Protecting our networks from interconnectivity threats

By Erez Sverdlov, Vice President of Nokia’s Cloud and Network Services in Europe

Mobile networks have never been more connected. Phones work almost anywhere, allowing customers to switch seamlessly between countries and networks. This interconnectivity makes roaming work, keeps global commerce running and enables everything from mobile banking to international calls. But with greater interconnectivity comes greater exposure. Every connection to another network is a possible entry point for attack, and those entry points are multiplying day by day.

In the past year alone, networks have faced everything from ransomware and data leaks to large-scale DDoS campaigns that use residential proxies and rapidly shifting IPs to overwhelm over 1,000 targets simultaneously. Moreover, attackers are now using AI and automation to launch faster, more targeted assaults that blend into legitimate traffic and react on the fly to mitigation efforts. We have seen a rise in cyberattacks across the telecom sector, ranging from social engineering attacks that take entire services offline to malware hidden in roaming protocols that evades detection for weeks.

Unfortunately, mobile operators aren’t all operating at the same level of security. Some networks still rely on legacy protocols such as SS7, which were originally built on trust between operators and designed before cybercrime became a commercial enterprise. Around 3.9 billion subscribers are still connected to systems where SS7 is in play, and that’s a large enough surface for attackers to work with.

Roaming: the under-recognised vulnerability

Roaming makes it possible to stay connected while moving between countries. It depends on shared signalling protocols and long-standing agreements between operators. But those same elements also introduce blind spots. Legacy compatibility often forces networks to maintain support for older, less secure protocols even after upgrading to newer standards.

That creates opportunities for attackers who understand how to exploit these gaps. By accessing one vulnerable partner, they can pivot into more secure environments, masking their activity within traffic flows that appear legitimate. Threats like GTPDOOR – malware that hides communications within standard GTP-C signalling – are engineered to entirely bypass traditional defences.

These vulnerabilities are even more apparent in roaming environments, where signalling has to pass between multiple operators and often across borders. It creates a gap in visibility, giving attackers more opportunities to hide malicious activity within otherwise legitimate traffic.

The need for proactive threat discovery

Telecom operators have long relied on intrusion detection systems to help flag suspicious activity. These tools look for known threat patterns or unexpected behaviour in the network. They’re a key part of the toolkit, but they often catch issues after the fact, when the damage may already be done.

What’s needed is an approach that moves earlier in the timeline. Threats in inter-roaming environments don’t always show up until later stages. By the time unusual patterns are flagged, the attacker may already be embedded. Proactive threat discovery can surface early indicators that something isn’t right, even if no known signature is matched or baseline thresholds are breached.

Operators are increasingly turning to frameworks like the GSMA’s Mobile Threat Intelligence Framework (MoTIF) to better understand how attackers operate across mobile networks, from 2G to 5G. This structured approach breaks down threats such as fraud, spoofing and signalling abuse, helping security teams align detection methods and coordinate faster, more consistent responses.

At the same time, security operations centres are under growing pressure. A report we conducted recently has shown that with 360,000 incidents a year, triage can quickly become a bottleneck. In fact, without smart tools to cut through the noise, some threats slip through the cracks—or are only picked up after they’ve caused harm.

AI’s evolving role in telecom security

Threat actors are increasingly using Generative AI to mount sophisticated attacks faster and on a larger scale. Tools that once required technical expertise, like malware generation, phishing lure creation or mid-attack adaptation, are now widely accessible, increasing the frequency and sophistication of attacks on telecom networks. In response, CSPs are also exploring GenAI to reduce incident response time and improve detection by enhancing analysis across their SOCs. It’s an AI race playing out in real time, and the side with faster, more adaptive tools has the advantage.

For instance, AI has become a core part of threat detection, particularly in environments with large volumes of data and complex interactions. AI models can scan telemetry, identify subtle deviations and correlate signals across feeds that would otherwise remain siloed. This improves detection accuracy while cutting down on false positives.

It also supports automated responses. When an anomaly is detected, AI can trigger containment steps, blocking suspect traffic, isolating affected systems or launching custom mitigation workflows. This reduces the pressure on SOC teams and accelerates recovery.

