State-Sponsored Cyberattacks: T-Mobile, Singtel Breaches & AI/ML in Telecom Security

Telecommunications are a vital part of modern society. Beyond their role in communication, they enable the global economy, facilitate the delivery of critical services like healthcare and education, and ensure national security. With the advent of 5G technology, the stakes have only risen, offering both opportunities and vulnerabilities. State-sponsored cyberattacks, such as those carried out by nation-state-backed groups like China’s Salt Typhoon, not only target telecom providers but also threaten the stability of entire nations. These advanced cyber-espionage campaigns raise significant concerns, highlighting the growing role of artificial intelligence (AI) and machine learning (ML) in such attacks.

T-Mobile and Singtel Breaches

The breaches at T-Mobile and Singtel highlight the evolving sophistication of state-sponsored cyberattacks. Both telecom providers were infiltrated by the Salt Typhoon group, a hacking collective believed to be backed by the Chinese government. This campaign demonstrates a shift in the nature of cyber warfare, from financial theft to targeted espionage and long-term infiltration of telecom networks.

T-Mobile Incident (2024)

In November 2024, T-Mobile became one of several U.S. telecom providers compromised by the Salt Typhoon group. Hackers exploited vulnerabilities in Cisco routers, commonly used across telecom systems worldwide, to gain access to sensitive data such as call logs, text messages, and communication metadata. The breach is particularly concerning because the attackers targeted high-value individuals such as government officials and national security personnel. With this data, they could monitor communication patterns, identify strategic priorities, and possibly influence political decisions or destabilize national security.

This attack illustrates the growing strategic value of telecom networks as key targets for state-sponsored actors. Hackers were not simply stealing personal data—they were conducting cyber-espionage at a scale never seen before.

Singtel Attack (2024)

Singtel, Singapore’s largest telecom provider, also fell victim to Salt Typhoon’s campaign. Detected in June 2024, this breach targeted the core back-end routers, exploiting weaknesses to gain long-term access to critical infrastructure. The attackers deployed malware that was designed not to exfiltrate data immediately but rather to silently monitor and siphon information over an extended period. This approach is indicative of a larger, more calculated strategy: espionage rather than theft, indicating that the attackers were interested in obtaining long-term access to telecom data, including government and corporate communications.

Singtel’s breach underscores a significant challenge for global telecom infrastructure—attacks of this nature can affect not only the country of origin but also international partners, amplifying the global consequences of a single breach. Both T-Mobile and Singtel were targeted as part of a broader, international campaign, emphasizing the global interconnectedness of telecom infrastructure.

How AI and ML Are Amplifying the Threat

What makes these attacks particularly concerning is the growing role of AI and ML in enhancing cyber-espionage capabilities. These technologies allow attackers to automate and improve their methods, making it harder to detect and stop breaches. Here’s how AI and ML are playing a critical role in these attacks:

  1. Automated Vulnerability Detection: AI-driven tools can scan telecom systems for vulnerabilities much faster than humans, significantly speeding up the process of finding and exploiting weaknesses. Machine learning systems can adapt in real time, learning from each vulnerability and making it easier for attackers to exploit even the most complex systems before security teams can patch them. This rapid, automated detection is one of the key reasons why traditional security methods often fall short in defending against advanced persistent threats (APTs).
  2. Advanced Evasion Tactics: AI is also used to mimic legitimate network traffic, making malicious activity appear normal. This helps attackers evade traditional security systems that are not designed to spot subtle deviations in normal traffic patterns. As attackers refine their methods, it becomes harder for even the most sophisticated firewalls and intrusion detection systems to differentiate between legitimate and malicious traffic, leaving networks vulnerable to compromise.
  3. Optimized Data Extraction: Using ML algorithms, hackers can sift through vast amounts of data quickly and efficiently, pinpointing high-value targets for exfiltration. This rapid, intelligent data extraction minimizes the chances of detection, as attackers can extract sensitive information, such as communication logs or government intelligence, without triggering alerts. The use of ML enhances attackers’ ability to prioritize and streamline the theft of critical data, making it easier for them to gather intelligence while staying undetected.
  4. Adapting Attack Strategies: AI and ML allow attackers to adjust their strategies based on how security systems respond to their activities. If a defence mechanism blocks one approach, machine learning models can analyse the response and tweak the attack to bypass defences in future attempts. This persistent, adaptive behaviour makes these cyber-attacks not only harder to stop but also more resilient over time, increasing the stakes for cybersecurity.

Why Should the Global South Be Concerned?

While high-profile breaches like those of T-Mobile and Singtel may seem remote to countries in the Global South, the reality is that telecom networks in these regions are just as vulnerable—if not more so. Emerging economies in Asia, Africa, and Latin America are rapidly expanding their digital infrastructure, often without the robust security measures necessary to defend against sophisticated cyberattacks.

  • Technological Gaps in the Global South: In many countries of the Global South, the digital infrastructure is still in the process of being built. While telecom providers in developed nations are increasingly adopting advanced cybersecurity practices, many countries in the Global South face barriers such as a lack of skilled cybersecurity professionals, outdated systems, and limited resources for investing in cutting-edge technologies like AI/ML for cybersecurity. This technological gap makes them prime targets for cyber-espionage and ransomware attacks.
  • Global Interconnectedness and Ripple Effects: The interconnected nature of global telecom networks means that a breach in one country can have ripple effects across borders. For example, an attack on a telecom provider in one country could spread to neighbouring countries with shared network infrastructure, affecting entire regions. The WannaCry ransomware attack of 2017, which spread globally and affected critical infrastructure in the Global South, serves as a reminder of how interconnected and vulnerable telecom networks are to cyber threats.
  • Economic and Development Risks: Telecom infrastructure is critical for the economic development of emerging nations. Attacks on telecom networks can have a crippling effect on local economies by disrupting communication, e-commerce, and essential services. Moreover, these disruptions could reverse the progress made in digital inclusion and hinder the development of key industries such as education, healthcare, and government services.

