Protei Cyberattack Exposes DPI/SORM Vendor Risks for Global Telecom Operators

CyberSecureFox 🦊

An extensive cybersecurity incident has reportedly hit international telecom solutions vendor Protei, with an unknown hacking group claiming to have compromised the company’s servers and exfiltrated around 182 GB of data, including years of internal email. The attack also involved a defacement of the official website, underscoring the growing cyber risks surrounding critical telecom equipment suppliers.

Protei cyberattack and alleged 182 GB data breach

According to multiple media reports, the attackers not only accessed Protei’s internal infrastructure but also replaced content on the company’s main webpage. The defaced site featured an obscene message and a slogan along the lines of “another DPI/SORM provider has fallen,” pointing to a targeted campaign against a vendor of traffic monitoring and filtering systems.

Screenshots preserved by the Wayback Machine indicate that as of 8 November 2025 the Protei website remained defaced. The page was later restored, but at the time of writing, no detailed technical account of the intrusion vector or timeline has been made public.

Protei’s public response to the hacking claims

Following the publications about the alleged breach, Mohammad Jalal, managing director of Protei’s Jordan office, told reporters that the company has no ties to Russia and is not aware of any data exfiltration from its servers. These statements conflict with the claims made by the hackers, a discrepancy that is relatively common in the early stages of incident response, when forensic analysis and log review are still in progress.

Who is Protei and why the hack matters for the telecom market

Protei originated in Russia and today lists its headquarters in Jordan. The company develops telecom solutions for fixed-line and mobile operators, as well as internet service providers across numerous countries, including Bahrain, Italy, Kazakhstan, Mexico, Pakistan and several Central African states.

Its portfolio includes platforms for video conferencing and broadband access, along with systems for network monitoring, web filtering and Deep Packet Inspection (DPI). Such products are often deployed to block websites, filter online content and log users’ internet activity in granular detail, sometimes in support of regulatory or law-enforcement mandates.

Research group Citizen Lab reported in 2023 that Iranian operator Ariantel consulted with Protei on implementing traffic logging and website blocking capabilities. The published materials also referenced functionality to restrict access to internet resources for specific users or even entire population segments. This background significantly increases interest in what exactly may be contained in the compromised data set.

DPI, SORM and surveillance infrastructure as cyber targets

DPI (Deep Packet Inspection) refers to a class of technologies that allow providers and government agencies to analyze not only packet headers but also the payload of network traffic. DPI enables fine-grained filtering, blocking and rerouting, as well as large-scale monitoring and profiling of communications.

The term SORM (Russian lawful interception systems) is traditionally associated with technical platforms that provide security and intelligence services with direct access to telecom traffic and subscriber information. Vendors that supply DPI/SORM surveillance and traffic control systems are therefore high‑value targets both for state customers and for activist or hacker groups that oppose censorship and mass surveillance.

The wording left on the defaced Protei website suggests that this campaign may have been ideologically motivated and aimed specifically at a provider of internet traffic control technologies.

Role of DDoSecrets and potential impact of the Protei data leak

The attackers claim that the stolen 182 GB archive has been handed over to non-profit leak repository DDoSecrets (Distributed Denial of Secrets), which positions itself as a platform for collecting and indexing data leaks in the public interest for journalists, researchers and human rights organizations.

If these claims are confirmed, the leaked data set could include internal email communications, technical documentation, commercial proposals, contracts, and deployment details for DPI and web-filtering systems used by Protei’s clients. Such information would be highly valuable not only to investigators and reporters, but also to other threat actors capable of using configuration details, IP addresses and access data to mount follow‑on attacks against telecom operators.

Telecom supply chain cyber risk and key security lessons

Telecom vendors as a critical supply chain attack surface

The Protei incident illustrates the severity of supply chain cyber risk in the telecom sector. A successful compromise of a software or equipment vendor can indirectly endanger dozens of networks across multiple jurisdictions. Global breach analyses, including the Verizon Data Breach Investigations Report, consistently show that a substantial proportion of major incidents involve a third‑party or partner organization at some stage of the intrusion.

For telecom operators, this means security efforts cannot be limited to their own infrastructure. Organizations must systematically manage third‑party and vendor risk by conducting security assessments, demanding transparency in development and update processes, and scrutinizing how partners store and process sensitive operational data.

Practical cybersecurity measures for telecom and DPI/SORM environments

From a defensive perspective, incidents of this scale highlight several priority measures for telecom providers and surveillance-technology vendors:

1. Network segmentation and access control. Monitoring, lawful interception and DPI platforms should be isolated from internet-facing services such as corporate email and public websites. Administrative accounts must follow least‑privilege principles with strong authentication and continuous access review.

2. Protection of corporate email archives. Large mail stores are attractive intelligence targets. Organizations should limit retention periods, enforce encryption in transit and at rest, use multi-factor authentication, and monitor for abnormal login and data transfer patterns.

3. Independent security audits and penetration testing. Regular external assessments, including penetration tests and secure configuration reviews of web services and management interfaces, help identify exploitable weaknesses before attackers do.

4. Incident response readiness and transparent communication. A tested incident response plan, predefined communication procedures with customers and regulators, and timely, fact‑based public updates can significantly reduce legal, operational and reputational impact when a breach occurs.
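As an added illustration of the monitoring point in item 2 (not code from the article, from Protei or from any real product), a small baseline-deviation check over constructed mail-access log lines: it flags an account that transfers far more than its usual daily volume and logins from a source address never seen for that account. The log format, field names, addresses and the tenfold threshold are assumptions.

```python
from collections import defaultdict

def parse_line(line):
    """Parse one assumed-format line: '<ts> user=<u> src=<ip> bytes_out=<n>'."""
    ts, rest = line.split(" ", 1)
    kv = dict(p.split("=", 1) for p in rest.split())
    return ts, kv["user"], kv["src"], int(kv["bytes_out"])

def find_anomalies(baseline_lines, window_lines, volume_factor=10):
    """Compare a review window against a per-account baseline.

    Returns (kind, user, detail) alerts: 'new_source_ip' when an account logs in
    from an address absent from its baseline, 'volume_spike' when its bytes in the
    window exceed volume_factor times its average daily baseline volume.
    """
    base_bytes, base_ips, base_days = defaultdict(int), defaultdict(set), defaultdict(set)
    for line in baseline_lines:
        ts, user, ip, n = parse_line(line)
        base_bytes[user] += n
        base_ips[user].add(ip)
        base_days[user].add(ts[:10])  # calendar day of the event

    alerts, win_bytes = [], defaultdict(int)
    for line in window_lines:
        _, user, ip, n = parse_line(line)
        win_bytes[user] += n
        if ip not in base_ips[user]:
            alerts.append(("new_source_ip", user, ip))

    for user, total in win_bytes.items():
        daily_avg = base_bytes[user] / max(len(base_days[user]), 1)
        if total > volume_factor * max(daily_avg, 1):
            alerts.append(("volume_spike", user, total))
    return alerts

# Constructed sample data: seven quiet days for two accounts, then one day on which
# "alice" pulls far more than usual from an address never seen for that account.
BASELINE = (
    [f"2025-11-0{d}T09:00:00Z user=alice src=10.0.0.5 bytes_out=20000000" for d in range(1, 8)]
    + [f"2025-11-0{d}T09:30:00Z user=bob src=10.0.0.9 bytes_out=15000000" for d in range(1, 8)]
)
WINDOW = [
    "2025-11-08T02:14:00Z user=alice src=203.0.113.7 bytes_out=5000000000",
    "2025-11-08T09:05:00Z user=bob src=10.0.0.9 bytes_out=18000000",
]

if __name__ == "__main__":
    for alert in find_anomalies(BASELINE, WINDOW):
        print(alert)
```

In practice the baseline would be rebuilt from the mail platform's own audit logs and the threshold tuned per role, so that routine mailbox migrations do not page the on-call analyst.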

The reported Protei breach underscores how vulnerable critical nodes of the digital ecosystem can be—from DPI/SORM suppliers to telecom carriers and public-sector customers depending on their platforms. The more central an organization’s role in traffic routing, filtering or surveillance, the higher the bar for its cyber resilience. Telecom operators and technology vendors should closely monitor developments around the Protei case, reassess their own vendor risk management, and invest in strengthening cybersecurity at every layer—from network architecture and access control to data governance and staff training.
