Nokia Report Signals a Strategic Shift in Telecom Threats
By Cam Sivesind
Wed | Oct 8, 2025 | 3:36 PM PDT

The recently published Nokia Threat Intelligence Report 2025 delivers a stark warning to the telecommunications sector: the threat landscape has strategically matured. Threat actors are no longer relying primarily on scattershot phishing and opportunistic data theft; they are executing coordinated, infrastructure-level compromises against Communication Service Providers (CSPs).

For security professionals responsible for network integrity and subscriber data, the report serves as a critical blueprint for the coming years, mandating a rapid pivot in defensive architecture and strategic planning.

The report's findings make it clear that the nature of the threat has fundamentally changed. Nokia notes that in 2024-2025, "Threat actors have broadened their horizons and raised their attack sophistication, making telecoms a key target." This is not just a marginal increase in noise; it reflects a targeted, high-value strategy by sophisticated adversaries.

The evidence points away from isolated incidents and toward organized campaigns: "The patterns indicate coordinated infrastructure compromise rather than isolated opportunistic attacks." This means defenders must assume the adversary is capable of lateral movement, network mapping, and long-term persistence.

The most concerning tactical finding is the shift in targets away from the user edge and into the highly privileged core network components. The report highlights that campaigns have "systematically targeted lawful interception systems, mobile core signaling, orchestration layers, and subscriber databases."

Compromising these areas allows attackers to achieve devastating outcomes that go far beyond simple financial fraud:

  1. Subscriber data: Exposing sensitive personal and identifying information from subscriber databases (HLR, UDM).

  2. Session control: Manipulating call routing and connectivity by attacking mobile core signaling and session-control elements.

  3. Supply chain integrity: Undermining trust through compromise of orchestration layers and third-party systems.

The CISO of a leading North American CSP reinforced this shift, referring to a specific incident: "Salt Typhoon was definitely a change of strategy. It was a big investment, impacted a lot of people, and it took six to nine months." This quote perfectly encapsulates the new reality: attacks are now high-investment, long-duration campaigns aimed at maximum operational disruption and espionage.

Operational threats and emerging technology risks

Beyond the core network, the report outlines critical operational and technological threats that demand immediate attention.

  • Zero-day vulnerability management: As sophistication rises, the pressure to detect and patch zero-day vulnerabilities quickly increases. Effective security programs must incorporate threat intelligence that anticipates exploitation before patches are available.

  • DDoS landscape: Distributed Denial of Service (DDoS) remains a persistent operational threat. While often perceived as tactical, large-scale DDoS attacks are increasingly used as a cover for more subtle, parallel intrusion efforts targeting the core components mentioned above.

  • Quantum computing threats: The report's inclusion of "quantum computing threats" signals a vital long-term mandate for security architects. While not an immediate threat, security professionals must begin incorporating post-quantum cryptography roadmaps into new infrastructure deployments today to future-proof communication security protocols. This requires aligning with the "key strategic directions of CSPs" that the report discusses, ensuring security architecture supports the business's migration path toward next-generation networks.

The security mandate

The Nokia Threat Intelligence Report 2025 is a clear call to action. Security teams must pivot their focus from perimeter defense to security resilience within the core. This requires leveraging advanced threat intelligence, adopting cloud-native security controls for virtualized orchestration layers, and establishing strong, automated security protocols around subscriber and signaling data repositories.

The insights drawn from the report—gathered from Nokia's NetGuard, Deepfield, and Bell Labs—provide the intelligence. Now, the security community must use it to shift to a proactive, infrastructure-centric defense model.

Telecommunications companies, like many industries, are under increasing pressure from hackers and legislation. A recent court decision by the United States Sixth Circuit has upheld the Federal Communications Commission's (FCC) rules on data breach reporting, marking a significant development for the cybersecurity landscape.

In September, the U.S. Secret Service dismantled what it describes as an "imminent telecommunications threat" in the New York tristate area, seizing hundreds of servers and more than 100,000 SIM cards capable of crippling cell networks, overwhelming emergency services, and enabling anonymous communications.
