Protecting mission-critical networks from next-generation threats

By Fernando Rionegro, Vice President, Cloud and Network Services, Europe at Nokia.

Tuesday, 27th January 2026. Posted 3 hours ago by Phil Alsop

Mobile devices now allow people to navigate, communicate and transact from almost anywhere in the world. A simple tap can pay for a coffee, give instant access to public transport or send money to a friend in seconds. Connectivity has become a constant of everyday life.

But mobile infrastructure underpins far more than convenience. What were once simpler communications networks now serve as mission-critical systems, supporting everything from emergency response teams and complex healthcare systems to financial platforms and essential public services, shaping how we live, work and do business.

However, greater connectivity also brings greater exposure: as networks become more interconnected, their attack surfaces expand. Every interface, protocol and software layer introduces a new potential entry point for attack.

Over the past year alone, telecom providers have faced everything from large-scale espionage campaigns targeting core network infrastructure to data breaches exposing hundreds of thousands of customer records. The rising number of such incidents underlines a troubling reality: telecom providers are now prime targets for cybercriminals and state-backed groups due to the sensitive data and critical national infrastructure they manage. Against this backdrop, four threats in particular stand out for their speed and impact. 

Stealthy campaigns target the telco core 

Adversaries are becoming more coordinated and deliberate in their targeting of telecom networks. Rather than opportunistic strikes, attackers are increasingly focusing on the telco core itself with coordinated, infrastructure-level campaigns. Over the past year, 63% of telecom providers experienced at least one so-called “living-off-the-land” intrusion, while nearly a third reported four or more such attacks. 

These attacks reflect a clear shift in strategy. Attackers are no longer looking for quick wins; instead, they are embedding themselves within networks by blending into routine administration, misusing trusted tools and exploiting configuration drift. By operating in ways that appear legitimate, they can move laterally across critical systems, from orchestration layers and mobile core signalling to subscriber databases and lawful interception paths, without triggering traditional security alerts. When legitimate activity becomes the disguise, the telco core itself becomes the attack surface. 

The Salt Typhoon campaign is a prime example of this shift. By exploiting long-standing entry points, attackers compromised lawful interception systems. They maintained long-term, privileged access across networks in more than 80 countries, demonstrating just how deeply they can now embed themselves within telecom environments. More recently, the breach at British operator Brsk, where around 230,000 customer records were reportedly stolen and auctioned online, further highlighted the scale of data and trust at stake. 

The evolution of DDoS attacks

DDoS attacks no longer resemble slow-building traffic floods. Instead, they strike fast and at scale, overwhelming networks before traditional defences have time to respond. Traffic peaking at 5–10 Tbps has become a daily reality, with 78% of DDoS attacks now ending within five minutes, and 37% wrapping up in under two minutes. 

This shift is driven by a more mature and accessible attack ecosystem. Residential proxy networks built on more than 100 million hijacked home devices, combined with Mirai-derived botnets, are giving attackers instant access to enormous bandwidth. The result is multi-terabit floods that can be launched and withdrawn within minutes. In this environment, resilience hinges on sub-minute detection and mitigation, ideally triggered across multiple vantage points before the first wave hits.

AI on both sides of the battlefield 

AI is shaping both sides of telecom security. Adversaries are using automation and AI to move faster through networks, making phishing and social engineering more convincing, and adapting malware and exploits to telecom-specific systems. The latest threat intelligence data shows that phishing and social engineering remain the leading root cause of major cyber incidents globally, cited in 25.6% of cases, while 55% of telecom providers report malware engineered specifically for telecom protocols, with 45.1% encountering custom-built toolkits.

In response, telecom security leaders are increasingly turning to AI to defend against rising stealthy attacks and rapid DDoS campaigns. More than 70% now rely on AI/ML‑based threat analytics, including predictive models, instant context and governed automation to strengthen network resilience. 

Hidden implants and protocol abuse

Attackers are now pushing deeper into telecom infrastructure, targeting management planes and telco-native protocols that sit at the heart of network operations. These intrusions can remain hidden for long periods of time, often in areas where traditional IT security has blind spots, lying dormant until remote commands activate them. 

When attackers gain control at this level, the consequences extend far beyond data theft. Service integrity can be disrupted, recovery becomes more complex, and confidence in the network itself is undermined. In fact, 44.4% of operators rank reputational damage as the most serious consequence of a breach, ahead of both financial loss and technical disruption.

Building resilience into the core 

As network threats continue to evolve, resilience will increasingly depend on how effectively security is integrated into every layer of network architecture. Instead of treating security as an overlay, telecom providers must embed protection across every layer, from infrastructure and operations to governance. Achieving this requires adopting continuous monitoring, zero-trust principles, and a security-by-design mindset at the core.

A key part of this approach is the ability to detect early indicators of abnormal behaviour and contain potential threats before services are impacted. Continuous monitoring across core network domains, supported by anomaly detection and trust validation designed specifically for telecom traffic, enables operators to spot subtle changes that may otherwise go unnoticed.

Limiting attacker dwell time is equally important. Closing identity gaps through regular credential rotation, strong authentication for network devices and tighter controls on shared accounts reduces opportunities for persistence and lateral movement, helping contain incidents at an early stage.

AI is becoming a powerful enabler of this shift, supporting faster and more precise detection and response while improving visibility across complex environments. When deployed with clear governance, explainability and human oversight, AI-driven systems can strengthen proactive threat hunting and decision-making without undermining accountability.

By combining automation with human expertise and embedding security throughout the architecture, telecom providers can ensure the networks we all depend on remain trusted, resilient and dependable against next-generation threats. 
