Orange: Telecom sector sees steady rise in ransomware attacks

Telecom Sector Faces Surge in Ransomware Attacks, Data Theft in 2025

The telecom industry has become a prime target for cybercriminals, with ransomware attacks quadrupling from 24 incidents in 2022 to 90 in 2025, according to a recent threat intelligence report by Cyble. The sector’s critical role in national infrastructure and its vast stores of subscriber data make it a lucrative target for hackers, who exploit vulnerabilities in internet-facing systems and third-party dependencies.

In late 2025, cybercriminals advertised stolen administrator credentials for a major U.S. telecom firm on the dark web for $4,000. The DragonForce ransomware gang also claimed to have exfiltrated over five terabytes of data from another U.S. telecom provider, though no evidence was provided. Cyble identified 444 data theft incidents in the sector, including 133 listings of stolen databases containing sensitive customer and operational information.

The majority of attacks in 2025 were attributed to a handful of ransomware groups, with Qilin leading, followed by Akira and Play. High-profile victims included British telecom giant Orange. Roughly 70% of attacks targeted companies in the Americas, with Europe, Asia-Pacific, and the Middle East and Africa also affected.

Cyble’s report highlighted that many attacks were enabled by the rapid exploitation of zero-day vulnerabilities in network equipment. Nation-state hackers and hacktivist groups further compounded the threat, using DDoS attacks and website defacements to disrupt operations. The telecom sector’s security posture remains a concern for businesses across industries, given its role in enabling secure communications.

Source: https://www.cybersecuritydive.com/news/telecom-ransomware-spike-cyble/809224/

Orange cybersecurity rating report: https://www.rankiteo.com/company/orange

"id": "ORA1767980221",
"linkid": "orange",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'telecommunications',
                        'location': 'United Kingdom',
                        'name': 'Orange',
                        'size': 'large',
                        'type': 'telecom'},
                       {'industry': 'telecommunications',
                        'location': 'United States',
                        'name': 'Major U.S. telecom firm (unnamed)',
                        'size': 'large',
                        'type': 'telecom'}],
 'attack_vector': ['unpatched vulnerabilities',
                   'zero-day exploits',
                   'internet-facing network equipment',
                   'third-party service dependencies'],
 'data_breach': {'data_exfiltration': 'yes (claimed by DragonForce)',
                 'personally_identifiable_information': 'yes',
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['customer data',
                                              'subscriber data',
                                              'operational information',
                                              'U.S. wiretap targets '
                                              'information']},
 'date_publicly_disclosed': '2025-07',
 'description': 'The telecom sector experienced a nearly fourfold spike in '
                'ransomware attacks from 2022 to 2025, with 90 attacks in 2025 '
                'compared to 24 in 2022. Cybercriminals targeted telecom firms '
                'for reselling customer data, gaining strategic advantages, '
                'and exploiting internet-facing infrastructure and third-party '
                'dependencies. Major ransomware gangs like Qilin, Akira, and '
                'Play led the attacks, with victims including Orange. '
                'Additionally, 444 incidents of data theft were identified, '
                'including 133 listings of stolen databases containing '
                'sensitive customer or operational data.',
 'impact': {'brand_reputation_impact': 'high',
            'data_compromised': 'over five terabytes (claimed by DragonForce), '
                                'sensitive customer data, operational '
                                'information, subscriber data, U.S. wiretap '
                                'targets information',
            'identity_theft_risk': 'high',
            'operational_impact': 'network disruptions, enterprise business '
                                  'operations disrupted for up to two weeks',
            'systems_affected': ['telecom infrastructure',
                                 'customer databases',
                                 'network equipment']},
 'initial_access_broker': {'data_sold_on_dark_web': 'yes (stolen databases, '
                                                    'customer data)',
                           'entry_point': 'administrator credentials sold on '
                                          'dark web ($4,000)',
                           'high_value_targets': 'telecom infrastructure'},
 'investigation_status': 'ongoing',
 'lessons_learned': "The telecom sector's critical role as national "
                    'infrastructure and its access to high-volume subscriber '
                    'data make it a prime target. Frequent exposure through '
                    'internet-facing infrastructure and third-party '
                    'dependencies, along with rapid weaponization of '
                    'vulnerabilities, enables attacks. Bipartisan cooperation '
                    'is needed for cyber resilience.',
 'motivation': ['financial gain',
                'strategic advantage over adversary nations',
                'geopolitical disruption',
                'resale of customer data'],
 'post_incident_analysis': {'root_causes': ['unpatched vulnerabilities in '
                                            'internet-facing network equipment',
                                            'third-party service dependencies',
                                            'lax perimeter controls',
                                            'rapid weaponization of zero-day '
                                            'exploits']},
 'ransomware': {'data_encryption': 'yes',
                'data_exfiltration': 'yes',
                'ransomware_strain': ['Qilin', 'Akira', 'Play']},
 'recommendations': ['Patch critical and zero-day vulnerabilities promptly',
                     'Enhance perimeter controls and network segmentation',
                     'Improve third-party risk management',
                     'Strengthen incident response plans',
                     'Increase monitoring and adaptive security measures',
                     'Foster bipartisan cooperation for cyber resilience'],
 'references': [{'date_accessed': '2025-07',
                 'source': 'Cyble Threat Intelligence Report'},
                {'source': 'TechTarget/Informa'}],
 'threat_actor': ['Qilin',
                  'Akira',
                  'Play',
                  'DragonForce',
                  'nation-state hackers',
                  'hacktivists'],
 'title': 'Telecom Sector Cyber Incidents and Ransomware Surge (2022-2025)',
 'type': ['ransomware', 'data_breach', 'initial_access_broker'],
 'vulnerability_exploited': ['critical and zero-day vulnerabilities in '
                             'internet-facing network equipment']}