Nokia warns of stealth intrusions, record DDoS attacks, and cryptographic pressure on critical networks: defense relies on AI, telemetry, and “crypto-agility”

The most sensitive networks — from telecommunications to emergency services — are facing a phase shift in cyber threats. A new study by Nokia sets the bar higher: almost 2 out of 3 operators have experienced at least one “living off the land” attack — intrusions that abuse legitimate system tools to camouflage themselves — and 32% admit four or more incidents of this kind in the past 12 months. Meanwhile, terabit-scale DDoS attacks occur five times more often than before, with higher peaks, driven by millions of insecure IoT devices and botnets hiding behind residential proxies. To make matters worse, 37% of DDoS attacks end in less than two minutes, requiring automated detection and response.

The report, released from Espoo (Finland), depicts a landscape where 4% of the world’s home connections are compromised, serving — knowingly or unknowingly — as attack platforms. In response to this rising volume and sophistication, more than 70% of telecom security managers already prioritize threat analytics based on AI/ML, and more than half plan AI deployments for detection within the next 18 months.

Kal De, Senior Vice President of Product & Engineering at Cloud and Network Services (Nokia):
“Connectivity fuels everything from public safety and financial transactions to digital identity. We’ve seen attacks reaching legal interception systems, exposing sensitive subscriber data, and disrupting emergency services. The industry must counter with shared threat intelligence, AI/ML-driven detection and response, and crypto-agility, turning interconnection from a vulnerability into resilience.”

“Silent” intrusions and flash DDoS: why the reaction window is shrinking

Living off the land (LotL) attacks are characterized by avoiding visible malware and leveraging system tools and binaries — PowerShell, WMI, network utilities — to move laterally, extract data, or prepare sabotage. For blue teams, detecting anomalies amid legitimate activity raises the forensic bar and demands high-granularity telemetry, behavior models, and real-time correlation.
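The detection problem described above (legitimate tools, so the signal has to come from behaviour rather than file signatures) can be illustrated with a small behaviour-model detector. This is an added example, not code from the Nokia report: the process-creation events, host names, tool list and business-hours window are all constructed for illustration, and the baseline is built from the same events for simplicity (in production it would come from a prior training window).

```python
"""Toy behaviour-model detector for living-off-the-land (LotL) activity.

Added example, not from the Nokia report. Events, hosts, users and
thresholds below are constructed; the scoring rules are illustrative.
"""
from collections import defaultdict
from datetime import datetime

# Dual-use administrative tools: normal for admins, worth baselining per host/user.
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "net.exe", "certutil.exe", "bitsadmin.exe"}
# Parents that normally launch admin tools during interactive sessions.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}

# Constructed process-creation events: (timestamp, host, user, parent image, image).
EVENTS = [
    ("2024-05-01T09:12:00", "core-ops-01", "admin.lee", "explorer.exe", "powershell.exe"),
    ("2024-05-01T09:15:00", "core-ops-01", "admin.lee", "explorer.exe", "net.exe"),
    ("2024-05-01T10:02:00", "core-ops-01", "admin.lee", "explorer.exe", "powershell.exe"),
    ("2024-05-02T03:41:00", "billing-db-07", "svc_backup", "w3wp.exe", "powershell.exe"),
    ("2024-05-02T03:42:00", "billing-db-07", "svc_backup", "powershell.exe", "wmic.exe"),
    ("2024-05-02T11:00:00", "core-ops-02", "admin.lee", "explorer.exe", "powershell.exe"),
]


def build_baseline(events):
    """Count how often each (host, user, parent, image) combination has been seen."""
    counts = defaultdict(int)
    for _, host, user, parent, image in events:
        counts[(host, user, parent, image)] += 1
    return counts


def score_event(event, baseline, business_hours=(7, 19)):
    """Return (score, reasons) for one event; each independent anomaly adds one point."""
    ts, host, user, parent, image = event
    if image not in ADMIN_TOOLS:
        return 0, []
    reasons = []
    if baseline.get((host, user, parent, image), 0) <= 1:
        reasons.append("first-seen tool/parent/user combination on this host")
    if parent not in INTERACTIVE_PARENTS:
        reasons.append(f"launched by non-interactive parent {parent}")
    if parent in ADMIN_TOOLS:
        reasons.append("admin tool chained from another admin tool")
    hour = datetime.fromisoformat(ts).hour
    if not business_hours[0] <= hour < business_hours[1]:
        reasons.append("outside business hours")
    return len(reasons), reasons


def detect(events, threshold=2):
    """Correlate the per-event anomalies and alert when two or more coincide."""
    baseline = build_baseline(events)
    alerts = []
    for event in events:
        score, reasons = score_event(event, baseline)
        if score >= threshold:
            alerts.append({"host": event[1], "user": event[2], "image": event[4],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The point of the threshold is that no single rule is an alert on its own: an admin running PowerShell from Explorer during the day scores zero, while the same binary spawned by a web-server worker at 03:41 on a database host, and then chaining into another admin tool, accumulates enough independent anomalies to be worth an analyst's time. Tuning happens on the per-host baseline and the threshold, not on tool names.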

On the DDoS front, the elasticity of cloud platforms and widespread access to cheap traffic via residential proxies enable attacks with peaks over 10 Tbps and short durations (“burst and flee”) aiming to saturate links or edge infrastructure before traditional mechanisms — scrubbing centers, blacklists, rate-limits — can respond effectively.

Jeff Smith, Vice President and General Manager of Nokia Deepfield:
“With industrialized attack tools, millions of insecure IoT endpoints, and botnets leveraging residential proxies, operators must act now to protect assets and customers from massive, complex, and highly variable DDoS attacks over 10+ terabits. Security can’t be an afterthought: DDoS protection must be embedded within the network to ensure continuity of critical functions.”

Cryptography under pressure: moving toward “crypto-agility”

The study also highlights the rise in cryptographic demands — more encrypted traffic, increased use of TLS 1.3, perfect forward secrecy, and preparations for a post-quantum future. The crypto-agility Nokia advocates entails the ability to rotate algorithms, keys, and suites swiftly when vulnerabilities emerge or regulatory requirements change — without taking services offline or manually reconfiguring each node. In operator networks, this challenge is tangible: legacy devices, multiple administrative domains, and critical 24/7 services constrain maintenance windows and increase dependencies.
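To make the crypto-agility idea concrete, here is an added example (not Nokia's code) of a policy-driven suite registry for signed tokens: which suite signs new data, which suites are still accepted, and which key ids exist live in one policy object, so a rotation or deprecation is a policy change rather than an edit on every node. The suite names, key ids, token format and secrets are assumptions; only the standard library's `hmac` and `hashlib` are used.

```python
"""Crypto-agility in miniature: versioned suites and keys behind one policy.

Added example, not from the Nokia report. Suite names, key ids, secrets and
the token layout "suite.kid.payload.mac" are constructed for illustration.
"""
import base64
import binascii
import hashlib
import hmac


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Suite registry: a new algorithm is one entry here, not a per-node change.
SUITES = {
    "hs256": hashlib.sha256,
    "hs384": hashlib.sha384,
    "hs512": hashlib.sha512,
}


class CryptoPolicy:
    """Current signing suite/key, accepted suites, and the key ring."""

    def __init__(self, sign_suite, sign_kid, keys):
        self.sign_suite = sign_suite
        self.sign_kid = sign_kid
        self.keys = dict(keys)          # key id -> secret
        self.accepted = {sign_suite}    # suites that verification still honours

    def sign(self, payload: bytes) -> str:
        # The suite and key id are part of the MACed header, so a verifier
        # cannot be tricked into checking the MAC under a different suite.
        header = f"{self.sign_suite}.{self.sign_kid}.{_b64(payload)}"
        mac = hmac.new(self.keys[self.sign_kid], header.encode(), SUITES[self.sign_suite]).digest()
        return f"{header}.{_b64(mac)}"

    def verify(self, token: str):
        try:
            suite, kid, payload_b64, mac_b64 = token.split(".")
            mac = _unb64(mac_b64)
        except (ValueError, binascii.Error):
            return False, "malformed"
        if suite not in SUITES:
            return False, "unknown suite"
        if suite not in self.accepted:
            return False, "suite not accepted"
        key = self.keys.get(kid)
        if key is None:
            return False, "unknown key id"
        expected = hmac.new(key, f"{suite}.{kid}.{payload_b64}".encode(), SUITES[suite]).digest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad mac"
        return True, "ok"

    def rotate(self, new_suite, new_kid, new_key):
        """New signatures use the new suite/key; existing tokens stay verifiable."""
        self.keys[new_kid] = new_key
        self.sign_suite, self.sign_kid = new_suite, new_kid
        self.accepted.add(new_suite)

    def deprecate(self, suite, kids=()):
        """Stop accepting a suite (and optionally retire its keys) once migration is done."""
        self.accepted.discard(suite)
        for kid in kids:
            self.keys.pop(kid, None)


def rotation_walkthrough():
    """Run a rotate-then-deprecate cycle and record what verification says at each step."""
    policy = CryptoPolicy("hs256", "k1", {"k1": b"constructed-secret-1"})
    old = policy.sign(b"subscriber=12345")
    results = {"before_rotation": policy.verify(old)[1]}

    policy.rotate("hs512", "k2", b"constructed-secret-2")   # no downtime: both suites accepted
    new = policy.sign(b"subscriber=12345")
    results["old_after_rotation"] = policy.verify(old)[1]
    results["new_suite"] = new.split(".")[0]
    # Relabelling the new token as hs256 fails because the suite is authenticated.
    results["relabelled"] = policy.verify("hs256." + new.split(".", 1)[1])[1]

    policy.deprecate("hs256", kids=["k1"])                  # migration window closed
    results["old_after_deprecation"] = policy.verify(old)[1]
    results["new_after_deprecation"] = policy.verify(new)[1]
    return results


if __name__ == "__main__":
    for step, outcome in rotation_walkthrough().items():
        print(f"{step}: {outcome}")
```

Two design choices carry the security weight: the suite identifier is inside the MACed header, so an accepted-but-weaker suite cannot be substituted for the one a token was issued under, and deprecation is a separate, later step from rotation, which is what lets old tokens keep verifying during the migration window without keeping the weak suite alive forever.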

AI, but with data: from buzzword to detection engineering

That more than 70% of security leaders in telco prioritize AI/ML reflects a consensus: as volume, speed, and variety of events grow, manual inspection and static rules don’t scale. Transitioning from prototype to value, however, requires:

  • Labeled, updated datasets (shared threat intelligence among operators and vendors).
  • Explainable and auditable models, especially in regulated environments and critical infrastructure.
  • Integration with automation (closed-loop) to orchestrate mitigation within seconds — e.g., selective blackholing, diversion to scrubbing, route coefficient adjustments, BGP FlowSpec filters activation.
  • Unified observability (deep flow telemetry, DPI sampling, QoS metrics) to distinguish noise from actual impact on critical services (emergencies, banking, digital identity).

The fact that 37% of DDoS attacks complete in less than two minutes is the most compelling operational indicator: defenses must be proactive and pre-positioned. In other words, the time to think has already passed; detection, decision, and action must happen in seconds.
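The closed-loop idea in the list above (flow telemetry in, a mitigation decision out within seconds) can be shown end to end on constructed data. This is an added example, not Nokia Deepfield code: the flow record layout, the 5-second window, the thresholds, and the FlowSpec-style rule text are assumptions chosen for illustration. The traffic is generated deterministically: steady HTTPS traffic to one address, then a ten-second UDP/53 burst from 500 sources starting at t=30 s.

```python
"""Sliding-window volumetric detector with a closed-loop mitigation decision.

Added example, not from the Nokia report. Flow records, window size,
thresholds and the rule text are constructed for illustration.
"""
from collections import defaultdict
from statistics import median

WINDOW_SECONDS = 5
ABSOLUTE_FLOOR_BPS = 100_000_000   # assumed: never alert below 100 Mbps
RATIO_OVER_BASELINE = 5            # assumed: alert at >= 5x the recent baseline
MIN_HISTORY = 3                    # windows of history needed before alerting
HISTORY_LEN = 12                   # baseline uses the last 12 clean windows
SINGLE_VECTOR_SHARE = 0.8          # one proto/port carrying >= 80% -> surgical rule


def constructed_flows():
    """Constructed flow records (t_sec, src, dst, proto, dport, bytes), as a collector would emit."""
    flows = []
    victim = "203.0.113.10"
    for t in range(40):
        for i in range(10):                       # steady HTTPS from ten clients
            flows.append((t, f"198.51.100.{i + 1}", victim, 6, 443, 120_000))
    for t in range(30, 40):                       # ten-second UDP/53 burst, 500 sources
        for i in range(500):
            flows.append((t, f"100.64.{i // 256}.{i % 256}", victim, 17, 53, 60_000))
    return flows


def aggregate(flows, window=WINDOW_SECONDS):
    """Bucket flows into (window index, destination) with bytes, sources and vectors."""
    agg = {}
    for t, src, dst, proto, dport, nbytes in flows:
        entry = agg.setdefault((t // window, dst),
                               {"bytes": 0, "srcs": set(), "vectors": defaultdict(int)})
        entry["bytes"] += nbytes
        entry["srcs"].add(src)
        entry["vectors"][(proto, dport)] += nbytes
    return agg


def decide_mitigation(dst, entry, baseline_bps):
    """Pick a surgical FlowSpec-style limit if one vector dominates, else divert to scrubbing."""
    top_vector, top_bytes = max(entry["vectors"].items(), key=lambda kv: kv[1])
    if top_bytes / entry["bytes"] >= SINGLE_VECTOR_SHARE:
        proto, dport = top_vector
        return {"action": "flowspec-rate-limit",
                "match": f"dst {dst}/32 proto {proto} dport {dport}",
                "limit_bps": int(baseline_bps)}
    return {"action": "divert-to-scrubbing", "prefix": f"{dst}/32"}


def detect(flows, window=WINDOW_SECONDS):
    """Walk windows in time order; alert on volume spikes and keep the baseline clean."""
    agg = aggregate(flows, window)
    history = defaultdict(list)
    alerts = []
    for win, dst in sorted(agg):
        entry = agg[(win, dst)]
        bps = entry["bytes"] * 8 / window
        hist = history[dst]
        if len(hist) >= MIN_HISTORY:
            baseline = median(hist)
            if bps >= ABSOLUTE_FLOOR_BPS and bps >= RATIO_OVER_BASELINE * baseline:
                alerts.append({"dst": dst, "window": win,
                               "detected_at_s": (win + 1) * window,
                               "bps": bps, "sources": len(entry["srcs"]),
                               "mitigation": decide_mitigation(dst, entry, baseline)})
                continue   # attack windows must not poison the baseline
        hist.append(bps)
        if len(hist) > HISTORY_LEN:
            hist.pop(0)
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_flows()):
        print(alert)
```

With a 5-second window the burst that starts at t=30 s is flagged when that window closes at t=35 s, and the decision (a per-destination UDP/53 rate limit pinned to the pre-attack baseline, rather than a blanket blackhole) is ready to push as a route policy immediately; the two things that keep it honest are the absolute floor, so a quiet prefix doubling from nothing does not trigger, and excluding alerting windows from the baseline, so a sustained attack does not become the new normal.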

Domestic IoT and “zombie” connections: the 4% feeding botnets

That about 4% of fixed home connections are compromised suggests a persistent breeding ground: routers with outdated firmware, cameras, and smart appliances with default passwords, along with a supply chain still failing to enforce secure default configurations. For operators, this vector calls for:

  • Cleanup campaigns (notifying and temporarily isolating infected customers).
  • Rate limiting policies and filters at residential edges based on attack patterns.
  • Over-the-air updates and hardening of managed CPE devices.
  • Labels and regulations urging manufacturers to adopt minimum cybersecurity standards for IoT devices.

From interconnection as risk to interconnection as resilience

The core message from Nokia — as expressed by Kal De — is to turn interconnection into defensive muscle: real-time threat exchange, AI-driven detection with multi-operator telemetry models, and flexible cryptographic capabilities. This path isn’t trivial: it requires standards, trust among competing entities, and governance mechanisms for sharing indicators without compromising privacy or competition. Yet, in terms of attack surface, it’s the only scalable option.

What operators and providers should do today

  1. Redesign “in-network” DDoS mitigation: distributed scrubbing, FlowSpec, surgical blackholing, automated orchestration, and rehearsed playbooks.
  2. Rich telemetry + live models: deep flow logs, BGP signaling, sFlow/NetFlow/IPFIX; models re-trained with IOCs and shared ground truth.
  3. Operational crypto-agility: inventory of algorithms, rotation plans, suite change rehearsals, and readiness for post-quantum.
  4. IoT hygiene: default segmentation, weak password blocking, forced CPE updates, customer notification campaigns.
  5. Two-minute drills: game-days focused on flash attacks; detection-mitigation goals within sub-60 seconds.

Highlighted quotes

  • Kal De (Nokia): “The industry must fight with shared intelligence, AI-driven detection and response, and crypto-agility, transforming interconnection from a weakness into resilience.”
  • Jeff Smith (Nokia Deepfield): “Operators must act now: 10+ Tbps DDoS and botnets with residential proxies demand embedded protection within the network.”

Company context

Nokia emphasizes its B2B focus: mobile, fixed, and cloud networks; intellectual property and Nokia Bell Labs’ research, celebrating 100 years. With open, high-performance architectures, the company highlights security, reliability, and sustainability to monetize use cases at scale.


Conclusion

Nokia’s report confirms what many cybersecurity teams perceive daily: more attacks, bigger and faster. With LotL hiding in plain sight and DDoS flooding networks with terabits in minutes, critical networks must shift from manual reaction to intelligent automation, moving security from a product to a network property. The concept of crypto-agility completes the triangle: detect, respond, and encrypt at the adversary’s pace.


Frequently Asked Questions (FAQ)

What is a “living off the land” (LotL) attack, and why is it concerning to telcos?
It’s an intrusion that exploits legitimate system tools (without obvious malware), making detection difficult and raising the forensic bar. In operator networks, with thousands of systems and permission sets, this camouflage is especially effective.

Why are 10+ Tbps DDoS attacks increasing in size but lasting so briefly?
The elasticity of cloud, residential proxies, and millions of insecure IoT devices enable massive, short burst attacks that aim to saturate infrastructure before traditional defenses — scrubbing centers, blacklists, rate-limiting — can respond.

What does “crypto-agility” mean for a critical network?
The ability to rotate algorithms, keys, and suites — even toward post-quantum options — without service interruption, enabling rapid response to vulnerabilities or regulatory changes.

How can an operator prepare for DDoS attacks that conclude in 2 minutes?
With automated detection and mitigation (closed-loop) that is pre-positioned: distributed scrubbing, FlowSpec, selective blackholing, rich telemetry, and action goals within sub-60 seconds. Running game-days focused on quick-response scenarios helps reduce actual response times.

via: nokia
