Rapid7 Labs Identifies State-Sponsored Sleeper Cells Embedded in Global Telecommunications Networks

Research reveals long-term espionage access inside telecommunications infrastructure with implications for government communications and critical systems

Rapid7, Inc. | March 26, 2026

BOSTON, March 26, 2026 (GLOBE NEWSWIRE) -- Rapid7 (NASDAQ: RPD), a global leader in AI-powered managed cybersecurity operations, released findings from a months-long research investigation from Rapid7 Labs, “Sleeper Cells in the Telecom Backbone,” detailing a sustained espionage campaign conducted by a China-nexus threat actor, Red Menshen, with covert access inside global telecommunications infrastructure.

The research highlights a shift from opportunistic intrusion to deliberate, long-term pre-positioning inside telecommunications networks. These “sleeper cells” are designed to remain undetected while providing persistent visibility into subscriber activity, signaling systems, and sensitive communications—enabling ongoing intelligence collection across environments that support government, commercial, and critical infrastructure operations.

“If you have access to telecommunications infrastructure, you are not just inside one company, you are operating close to the communication layer of entire populations, which makes this type of access highly valuable and elevates detection to a national-level concern,” said Raj Samani, chief scientist at Rapid7. “The activity we are seeing continues to evolve in ways that improve stealth and persistence, and organizations should treat detection as the start of investigation, not the end of it.”

The research also identifies critical visibility gaps into persistence at the kernel and packet-filtering layers. Without insight into these areas, service masquerading and stealth activation techniques can remain undetected for extended periods. Organizations must have preemptive detection strategies that identify unusual service masquerading and stealth activation mechanisms before they can be leveraged for high-level intelligence collection.

Key findings:

- Persistent access in telecommunications infrastructure: Rapid7 Labs identified coordinated activity establishing long-term, dormant footholds within global telecommunications environments.
- Kernel-level stealth using BPFdoor: The campaign uses a Linux kernel-level backdoor that operates without opening ports or generating typical beaconing activity, limiting visibility for traditional endpoint an...
