
2025 Cybersecurity Trends in Global Telecommunications

22 Dec 2025

10 min read


    This edition of the Kaspersky Security Bulletin 2025 focuses on cybersecurity in the telecommunications sector, examining real-world incidents and key threat trends affecting network operators and service providers.


    Telecommunications providers are entering 2026 with a threat landscape that is both familiar and evolving. The pressures that dominated 2025 are not transient; they will remain persistent drivers of operational risk next year. At the same time, the sector is moving from “technology roadmap” to real-world implementation. These advances can strengthen resilience over the long term, but in the near term they introduce new integration points, dependencies, and failure modes — creating scenarios where speed, complexity, and uneven adoption can amplify disruption.

    Leonid Bezvershenko

    Senior Security Researcher at Kaspersky GReAT

    2025 telecom sector cybersecurity in figures

    12.79% of users in the telecom sector faced web threats.*

    20.76% of users in the telecom sector faced on-device threats.*

    9.86% of telecom companies faced ransomware this year.**

    32.18% is the share of Windows users targeted by different types of threats in the telecommunications sector in 2025.*

    27.81% is the share of macOS users targeted by different types of threats in the telecommunications sector in 2025.*

    *November 2024 through October 2025.

    **KSN Data, November 2024 through October 2025.


    Worldwide 9.86% of organizations in the telecom sector were affected by ransomware, with 7.94% in Africa, 9.22% in Russia & CIS, and 7.36% in APAC (KSN Data, November 2024 through October 2025).

    Cybersecurity trends and cases shaping the telecommunication sector in 2025

    Telecommunications providers remained high-value APT targets throughout 2025.

    Their networks occupy strategic chokepoints — compromising carrier infrastructure, particularly backbone and edge routing, delivers broad visibility and persistent access for large-scale cyberespionage while creating disruption leverage. The Salt Typhoon 2025 campaign exemplified this pattern, targeting telecom environments globally with specific focus on routing infrastructure.

    Case

    In April, Kaspersky GReAT revealed Lazarus Group's "Operation SyncHole," which compromised at least six South Korean organizations including telecommunications providers through watering-hole attacks exploiting vulnerabilities in browser-integrated tools. Earlier that year, Kaspersky identified ForumTroll, a newly discovered APT actor whose victim portfolio featured telecommunications companies.

    Supply-chain compromise remained a high-impact access vector.

    Telecom environments are inherently multi-vendor and integration-heavy, and they depend on a large perimeter of contractors, managed services, and ubiquitous “glue” platforms for collaboration and workflow. A compromise in a widely deployed product can therefore become a single point of failure: it exposes credentials, configurations, and operational documentation, and it enables pivoting from corporate IT into service delivery.

    Case

    In July 2025, the “ToolShell” wave became a clear illustration of this risk: an exploit chain in on‑premises Microsoft SharePoint enabled unauthenticated remote code execution and web‑shell deployment on internet‑facing SharePoint servers. Public reporting indicated that telecom organizations were among the victims, including an Asian telecommunications company in the initial exploitation wave and, later, a telecommunications service provider in the Middle East.

    DDoS activity posed a direct load and congestion challenge for telecoms.

    Volumetric floods saturated peering/transit links, overloaded edge routing and mitigation gear, and triggered collateral effects on shared infrastructure. NTT Docomo, for example, blamed a ~11-hour outage on Jan. 2 (impacting 90M subscribers’ access to goo portal, dpay, etc.) on DDoS-induced network congestion.
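The congestion signals described above (saturated links, packet-rate surges made of small packets, rising input discards) can be watched for on per-interface counters before customers feel the impact. The following is an added example written for this bulletin, not Kaspersky code or any operator's tooling; the interface samples, link capacities and thresholds are all constructed for illustration.

```python
"""Flagging DDoS congestion precursors on peering/transit links.

Added illustration (not Kaspersky code). It turns constructed SNMP-style
cumulative interface counters into per-interval rates and raises alerts on
three precursors of a volumetric flood: utilization near capacity, a
packets-per-second surge with unusually small packets, and input discards.
"""
from dataclasses import dataclass
from statistics import mean

# Constructed link capacities in bits per second.
LINK_CAPACITY_BPS = {"peer1": 10_000_000_000, "peer2": 1_000_000_000}

UTIL_WARN = 0.80         # warn when a link carries >= 80% of its capacity
PPS_SURGE = 3.0          # warn when pps exceeds 3x the quiet baseline ...
SMALL_PKT_BYTES = 200    # ... and the average packet is small (flood-like)


@dataclass(frozen=True)
class Sample:
    iface: str
    t: int             # seconds since polling started
    in_bytes: int      # cumulative counters, polled every 10 s
    in_pkts: int
    in_discards: int


# Constructed samples: peer1 is quiet for three intervals, then sees a surge
# of ~80-byte packets with discards; peer2 stays steady with large packets.
SAMPLES = [
    Sample("peer1", 0, 0, 0, 0),
    Sample("peer1", 10, 2_500_000_000, 3_125_000, 0),
    Sample("peer1", 20, 5_000_000_000, 6_250_000, 0),
    Sample("peer1", 30, 7_500_000_000, 9_375_000, 0),
    Sample("peer1", 40, 15_500_000_000, 109_375_000, 12_000),
    Sample("peer1", 50, 26_000_000_000, 240_625_000, 40_000),
    Sample("peer2", 0, 0, 0, 0),
    Sample("peer2", 10, 500_000_000, 400_000, 0),
    Sample("peer2", 20, 1_000_000_000, 800_000, 0),
    Sample("peer2", 30, 1_500_000_000, 1_200_000, 0),
    Sample("peer2", 40, 2_000_000_000, 1_600_000, 0),
]


def interval_rates(samples):
    """Convert cumulative counters into per-interval rates, grouped by interface."""
    by_iface = {}
    for s in sorted(samples, key=lambda s: (s.iface, s.t)):
        by_iface.setdefault(s.iface, []).append(s)
    rates = {}
    for iface, series in by_iface.items():
        rows = []
        for prev, cur in zip(series, series[1:]):
            dt = cur.t - prev.t
            dbytes = cur.in_bytes - prev.in_bytes
            dpkts = cur.in_pkts - prev.in_pkts
            rows.append({
                "t": cur.t,
                "bps": dbytes * 8 / dt,
                "pps": dpkts / dt,
                "avg_pkt": dbytes / dpkts if dpkts else 0.0,
                "discards": cur.in_discards - prev.in_discards,
            })
        rates[iface] = rows
    return rates


def congestion_alerts(samples, baseline_intervals=3):
    """Return (iface, t, reason) tuples for intervals showing flood precursors.

    The pps baseline is the mean of the first `baseline_intervals` intervals;
    every later interval is judged against it.
    """
    alerts = []
    for iface, rows in interval_rates(samples).items():
        base = rows[:baseline_intervals]
        if not base:
            continue
        base_pps = mean(r["pps"] for r in base) or 1.0  # avoid divide-by-zero on idle links
        cap = LINK_CAPACITY_BPS[iface]
        for r in rows[baseline_intervals:]:
            util = r["bps"] / cap
            if util >= UTIL_WARN:
                alerts.append((iface, r["t"], f"utilization {util:.0%}"))
            if r["pps"] >= PPS_SURGE * base_pps and r["avg_pkt"] < SMALL_PKT_BYTES:
                ratio = r["pps"] / base_pps
                alerts.append((iface, r["t"], f"pps surge x{ratio:.0f} with avg pkt {r['avg_pkt']:.0f}B"))
            if r["discards"] > 0:
                alerts.append((iface, r["t"], f"{r['discards']} input discards"))
    return alerts


if __name__ == "__main__":
    for iface, t, reason in congestion_alerts(SAMPLES):
        print(f"{iface} t={t}s: {reason}")
```

In a real deployment the baseline would be learned per link and time of day rather than from the first three polls, and the alert would be correlated with upstream mitigation telemetry; the structure (rate derivation, a baseline, and several independent precursors) stays the same.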

    Case

    In June 2025, Kaspersky GReAT documented continued botnet recruitment of insecure IoT devices: a new Mirai variant was observed targeting exposed DVR devices by exploiting CVE-2024-3721, reinforcing how widely deployed, weakly managed IoT can be conscripted into large-scale DDoS infrastructure.

    What telecommunications cybersecurity might face in 2026

    1. Execution-at-scale risk from AI-assisted network management.

    In 2026, telecom operators could face a non-trivial risk of AI-related service disruption — not because “AI will run the network,” but because providers are increasingly using AI to monitor, predict, and automatically fix issues across large, complex infrastructures. Flawed configuration templates or poisoned data signals can be deployed across complex infrastructures instantly. If underlying data is noisy or manipulated, AI systems may execute "confidently wrong" actions, leading to widespread outages.

    2. Operational risk from accelerated post-quantum cryptography transitions.

    Telecom providers may encounter a non-trivial risk of PQC transition-induced service disruption from rushed, uneven deployment of post-quantum and hybrid cryptography across the telecom IT, management, and interconnect security planes. The underlying driver remains “harvest now, decrypt later”: malicious actors can collect encrypted data today and attempt decryption in the future, which pushes providers to accelerate migration planning. However, timelines for cryptographically relevant quantum computers are uncertain, so the practical near-term hazard is operational instability during the transition rather than immediate quantum decryption.
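To make the two halves of this risk concrete, here is an added example (not Kaspersky code, and not a production KEM) showing, first, how a hybrid key is derived from a classical and a post-quantum shared secret so that the session key stays secret as long as either component does, and second, why forcing hybrid-only suites on every interconnect at once causes exactly the transition-induced failures described above. The shared secrets are constructed placeholders for the outputs of a classical key exchange and a post-quantum KEM, and the suite names are illustrative labels.

```python
"""Hybrid key derivation and staged suite negotiation for the PQC transition.

Added illustration, not Kaspersky code and not a production KEM. The two
shared secrets are constructed stand-ins for a classical key-exchange
output and a post-quantum KEM output. The combiner feeds both secrets into
one HKDF call bound to the handshake transcript; the negotiation helper
contrasts a staged policy (fallback allowed) with a rushed hybrid-only cutover.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive_hybrid_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes,
                      length: int = 32) -> bytes:
    """Combine a classical and a post-quantum shared secret into one session key.

    Concatenating both secrets as IKM means an attacker must recover both to
    learn the key. Hashing the transcript into the salt binds the key to the
    negotiated parameters, so a downgraded handshake yields a different key.
    """
    prk = hkdf_extract(HASH(transcript).digest(), ss_classical + ss_pq)
    return hkdf_expand(prk, b"telecom-hybrid-session-key", length)


HYBRID_SUITE = "ecdh-plus-pqkem-hybrid"   # illustrative label, not a registered name
CLASSICAL_SUITE = "ecdh-only"             # illustrative label, not a registered name


def negotiate(our_prefs: List[str], peer_supported: List[str], policy: str) -> Optional[str]:
    """Pick the first mutually supported suite in our preference order.

    'prefer_hybrid' allows falling back to a classical suite for peers that
    have not migrated; 'require_hybrid' refuses anything else (the rushed
    cutover), and returns None where the connection would simply fail.
    """
    common = [s for s in our_prefs if s in peer_supported]
    if policy == "require_hybrid":
        common = [s for s in common if s == HYBRID_SUITE]
    return common[0] if common else None


def transition_report(our_prefs: List[str], peers: Dict[str, List[str]],
                      policy: str) -> Dict[str, Optional[str]]:
    """Per interconnect partner: the suite that would be negotiated (None = outage)."""
    return {name: negotiate(our_prefs, supported, policy) for name, supported in peers.items()}


if __name__ == "__main__":
    ss_c, ss_pq = os.urandom(32), os.urandom(32)   # constructed stand-ins for KEM outputs
    print("session key:", derive_hybrid_key(ss_c, ss_pq, b"handshake-transcript").hex())
    peers = {"partner-a": [HYBRID_SUITE, CLASSICAL_SUITE], "partner-b": [CLASSICAL_SUITE]}
    for policy in ("prefer_hybrid", "require_hybrid"):
        print(policy, transition_report([HYBRID_SUITE, CLASSICAL_SUITE], peers, policy))
```

Running the report under both policies before flipping a plane to hybrid-only gives the inventory a staged migration needs: every partner that would come back as None is an interconnect to coordinate with first, not one to cut over.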

    3. Service continuity risk from expanding 5G-to-satellite integration.

    In 2026, 5G's direct integration with Low Earth Orbit constellations (NTN) may create satellite-linked disruptions as it expands the attack surface into unfamiliar territory: ground-station networks, management portals, and terrestrial-space coordination software. The logic is simple: more integration points and partners create more potential compromise vectors. A compromise of a ground-side system could, even for a short window, enable disruptive changes to how service is routed or managed.

    Recommendations for users and organizations

    • Track the APT landscape and telecom-relevant infrastructure continuously.
      Use the Kaspersky Threat Intelligence Portal to monitor actor and campaign context, and pair that intelligence with regular security awareness training so employees can recognize suspicious activity and apply security policies consistently.
    • Treat AI-driven network automation as a change-management program.
      Keep a human override for high-impact actions, roll out in stages with clear rollback paths, and continuously validate the data feeding AI systems so noisy or manipulated inputs cannot trigger “confidently wrong” changes at scale.
    • Increase DDoS readiness as a capacity-management problem.
      Validate upstream mitigation, protect edge routing, and monitor for congestion signals that precede customer impact. Use threat intelligence to enrich indicators and spot botnet infrastructure early.
    • Deploy an EDR capability such as Kaspersky Next EDR Expert to detect advanced threats early, support rapid investigation, and enable effective incident containment and remediation.
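The AI-automation forecast above (forecast 1) and the recommendation to treat AI-driven network automation as a change-management program describe the same set of controls: validate the data a recommendation rests on, keep a human override for high-impact actions, cap how much of the fleet one autonomous change can touch, and roll out in stages with a rollback path. The following change gate is an added example for this bulletin, not Kaspersky code or any vendor's product; the fleet, the AI proposal and the device health signal are constructed stand-ins.

```python
"""Change gate for AI-proposed network configuration changes.

Added illustration (not Kaspersky code and not any vendor's product). A
proposal is applied only if its evidence passes validation, it is not
classified high-impact (those go to a human), and it stays within the
blast-radius limit; it is then rolled out canary-first in small batches and
fully reverted if any touched device becomes unhealthy. The fleet, proposal
and health signal are all constructed stand-ins.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_BLAST_RADIUS = 0.10      # an autonomous change may touch at most 10% of the fleet
MAX_EVIDENCE_AGE_S = 300     # telemetry older than 5 minutes is not acted on
BASELINE_CONFIG = {"mtu": 1500}


@dataclass
class Proposal:
    source: str          # automation that produced the recommendation
    targets: List[str]   # devices it wants to change
    config: dict         # parameter changes to push
    evidence: dict       # telemetry the recommendation rests on
    impact: str          # "low" or "high", as classified by operator policy


@dataclass
class GateResult:
    applied: List[str] = field(default_factory=list)
    rolled_back: List[str] = field(default_factory=list)
    blocked_reason: Optional[str] = None
    needs_human: bool = False


class SimulatedFleet:
    """Constructed stand-in for a device management API.

    Devices listed in `fragile` report unhealthy whenever their config leaves
    the baseline; that is how the example simulates a bad change.
    """

    def __init__(self, size: int, fragile=()):
        self.configs = {f"r{i:02d}": dict(BASELINE_CONFIG) for i in range(1, size + 1)}
        self.fragile = set(fragile)

    def apply(self, device: str, config: dict) -> dict:
        """Push `config` and return the previous config for rollback."""
        previous = dict(self.configs[device])
        self.configs[device].update(config)
        return previous

    def healthy(self, device: str) -> bool:
        return device not in self.fragile or self.configs[device] == BASELINE_CONFIG


def validate_evidence(evidence: dict, now: float) -> List[str]:
    """Reject stale, missing, out-of-range or single-source telemetry."""
    problems = []
    if now - evidence.get("collected_at", 0) > MAX_EVIDENCE_AGE_S:
        problems.append("evidence is stale")
    util = evidence.get("link_utilization")
    if util is None or not 0.0 <= util <= 1.0:
        problems.append("link_utilization missing or out of range")
    if len(set(evidence.get("sources", []))) < 2:
        problems.append("fewer than two independent telemetry sources")
    return problems


def gate_and_apply(proposal: Proposal, fleet: SimulatedFleet, now: float,
                   batch_size: int = 3) -> GateResult:
    """Apply a proposal only if it passes the gate; stage it and revert on regression."""
    result = GateResult()
    problems = validate_evidence(proposal.evidence, now)
    if problems:
        result.blocked_reason = "; ".join(problems)
        return result
    if proposal.impact == "high":
        result.needs_human = True            # human override for high-impact actions
        return result
    if len(proposal.targets) > MAX_BLAST_RADIUS * len(fleet.configs):
        result.blocked_reason = "blast radius exceeds policy"
        return result

    # Stage 1 is a single canary; later stages are small batches.
    stages = [proposal.targets[:1]] + [
        proposal.targets[i:i + batch_size] for i in range(1, len(proposal.targets), batch_size)
    ]
    snapshots: Dict[str, dict] = {}
    for stage in stages:
        for device in stage:
            snapshots[device] = fleet.apply(device, proposal.config)
            result.applied.append(device)
        if not all(fleet.healthy(d) for d in snapshots):
            # Health regressed somewhere in the changed set: restore every
            # device this proposal touched, newest change first.
            for device, previous in reversed(list(snapshots.items())):
                fleet.apply(device, previous)
            result.rolled_back = list(snapshots)
            result.applied = []
            return result
    return result


if __name__ == "__main__":
    NOW = 1_700_000_000
    evidence = {"collected_at": NOW - 60, "link_utilization": 0.91, "sources": ["snmp", "netflow"]}
    targets = [f"r{i:02d}" for i in range(1, 9)]
    fleet = SimulatedFleet(100, fragile={"r05"})
    print(gate_and_apply(Proposal("capacity-advisor", targets, {"mtu": 9000}, evidence, "low"), fleet, NOW))
```

The health check runs over every device touched so far, not just the latest batch, because a change that looks fine on the canary can still degrade a device that interacts with it; and the gate reverts the whole proposal rather than skipping the failing device, since a half-applied change is its own outage.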