Telecom networks have become high-value targets in today’s threat landscape, drawing interest from nation-state actors, cybercriminals, and proxy groups alike. The surge in attacks throughout 2024 exposed critical gaps across mobile infrastructure, putting national security and public safety on the line. With 2025 expected to bring more advanced, coordinated campaigns, telecom operators face mounting pressure to move beyond perimeter defenses. Ericsson is stepping in with a security-first approach tailored to operationalize U.S. Cybersecurity and Infrastructure Security Agency (CISA) directives, equipping providers to fortify their networks, meet regulatory demands, and counter threats with real-world resilience.

“Ericsson Security Solutions team focuses on the adversary’s tactics, which are tactical goals in the cyber kill chain of the threat actors to reach their objectives. These tactics grow more complex as threats continuously evolve,” Harri Pietilä T, strategic product manager at Ericsson, and Scott Poretsky, Ericsson Americas, Director for Security, wrote in a Monday blog post. “IT cybersecurity tools have capabilities to detect malware based on signature and behavioral similarities to other attacks in IT systems, but evolving APTs have moved beyond those approaches. For some time, attackers have moved to using system binaries, so-called living-off-the-land strategies.” 

They added that now the attacks are increasingly using a combination of unpatched vulnerabilities, valid credentials, identities, and system APIs. To defend against these threats in mobile networks, one needs an in-depth understanding of the target mobile assets.

Pietilä and Poretsky recognized that malicious cyber activity is a real and menacing threat. “Nation states sponsor APTs to develop and deploy sophisticated attack chains to reach their goals of reconnaissance, espionage, data exfiltration, unauthorized control, and/or disruption. Details of the attack can change as the adversary moves laterally with changing attack methods on changing targets in the network.”

They added that in 2024, networks faced substantial challenges due to APTs that specifically targeted telecom networks. Looking ahead, 2025 presents renewed risks as global crises could trigger new cyberattacks on critical infrastructure.

Two key approaches for defending against advanced persistent threats (APTs) are to implement industry best practices for hardening and continuous monitoring for visibility. These are accomplished in the Operations phase with an Ericsson cyber defense platform – the Ericsson Security Manager (ESM). The ESM tool helps mobile service providers operationalize security management as well as implement CISA guidance for hardening and securing against APTs.

ESM combines multiple data sources to provide visibility that enables a cyber defense solution across the identify, protect, detect, and respond functions. This approach integrates telecom threat intelligence, delivering insights into adversary objectives and tactics. It includes analysis of both known and potential attack paths by mapping tactics, techniques and procedures (TTPs) that could be used to reach those objectives. Underpinning this capability is Ericsson’s in-depth expertise in mobile network solutions, with a specific focus on identifying and protecting the key data that threat actors are most likely to target.

Typically, APTs have attacked telecom systems that contain or have access to subscriber data such as call data records, IMSIs, and authentication vectors. ESM has a range of capabilities to protect and secure this data. 

Ericsson has identified that a set of focused protective capabilities can significantly reduce the risk of exploitation by APTs. These capabilities provide a holistic defense for mobile network operators by leveraging telecom-specific threat intelligence and concentrating on the known objectives of threat actors, such as cyber espionage.

A key component of this approach is maintaining a security-focused asset inventory that has full visibility into all systems within the mobile network, including specialized interfaces and log sources. Interfaces are protected using Ericsson’s domain knowledge of the secure configurations required to prevent or limit attacker success.

Traffic encryption is safeguarded by managing associated configurations and automating certificate management to ensure consistent protection. Security and audit trail logs are comprehensively collected from across the network, and automated threat detection and correlation methods are applied to generate actionable insights tuned to system architecture and specific adversary goals.

The approach also includes sensor-based threat detection deployed in a layered, defense-in-depth strategy. Crucially, it enables the detection of specialized tactics, techniques, and procedures used by attackers to access sensitive systems and data. This includes identifying threats like ‘bpfdoor’ malware and other stealthy, living-off-the-land techniques commonly used in targeted intrusions.

“Threat actors from cyber criminals to nation-state sponsored APTs are targeting mobile networks worldwide. With ESM, Ericsson offers the critical capabilities required to defend against these threat actors,” according to Pietilä and Poretsky. “Ericsson cyber defense solutions offer tools to operationalize security management in order to effectively mitigate APTs in mobile networks.” 

They added that managing security configurations together with early detection of APTs prevents tactics such as initial access and lateral movement and gives the security team time to respond before data can be exfiltrated to attacker-controlled infrastructure. “With secure product and cyber defense solutions, Ericsson enables secure and resilient mobile networks based on the defendable architectures concept with security built in.”
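The correlation the blog describes, as an added example that is not Ericsson's or ESM's code: constructed audit events are chained into the tactic sequence the article names (a valid-credential login from a source never seen for that account, then a read of a subscriber-data store, then an outbound transfer outside the operator's address space). The account names, tables, address ranges and 30-minute window are all assumptions.

```python
# Added example, not code from Ericsson or ESM: correlate constructed audit
# events into initial_access -> collection -> exfiltration. A chain is reported
# as soon as two stages appear, so responders get time before data leaves.
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

@dataclass
class Event:
    ts: datetime
    kind: str          # "login", "db_read" or "net_out"
    user: str
    addr: str          # login source, or net_out destination
    detail: str = ""   # db_read: name of the data store

# Constructed baseline of where each operations account normally logs in from.
KNOWN_SOURCES = {"ops_admin": {"10.10.1.5"}, "hss_batch": {"10.10.2.7"}}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed operator range
SUBSCRIBER_STORES = {"hss_profiles", "cdr_archive", "auth_vectors"}
WINDOW = timedelta(minutes=30)

def correlate(events):
    """Return [(user, [stages])] for accounts whose events form a chain."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    hits = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e.kind != "login" or e.addr in KNOWN_SOURCES.get(user, set()):
                continue             # chains start at an anomalous-source login
            stages = ["initial_access"]
            for f in evs[i + 1:]:
                if f.ts - e.ts > WINDOW:
                    break
                if f.kind == "db_read" and f.detail in SUBSCRIBER_STORES \
                        and "collection" not in stages:
                    stages.append("collection")
                elif f.kind == "net_out" and "collection" in stages \
                        and ipaddress.ip_address(f.addr) not in INTERNAL \
                        and "exfiltration" not in stages:
                    stages.append("exfiltration")
            if len(stages) >= 2:
                hits.append((user, stages))
    return hits

T = datetime(2025, 1, 15, 2, 0)
SAMPLE = [  # constructed events; only ops_admin completes a chain
    Event(T, "login", "hss_batch", "10.10.2.7"),
    Event(T + timedelta(minutes=1), "db_read", "hss_batch", "10.10.2.7", "hss_profiles"),
    Event(T + timedelta(minutes=5), "login", "ops_admin", "10.10.9.44"),
    Event(T + timedelta(minutes=6), "login", "noc_user", "10.10.9.50"),
    Event(T + timedelta(minutes=9), "db_read", "ops_admin", "10.10.9.44", "auth_vectors"),
    Event(T + timedelta(minutes=20), "net_out", "ops_admin", "203.0.113.9"),
]
```

Running `correlate(SAMPLE)` reports only `ops_admin` with all three stages; the routine batch job from its usual host and the lone unusual login by `noc_user` stay below the reporting threshold.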

This week, new Cyble data revealed that hacktivists are escalating their campaigns against critical infrastructure, moving beyond basic DDoS (distributed denial of service) and defacement tactics to more advanced intrusions and data breaches. In the second quarter of this year, ICS (industrial control system) attacks, data leaks, and access-based intrusions made up 31 percent of hacktivist activity, up from 29 percent in the first quarter. Notably, Russia-linked groups lead hacktivist ICS attacks.

Maria Cantwell, a Democratic Senator from Washington, demanded answers last month from AT&T and Verizon following the Chinese-linked ‘Salt Typhoon’ cyber operation. She is calling for a full account of the breach and its impact on their networks. Although Salt Typhoon infiltrated major U.S. telecom infrastructure, including systems at AT&T and Verizon in December 2024, both companies asserted that their networks remained secure.