What Can Be Done to Protect Telecom Infrastructure?

As cyberattacks grow more sophisticated, especially with state-backed actors using AI and ML, telecom providers in the Global South must take focused, actionable steps to safeguard their networks. Here are some specific measures that can help defend against these threats:

  1. Implement AI-Driven Threat Detection: Traditional security tools often fall short when facing AI-powered attacks. AI-powered network monitoring systems that continuously analyse traffic patterns for anomalies can quickly identify and flag unusual activity. For example, machine learning models can be trained to detect patterns of movement that suggest lateral attacks (when hackers move across a network once they’ve gained access). This allows for immediate identification of even the most subtle attacks.
     • Specific Action: Implement AI tools that monitor real-time network traffic, specifically looking for subtle deviations in data flow that indicate hackers are exploiting vulnerabilities.
     • Example: Use AI-driven Intrusion Detection Systems (IDS) to automatically spot abnormal traffic patterns, especially around high-value targets.
  2. Enforce Zero Trust Security with Micro-Segmentation: The Zero Trust model ensures that every user and device is verified before being allowed to access any part of the network. But to make this effective, telecom networks need to be micro-segmented—broken into smaller, isolated sections. This limits the potential damage if one part of the system is compromised.
     • Specific Action: Divide your network into segments based on the sensitivity of the data they handle. For instance, core infrastructure systems should be separate from general user data systems.
     • Example: Use Network Access Control (NAC) systems to enforce strict access policies and ensure only authorized personnel or devices can access sensitive segments.
  3. Rapid Patch Management and Automated Updates: One of the primary ways hackers breach networks is by exploiting known vulnerabilities. Telecom providers need a rapid patch management process, especially for critical components like routers, switches, and firewalls. With AI-driven tools, patching can be automated and prioritized based on the risk level of the vulnerability.
     • Specific Action: Use AI-powered tools to scan for and automatically apply patches to high-risk systems that hackers often target.
     • Example: Implement Automated Vulnerability Management (AVM) platforms that prioritize patching of systems with known vulnerabilities and enforce immediate updates when threats are identified.
  4. End-to-End Encryption with Advanced Key Management: Encryption is essential for protecting sensitive data in transit and at rest. Even if attackers manage to infiltrate the network, encrypted data is difficult to read. However, encryption alone isn’t enough—advanced key management solutions are needed to ensure that encryption keys are securely stored and rotated regularly.
     • Specific Action: Implement end-to-end encryption across the entire telecom network and use advanced key management solutions to rotate encryption keys frequently.
     • Example: Adopt Public Key Infrastructure (PKI) systems that support secure key management and ensure encryption keys are not exposed to unauthorized access.
  5. Behavioural Analytics and Insider Threat Detection: Many attacks don’t come from outside but from insiders—employees or contractors with legitimate access. User and Entity Behaviour Analytics (UEBA) powered by AI can detect abnormal user behaviours, such as unusual logins, data access patterns, or attempts to access restricted systems.
     • Specific Action: Deploy UEBA tools that learn what normal employee behaviour looks like and can immediately flag suspicious actions like large data downloads or unauthorized access attempts.
     • Example: Use AI-powered UEBA systems to detect unusual login attempts or data access by employees who don’t typically interact with sensitive data.
  6. Cross-Border Collaboration and Threat Intelligence Sharing: Telecom providers in the Global South must work together—across borders—to share threat intelligence and best practices. Establishing regional cybersecurity alliances can help smaller countries pool resources and develop collective defence strategies against state-sponsored threats.
     • Specific Action: Join regional cybersecurity forums or create partnerships with other telecom providers in the region to share insights on emerging threats and coordinate responses to cyberattacks.
     • Example: Participate in or create a Cybersecurity Information Sharing and Analysis Center (ISAC) within the region to exchange real-time threat intelligence and collaborate on defence strategies.
  7. Regular Red Team Exercises and Simulated Attacks: Regular Red Team exercises, where ethical hackers simulate real-world attacks, can help identify vulnerabilities in a telecom network. By using AI-based simulations of advanced persistent threats (APTs), telecom providers can improve their response strategies.

Conclusion

The rising threat of state-sponsored cyberattacks targeting telecom networks is a global issue that requires urgent action. As AI and ML technologies continue to evolve, both attackers and defenders must adapt their strategies to stay ahead. For telecom providers in the Global South, the risks are particularly acute, as they are rapidly expanding their digital infrastructure without the resources to fully defend against sophisticated attacks. By implementing AI-driven detection systems, embracing Zero Trust security models, and fostering cross-border collaboration, the Global South can begin to strengthen its defences against these advanced cyber threats. The time to act is now—securing telecom infrastructure is not just about protecting data but ensuring the future of national security and economic stability in an interconnected world.

Raditio Ghifiardi
Raditio Ghifiardi is an acclaimed IT and cybersecurity professional and a future transformative leader in AI/ML strategy. He is an expert in IT security, a speaker at global and international conferences, and a driver of innovation and compliance in the telecom and banking sectors, renowned for advancing industry standards and implementing cutting-edge security solutions and frameworks.