Invisible occupation of telecom networks by APT actors

A new phase of cyber conflict is emerging— one that does not involve loud attacks or immediate destruction, but quiet infiltration and long-term presence. Across continents, telecom operators are being targeted by advanced persistent threat (APT) groups aligned with state interests. These are not random hacks driven by financial motives, but part of broader strategic efforts to silently embed within critical communications infrastructure, especially in telecommunications.

Rather than deploying easily detectable malware, many of these operations employ techniques that utilise legitimate system tools and processes to maintain control without raising suspicion. This approach, often referred to as “Living off the Land” (LOTL), enables attackers to blend in with normal operations, evade detection, and remain undetected within systems for years. In some cases, there is no obvious breach indicator—no unfamiliar files, no malicious processes—just an adversary who has become part of the system.

In a post-malware era, attackers no longer need to plant code—they utilise what is already in the system, thereby becoming indistinguishable from legitimate users.

BPFDOOR AND THE CASE OF SK TELECOM

One recent case that has drawn attention is the intrusion at South Korea's largest mobile network operator, SK Telecom (SKT). According to official investigations, SKT was compromised by a Linux-targeting malware known as BPFDoor, believed to be linked to China-aligned threat actors. The malware is notable not only for its technical design but for its apparent ability to remain hidden for extended periods, possibly infiltrating SKT’s systems as early as 2021. While SKT itself is not the centre of global concern, the case is a concrete example of how APT actors operate: not to make headlines, but to establish quiet, persistent access.