The threat environment itself is evolving. Distributed denial-of-service (DDoS) attacks have surged, with traffic volumes rising 166% in the past year, and many of these now use adaptive techniques. Instead of fixed vectors, attackers shift tactics mid-attack, responding in real time to defence filters. In addition, 60% of all DDoS traffic in 2024 came from botnets, and residential proxies are also being abused at scale, giving attackers access to millions of seemingly clean IP addresses.

Groups such as Killnet and NoName057(16) have been actively exploiting these tools to launch low-volume but high-impact attacks on telecoms infrastructure, often with geopolitical motives. Their tactics rely on being one step ahead, and the only way to match that pace is with real-time intelligence and autonomous decision support.

Don’t mistake telecom security for IT security

Another issue is the misconception that general enterprise security tools are enough for telcos. But telecom networks are fundamentally different. While IT systems deal with apps, endpoints and data centres, telecom infrastructure includes signalling protocols like Diameter and GTP, multi-vendor network functions, and millions of connected devices across the core, RAN and transport layers.

A firewall or endpoint detection tool designed for IT might miss threats hidden in signalling traffic or fail to respond fast enough to preserve network availability. Purpose-built telecom defences, such as mission-critical EDR, telco-specific XDR and packet-aware intrusion prevention, are needed to maintain performance and detect attacks that target services like roaming, VoLTE or 5G slicing.

These tools must also align with telecom-specific regulations and standards, such as 3GPP and NIS2, which require incident disclosure within 24 hours. As the regulatory bar rises, the consequences for falling short are hitting organisations harder than ever. For example, under the UK Telecom Security Act, non-compliance can trigger fines of up to 10% of global turnover, or £100,000 per day.

Quantum-safe security

While many of today’s threats demand immediate attention, there’s growing awareness of risks that will shape the security landscape in the near future. One of the most significant risks is the potential impact of quantum computing on the confidentiality of network traffic and subscriber data.

Quantum computing is already influencing how telecom providers approach long-term data security. Data that’s encrypted today could be stored and decrypted later as quantum capabilities develop. In fact, there is an 11% likelihood that RSA-2048 encryption could be broken within five years, rising to over 31% within ten. This matters for infrastructure that handles sensitive or long-lived data, such as signalling, roaming and subscriber records. As a result, telecom operators are starting to adopt quantum-safe cryptography to protect against future decryption risks. Analysts estimate the post-quantum cryptography market will double by 2028 to US$530 million, reflecting a growing shift toward practical planning rather than waiting for the threat to fully emerge.

Getting ahead of this risk means reviewing how data moves across networks, particularly where interoperability, vendor diversity or legacy systems increase exposure. This includes identifying where current cryptographic protections may fall short in the years ahead. Telecom networks support not only personal and business communications, but also critical services tied to national infrastructure. That puts them in scope for attackers with long-term objectives. Preparing now gives operators more flexibility to upgrade systems gradually, rather than under pressure when quantum threats become immediate.

A mindset shift

The tools to defend against today’s threats are changing. Signature-based detection is still part of the picture, but it’s no longer enough on its own. What’s gaining ground is a mix of pattern-based analysis, automation that can act in real time, and closer coordination across networks.

Attackers are working together, and defence strategies need to match that pace. Shared threat intelligence, frameworks like MoTIF and tighter links between AI tools and operational teams are helping organisations shift from reacting after the fact to taking a more active, joined-up approach.

There is a good reason for that. Recent trends show just how varied and fast-moving these threats have become. In North America, some telecom operators have faced ransomware campaigns that may be linked to state-sponsored groups. In East Asia, several data leaks were caused by accidental exposure rather than targeted attacks. In Western Europe, there’s been a rise in both espionage and financially driven breaches. Across the board, DDoS attacks are becoming harder to manage—13% of carpet-bombing attacks in 2024 targeted 256 or more IP addresses, with nearly 3% hitting over 1,000.

New technologies are adding pressure on both sides. Generative AI is being used to develop faster, more tailored attacks, but it’s also helping defenders cut response times and prioritise incidents more effectively. Quantum computing is also part of the picture. As it moves closer to practical use, concerns around how to secure networks against future threats are growing. The market for post-quantum cryptography is expected to reach $246 million this year, driven by the need to protect sensitive data before these threats become a reality.

This is less about a tactical upgrade and more about a strategic realignment. Networks are growing more complex, threats are becoming more targeted, and regulations are demanding faster action. Building a security posture that can keep pace means embedding intelligence into every layer – proactively, collaboratively and at scale.
