
Cyberattacks are increasingly invading core infra, hiding in plain sight

Nokia’s eleventh annual Threat Intelligence Report also finds compromised home connections are enabling a surge in DDoS attacks, and yet there is a lack of urgency among operators…

According to Nokia’s eleventh annual Threat Intelligence Report, cyber attackers are increasingly penetrating core telecom infrastructure undetected, sometimes for years. Also, DDoS attacks have surged to new extremes, powered by compromised home internet connections, and crypto agility “is moving from roadmap to requirement”.

Stealth campaigns target telco core

Attackers have stepped up intrusions into core networks, in some cases reaching sensitive systems like subscriber data and lawful interception platforms, as seen in the high-profile Salt Typhoon case: in October 2024, it was reported that state-sponsored hackers, backed by the People’s Republic of China, infiltrated US telecoms companies including internet service providers.

Nokia’s research found that invaders often hide in plain sight by abusing trusted tools (known as ‘living off the land’ attacks), unpatched devices and misconfigurations:

  • 63% of operators faced at least one living off the land attack last year and 32% suffered four or more.
  • Multi-year, low-profile infections have led to major data exposure and forced operators into costly remediation, highlighting the business and reputational risks of long-term, privileged access.
  • As the CISO from one leading network operator in North America said, “Salt Typhoon was the most significant cybersecurity incident we faced in the last 12 months. … Some of the entry points were put in place years ago, just sitting and waiting for the right moment to trigger.”

DDoS attacks are shorter, more powerful

Terabit-scale DDoS attacks are a daily reality, up from once every five days in 2024, and gigabit residential broadband connectivity is amplifying the dangers:

  • DDoS peaks in the 5 to 10Tbps range are the “new normal,” escalating faster than most alert systems can raise alarms. 
  • Some 78% of DDoS attacks now end within five minutes (up from 44% in 2024), with 37% ceasing in under two minutes, highlighting the need for rapid detection and mitigation.
  • Over 100 million residential endpoints (4% of the global total) are available to be exploited, including for malicious uses of bandwidth.

AI is central to defence, with quantum-safe nets the next frontier

More than 70% of telecom security leaders prioritise AI- and ML-based threat analytics, and more than half plan to deploy AI for detection within 18 months — a direct response to stealthy attacks and rapid DDoS campaigns. Nokia states, “telcos also need to adopt automated certificate management and encryption that’s ready for the quantum future”.

The research found that:

  • The timespan in which digital certificates remain valid is shrinking dramatically, from over a year now to just 47 days by 2029.
  • Despite upcoming compliance deadlines from governing bodies — particularly in the European Union — the industry’s sense of urgency is low; for instance, risk around quantum computing ranks second to last among concerns for network security professionals.

Insider risk, human error and misconfigurations

Nearly 60% of high-cost breaches stem from insider actions or mistakes, with complex supply chains increasing exposure to credential misuse, privilege escalation and physical access breaches. The report states that:

  • Poor hygiene: 76% of vulnerabilities stem from missing patches.
  • Application‑layer issues, including poor access controls and exploitable software flaws, are prevalent as digital services expand.

“Connectivity powers everything from public safety and financial transactions to digital identity. Recent attacks have reached lawful interception systems, leaked sensitive subscriber data and disrupted emergency services.

“The industry must fight back through shared threat intelligence, AI-driven detection and response, and crypto-agility, turning interconnected networks from a vulnerability into a source of resilience,” said Kal De, Senior Vice President, Product and Engineering, Cloud and Network Services, Nokia.

Jeff Smith, Vice President and General Manager, Deepfield, Nokia, added, “In light of the rise of industrialised attack tools, millions of insecure IoT endpoints and organised botnets employing residential proxies, network owners must act now to protect their assets and customers from massive, complex and highly variable DDoS attacks in the 10+ terabit range.

“Security should not be an afterthought; rather, DDoS protection must be built into the network itself, ensuring critical network functions continue uninterrupted.”

About the report

Nokia’s Threat Intelligence Report draws on operational insights from the company’s NetGuard and Deepfield portfolios, real-world data from Managed Security Services operations, research from Nokia Bell Labs and its expertise in cybersecurity consulting and quantum-safe networking.

These sources are complemented by quantitative and qualitative insights from 160 global telecom security leaders. The report includes a set of recommendations spanning threat detection and response, AI adoption, DDoS mitigation, regulatory compliance, quantum readiness and more, to help telecom operators strengthen resilience across their networks. 
