Overview
- Ribbon reported that attackers with suspected nation-state ties accessed its IT network starting in December 2024 and were discovered in early September 2025.
- Investigators determined four older customer files on two laptops were accessed, and the company has notified three smaller affected customers.
- Ribbon says there is no evidence the incident provided access to customer systems, and it is not aware of any government customers being impacted.
- The company believes it has ended the unauthorized access and is working with multiple third-party cybersecurity firms and federal law enforcement.
- Attribution and customer identities were withheld at a federal agency’s request, as experts note telecom suppliers like Ribbon are frequent espionage targets comparable to past campaigns such as Salt Typhoon.