to cases like SK Telecom, where access to subscriber keys created major downstream impact.

Mehdi approached the same question from the APT side and again brought the answer back to internet facing access, employee compromise, and movement toward OAM, NMS, and ultimately telecom core functions. His view was consistent throughout the webinar: the attacker often starts in very familiar places, but the real risk begins when weak segmentation lets them cross into operational systems.

New telecom attack surfaces are growing faster than security maturity

The webinar also looked forward. Open RAN, enterprise connected edge deployments, slicing, and non terrestrial network exposure all expand the number of places where trust and attack surface can collide. Kye discussed zero trust as an important design direction, especially in the O RAN context, but was careful to say that the sector is still far from full maturity. His point was that telecom should not automatically trust internal network functions simply because they live inside the same environment. Stronger identity, microsegmentation, and more dynamic trust decisions are needed, but that transition is still underway.

Mehdi added that O RAN and disaggregated architectures also create new practical attack opportunities. If an attacker can tamper with or replace components in the field, the expanded and more modular architecture can create additional pivot points. His conclusion was that telecom attack surface is still growing, and the defensive model has to grow with it.

AI is making both sides move faster

The session closed with an important point about AI. Mehdi argued that AI will only accelerate what is already happening. Attackers are already using it to scale activity, improve malware workflows, and support offensive operations. His view was that operators must start using AI more aggressively on the defensive side as well, especially for detection and response, because the attackers are not waiting.

That point fits the rest of the discussion. Telecom security is not failing because defenders lack theory. It is failing because the environment is large, complex, under segmented, and often under monitored. AI may help improve that, but only if operators use it to strengthen fundamentals rather than as another checkbox.

Final thoughts

This webinar worked because it stayed practical. It did not reduce telecom security to vague statements about cyber risk. It used concrete cases like SK Telecom, Salt Typhoon, and Liminal Panda to show how telecom compromise really happens: edge exposure, employee compromise, flat trust relationships, weak segmentation, default credentials, immature visibility, and long dwell time.  

The broader lesson is clear. Telecom remains one of the most consequential cyber battlegrounds because compromise there does not only expose data. As Kye noted near the end of the discussion, telecom attacks can endanger lives by disrupting emergency communications and core services during crises. That is why telecom security can no longer be treated as a slow moving compliance topic. It is a live operational defense problem, and the sector needs to act like it.

Watch the recording
Summary
Download our whitepaper

LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements

By clicking download you confirm that you accept our terms and conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Be informed

SS7 Attacker Heaven turns into Riot: How to make Nation-State and Intelligence Attackers’ lives much harder on mobile networks

By clicking download you confirm that you accept our terms and conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Towards Harmonization: Mapping EU Telecom Security Regulations and their evolution

By clicking download you confirm that you accept our terms and conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.