
The CellCom CyberAttack
Wisconsin outage was no ordinary outage
Shane Brown
5/23/2025 · 5 min read


The Cellcom Cyberattack: What We Can Learn from Wisconsin's Week-Long Outage
When I first heard about Cellcom's service outage on May 14, 2025, I thought it was just another routine technical glitch. But as the days stretched on and thousands of customers in Wisconsin and Upper Michigan remained unable to make calls or send texts, it became clear this was something much more serious. What we eventually learned was that this wasn't just a system failure; it was a sophisticated cyberattack that would leave an entire telecommunications network crippled for nearly a week.
What Actually Happened?
On May 20th, Cellcom CEO Brighid Riordan finally confirmed what many had suspected: their network had been hit by a cyberattack. The timing tells us a lot about how these incidents unfold. The attack began at 9 p.m. CDT on May 14th, initially disguised as what appeared to be routine technical difficulties. It wasn't until six days later that the company felt confident enough to publicly acknowledge the true nature of the incident.
The attackers were surgical in their approach, targeting specific components of Cellcom's Public Switched Telephone Network (PSTN). They went after the Session Initiation Protocol (SIP) systems that manage call routing and the SS7 SMS gateways that enable text messaging between different carriers. What's particularly interesting is what they didn't touch—mobile data, iMessage, RCS messaging, and crucially, 911 services all remained operational throughout the ordeal.
This selective targeting suggests we're dealing with attackers who understood exactly how telecommunications infrastructure works. They knew that by isolating voice and SMS systems, they could cause maximum disruption to daily communications while leaving just enough functionality intact to avoid completely cutting off emergency services.
The Human Cost
Behind every cybersecurity incident are real people dealing with real problems. Cellcom customers found themselves suddenly cut off from the outside world in ways they hadn't experienced since the early days of mobile phones. Local businesses like D & D 24 Hour Towing and Complete Auto Repair had to scramble to maintain operations, with many resorting to switching carriers entirely just to keep their phones working.
The frustration was palpable, especially when customers tried to port their numbers to other carriers like Verizon and found themselves stuck in administrative limbo. When your business depends on customer calls and you can't even transfer your number to a working service, every hour of downtime translates directly to lost revenue.
Technical Deep Dive: Why This Attack Worked
From a technical perspective, this attack exposed some uncomfortable truths about our telecommunications infrastructure. The systems that were targeted—SS7 and SIP protocols—are essentially legacy technologies that were designed in an era when cybersecurity was an afterthought. These protocols lack the robust encryption standards we take for granted in modern applications.
SS7, in particular, has been a known vulnerability for years. It's the protocol that allows different carriers to communicate with each other, enabling your Verizon phone to call someone on AT&T. But it was designed in the 1970s, long before anyone imagined the sophisticated threat landscape we face today.
The attackers' strategy was clever: by targeting the interconnection points between Cellcom and other carriers, they could paralyze external communications while leaving internal network functions partially intact. This is why, by May 19th, Cellcom customers could start making calls and sending texts to other Cellcom users, but still couldn't reach customers on other networks.
Cellcom's Response: Lessons in Crisis Management
I have to give credit to CEO Brighid Riordan for her handling of the crisis communication. Instead of hiding behind corporate speak, she released video updates directly addressing customer frustrations and providing regular status updates. In an age where trust in institutions is at an all-time low, this kind of transparent communication matters.
The company also made some smart technical decisions. They activated pre-established cybersecurity protocols, brought in external experts, and most importantly, they didn't rush the recovery. It would have been tempting to bring systems back online quickly to appease angry customers, but they prioritized security over speed—a decision that likely prevented further compromise.
Their collaboration with federal authorities, including the FBI, also demonstrates the seriousness with which they treated the incident. This wasn't just about fixing their network; it was about understanding the threat and preventing similar attacks across the industry.
What This Means for the Industry
The Cellcom attack isn't happening in isolation. We're seeing an unprecedented wave of cyberattacks targeting critical infrastructure across multiple sectors: healthcare, energy, logistics, and now telecommunications. This represents a fundamental shift in how we need to think about cybersecurity.
For telecommunications companies, the message is clear: legacy systems need to be modernized or replaced entirely. Moving to encrypted alternatives like SIP over TLS isn't just a nice-to-have anymore; it's becoming a business necessity. The cost of upgrading these systems may seem prohibitive, but as Cellcom learned, the cost of not upgrading can be far worse.
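To make the SIP over TLS recommendation concrete, here is an added example (not from Cellcom or any source behind this article) that audits SIP headers for signaling hops that are not encrypted. The sample messages, host names and function names are constructed for illustration; it assumes you can export SIP headers as text from a border controller or a capture.

```python
import re

# Constructed sample SIP requests (not captured traffic); all names are placeholders.
SAMPLE_MESSAGES = [
    "INVITE sip:+19205550100@peer.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP sbc1.example.com:5060;branch=z9hG4bK1\r\n"
    "Call-ID: a1@sbc1.example.com\r\n\r\n",
    "INVITE sips:+19205550101@peer.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS sbc1.example.com:5061;branch=z9hG4bK2\r\n"
    "Call-ID: a2@sbc1.example.com\r\n\r\n",
    # transport=tls on a sip: URI only covers the next hop, unlike sips:
    "INVITE sip:+19205550102@peer.example.net;transport=tls SIP/2.0\r\n"
    "Via: SIP/2.0/TLS sbc2.example.com:5061;branch=z9hG4bK3, "
    "SIP/2.0/TCP core.example.com:5060;branch=z9hG4bK4\r\n"
    "Call-ID: a3@sbc2.example.com\r\n\r\n",
]

SECURE_TRANSPORTS = {"TLS", "TLS-SCTP", "WSS"}
# One Via hop: "SIP/2.0/<transport> <sent-by>"; a header may list several hops.
HOP_RE = re.compile(r"SIP\s*/\s*2\.0\s*/\s*([\w-]+)\s+([^;,\s]+)", re.I)

def audit(message):
    """Return findings for one SIP message (header folding is not handled)."""
    lines = message.split("\r\n\r\n", 1)[0].split("\r\n")
    findings = []
    start = lines[0].split(" ")
    # Requests start with "<method> <uri> SIP/2.0"; responses have no URI to check.
    if len(start) == 3 and start[2].upper() == "SIP/2.0":
        if not start[1].lower().startswith("sips:"):
            findings.append("request-URI is not sips:")
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):  # "v" is the compact form
            for transport, sent_by in HOP_RE.findall(value):
                if transport.upper() not in SECURE_TRANSPORTS:
                    findings.append(f"cleartext hop {sent_by} over {transport.upper()}")
    return findings

def cleartext_report(messages):
    """Map Call-ID -> findings for every message with at least one finding."""
    report = {}
    for msg in messages:
        found = audit(msg)
        if found:
            call_id = re.search(r"^(?:Call-ID|i)\s*:\s*(\S+)", msg, re.I | re.M)
            report[call_id.group(1) if call_id else "<no Call-ID>"] = found
    return report

if __name__ == "__main__":
    for call_id, found in cleartext_report(SAMPLE_MESSAGES).items():
        print(call_id, found)
```

The third sample shows why checking only the nearest hop is not enough: the edge connection uses TLS, but an earlier hop in the Via chain carried the same request over plain TCP.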
We also need better redundancy planning. The fact that customers couldn't easily port their numbers to other carriers during the outage highlights a systemic weakness in how our telecommunications infrastructure handles crisis scenarios.
The Bigger Picture: What's Coming Next
Looking ahead, I'm particularly concerned about the potential for AI-driven attacks on telecommunications infrastructure. The precision with which the Cellcom attackers targeted specific protocols suggests a level of technical sophistication that could easily be automated and scaled. If attackers can use AI to identify and exploit vulnerabilities in real-time, we need AI-enhanced defense systems to keep pace.
There's also likely to be regulatory fallout from this incident. We may see new legislation mandating stricter cybersecurity standards for telecommunications providers, similar to what we've seen in other critical infrastructure sectors.
Staying Safe in the Aftermath
For individuals and businesses, the Cellcom incident serves as a reminder that we need backup communication plans. Don't rely solely on one carrier or one type of communication. Having multiple options, whether that's a secondary carrier, internet-based calling services, or even good old-fashioned landlines for critical business functions, can mean the difference between staying operational and losing business during an outage.
Be particularly wary of scams in the aftermath of incidents like this. Attackers often follow up infrastructure attacks with phishing campaigns that exploit the confusion and urgency people feel during service disruptions.
Final Thoughts
The Cellcom cyberattack is more than just another entry in the growing list of cybersecurity incidents; it's a preview of the challenges facing our increasingly connected world. As our dependence on digital infrastructure grows, so does our vulnerability to those who would exploit it.
What gives me hope is seeing how quickly the cybersecurity community rallied around this incident, sharing information and best practices to help prevent similar attacks. The transparency shown by Cellcom's leadership, while painful in the moment, ultimately serves the greater good by helping the entire industry learn from their experience.
The question isn't whether we'll see more attacks like this; we will. The question is whether we'll use incidents like Cellcom as wake-up calls to build more resilient, secure communications infrastructure before the next attack hits even closer to home.