Telecommunications service providers (TSPs) are foundational to the functioning of our modern technical society, serving as the conduit through which many critical infrastructure sectors maintain communication, coordination, and control. While industrial control systems (ICS) typically operate within isolated operational networks/enclaves, some critical infrastructure sectors depend on TSPs for remote monitoring, data transmission, or secure connectivity across dispersed sites. This dependency is seen, for example, in sectors such as communications, energy, water and wastewater, transportation, emergency services, and critical manufacturing. The intersection of TSPs and critical infrastructure presents an attractive target for malicious actors, as weaknesses in telecommunications infrastructure can provide a conduit for disrupting, intercepting, or manipulating communications, as seen in many Advanced Persistent Threat (APT) campaigns.
Telecoms Increasingly Targeted by Adversaries
TSPs have become a central focus for cyber adversaries due to their dual role as both infrastructure and intelligence gateways. Groups like Sandworm in Ukraine, Salt Typhoon in the U.S. and globally, and the Volt Typhoon campaign against a Guam TSP illustrate how telecoms are now critical nodes in cyber operations. Threat actors exploit telecom environments to harvest intelligence-relevant data and subscriber information, and to deploy ransomware for financial gain. Critically, they can also use this access for further reconnaissance and to reach the interdependencies that lead into other sectors (e.g., energy, emergency services, or military communications). Once inside a telecom provider’s environment, attackers can tap into the systems that manage how calls, messages, and data are routed (SS7/Diameter), as well as the platforms used to administer customer accounts and network operations (OSS/BSS). They may also target managed infrastructure—core routers, switches, and other network appliances—that handles internal and customer traffic. These aren’t just telecom-specific systems—they’re strategic assets. From here, adversaries can quietly observe, exfiltrate data, or move laterally into other connected sectors. Even if the breach is detected at the telecom level, it’s possible the attacker has already pivoted into customer networks or embedded themselves in managed infrastructure, lying in wait for a future opportunity. As global tensions rise, these networks are no longer neutral infrastructure — they’re contested terrain.
Cross-Sector Cyber Risk: Lessons from Modern Campaigns
Recent campaigns underscore a troubling trend: threat actors are breaching TSPs not as an end goal, but as a gateway into broader critical infrastructure. In 2024, China-linked Salt Typhoon infiltrated major telecoms using both credential abuse and long-standing router vulnerabilities, harvesting sensitive metadata and potentially accessing systems linked to political and national security interests. Similarly, Volt Typhoon (active since at least 2021) used stealthy “living off the land” techniques to persist inside telecom and infrastructure networks across sectors like energy, water, and transportation, embedding themselves within control systems. These operations suggest not just espionage or profit-driven activity but contingency planning for future disruption. In 2023, Sandworm infiltrated Kyivstar, Ukraine’s largest TSP, disrupting services for approximately 24 million users. While the headlines focused mainly on the destruction and degradation that marked the campaign’s end state, the many months the adversary spent embedded were likely used to evaluate pathways to other targets and to maintain operations outside of the crippled TSP.
Looking Ahead
As the threat landscape continues to evolve, defenders must prepare for adversaries who view TSPs not as final targets, but as strategic entry points into broader ecosystems. Future campaigns will likely continue to blur the lines between sectors, exploiting trusted interconnectivity to map and move from TSPs into other critical infrastructure. Since incident response generally focuses on the direct compromise (scope, cost, authority, etc.), there is often a blind spot when it comes to assessing where attackers may already have pivoted beyond that scope. This underscores the need for integrated threat hunting and information sharing across both provider and customer environments, improved telemetry on managed infrastructure, and proactive cross-sector collaboration. Defenders must expand their scope beyond containment and eradication to consider the long game, including adversary dormant periods, in order to disrupt the attacker’s ability to nest in one sector with the goal of reaching into another.
About the Author
Trea Zemaitis is a Senior Security Engineer with Core4ce and has extensive experience in vulnerability/penetration testing assessments, computer forensics, and SOC operations. His career spans public and private sectors, consulting, and military roles, where he has led global security engagements, including red and purple teaming. Trea also holds advanced degrees in Cybersecurity and Economics, with a focus on game theory, and has a wide range of advanced industry certifications.