China’s Salt Typhoon hackers broke into Norwegian companies

Salt Typhoon, the Chinese state-backed hacking group that U.S. officials have called an “epoch-defining threat,” has now breached organizations in Norway. The revelation makes Norway the latest in a growing list of countries confirming attacks by the sophisticated cyberespionage operation that has compromised over 200 companies worldwide, including major telecommunications providers.

Key Takeaways

  • The Norwegian Police Security Service (PST) confirmed Salt Typhoon breached several Norwegian organizations by targeting vulnerable network devices.
  • Salt Typhoon has hacked into telecom providers across at least 9 countries, including the US, Canada, and now Norway, according to CISA advisories.
  • The group allegedly intercepted communications of senior U.S. politicians during the 2024 election cycle.
  • Security experts recommend immediate patching of network edge devices like routers, firewalls, and VPN appliances.

What Makes Salt Typhoon Different from Other Hacking Groups?

Salt Typhoon, also tracked as Earth Estries and GhostEmperor by security firms, operates differently from typical cybercriminal groups. Rather than seeking financial gain, it acts as an advanced persistent threat (APT), maintaining long-term access to critical infrastructure for intelligence gathering. According to the Norwegian PST’s National Threat Assessment 2026, the group specifically targets edge network devices (routers, firewalls, and VPN appliances) that often run outdated firmware.

“Salt Typhoon represents a fundamental shift in nation-state cyber capabilities,” said Mandiant chief analyst John Hultquist in a recent briefing. “They’re not just stealing data; they’re positioning themselves inside networks for potential future operations.” This approach makes detection particularly difficult, as the group can remain dormant for months before activating.

How Extensive Is the Damage Across Global Networks?

The scope of Salt Typhoon’s operations is staggering. According to FBI statements, the group has compromised at least 200 U.S. companies. Major telecom providers including Verizon, AT&T, and T-Mobile have confirmed breaches. In Canada, multiple telecom providers were similarly compromised.

The Norwegian disclosure adds another NATO member to the list of affected countries, raising concerns about the alliance’s collective cybersecurity posture. “We’re seeing a pattern of targeting NATO infrastructure,” noted Bruce Schneier, security technologist and author. “This isn’t random—it’s strategic intelligence preparation of the battlespace.” The pressure has prompted U.S. lawmakers to propose new legislation requiring telecom companies to meet stricter security standards.

What Should Organizations Do to Protect Themselves?

Cybersecurity agencies worldwide have issued urgent guidance for organizations to audit their network edge devices. CISA recommends immediately patching known vulnerabilities in products from Cisco, Fortinet, and Palo Alto Networks—all of which have been exploited by Salt Typhoon. Organizations should also enable enhanced logging on network devices and segment networks to limit lateral movement if a breach occurs.

The Chinese government has denied any involvement in Salt Typhoon operations, calling the accusations “politically motivated.” However, security researchers point to clear ties between the group’s operations and Chinese intelligence priorities, including targeting of Uyghur dissidents and Taiwan-related entities.

Organizations/Threats Mentioned

  • Salt Typhoon / GhostEmperor – Chinese state-backed APT group, active since at least 2020, known for targeting telecom infrastructure and critical systems across 9+ countries.
  • Norwegian Police Security Service (PST) – Norway’s domestic intelligence agency, responsible for national security threats including cyberespionage.
  • CISA – U.S. Cybersecurity and Infrastructure Security Agency, leading coordination of Salt Typhoon response across government and private sector.
  • FBI Cyber Division – Confirmed 200+ U.S. companies breached by Salt Typhoon operations.

What This Means

  • For IT security teams: Immediately audit all network edge devices (routers, firewalls, VPN appliances) for unpatched vulnerabilities. Salt Typhoon specifically targets CVE-2023-46747 in F5 devices and CVE-2024-21887 in Ivanti Connect Secure.
  • For telecom providers: Expect increased regulatory scrutiny. The FCC is considering mandatory security audits for carriers following the breach disclosures.
  • For enterprises using affected telcos: Assume communications may have been intercepted. Consider implementing end-to-end encryption for sensitive discussions and reviewing supply chain security.
  • For government agencies: The targeting of NATO member infrastructure suggests coordinated intelligence preparation. Interagency threat sharing should be prioritized.

Source: techcrunch.com

Disclosure: Trending Society provides tech analysis for informational purposes. Not financial or investment advice.
