
Salt Typhoon
Chinese state-linked APT with confirmed ongoing compromise of 200+ telecoms firms in 80 countries as of August 2025.
Last refreshed: 30 April 2026
Is Salt Typhoon still inside global telecoms networks, and what can carriers do about it?
Timeline for Salt Typhoon
- Committed by UK MOD as air component of the Hormuz multi-platform deployment
  Iran Conflict 2026: UK names Typhoons, HMS Dragon for Hormuz
- Norway joins the Salt Typhoon victim list
  Cybersecurity: Threats and Defences
- Operated China-nexus covert networks targeting energy, healthcare, transport and government sectors
  Cybersecurity: Threats and Defences: Sixteen agencies put IOC extinction in print
- Maintained ongoing access to 200+ telecoms companies across 80 countries with compromise still active as of February 2026
  Cybersecurity: Threats and Defences: FBI: Salt Typhoon still very much live

- Is Salt Typhoon still hacking telecoms companies in 2026?
- Yes. An FBI official confirmed at CyberTalks 2026 in February 2026 that Salt Typhoon's telecoms compromise was 'still very, very much ongoing', with at least 200 companies in 80 countries affected as of August 2025. Source: FBI / CyberTalks 2026
- What did Salt Typhoon actually access in US phone networks?
- Salt Typhoon accessed call data records, real-time call interception capability for targeted individuals, and the CALEA lawful-intercept back-end systems at multiple US carriers including AT&T, Verizon and T-Mobile. Source: CISA / FBI joint advisory November 2024
- How is Salt Typhoon different from Volt Typhoon?
- Salt Typhoon targets telecommunications for SIGINT collection (intercepting calls and data). Volt Typhoon targets US critical national infrastructure (CNI) to pre-position sabotage capability. Both are China-nexus but have different mission objectives. Source: CISA / NCSC
- Has Salt Typhoon hacked European telecoms companies?
- Yes. Norway's Police Security Service (PST) confirmed in April 2026 that Norwegian telecoms infrastructure was compromised by Salt Typhoon, making Norway the first confirmed Scandinavian victim and the latest in a growing list of non-US countries to be publicly acknowledged. Source: PST (Norway) / Mandiant April 2026
Background
Salt Typhoon is a China-linked threat actor to which US and allied agencies attribute the large-scale, persistent compromise of global telecommunications infrastructure. An FBI official confirmed at CyberTalks 2026 in February 2026 that the campaign was "still very, very much ongoing" and had affected at least 200 companies across 80 countries as of August 2025. Norway's Police Security Service (PST) confirmed in April 2026 that Norwegian telecoms infrastructure had been compromised, bringing the publicly confirmed country count above nine and marking the first Scandinavian disclosure. A 16-agency joint advisory published the same week formalised a multinational institutional response, naming Salt Typhoon and Volt Typhoon together and publishing indicators of compromise for allied network defenders.
Salt Typhoon became publicly known in late 2024 when US intelligence disclosed that the actor had compromised multiple major US telecoms carriers, including T-Mobile, AT&T and Verizon, gaining access to call data records (CDRs), real-time call interception capability for specific targets, and CALEA (Communications Assistance for Law Enforcement Act) lawful-intercept back-end systems. The latter, designed to allow lawful interception by US law enforcement, was accessed by the Chinese actors. The compromise scale was described by CISA director Jen Easterly in November 2024 as the "worst telecommunications hack in our nation's history".
The cross-topic significance is substantial. Salt Typhoon operates in the same Chinese state-nexus space as Volt Typhoon (CNI pre-positioning) and UNC5221 (BRICKSTORM enterprise espionage), suggesting a coordinated tri-vector Chinese cyber posture: SIGINT collection (Salt Typhoon), sabotage-ready positioning (Volt Typhoon), and long-duration economic espionage (UNC5221). For security operations teams in telecoms infrastructure organisations, the February 2026 FBI confirmation and the April 2026 Norwegian disclosure mean the incident window extends well beyond the initial 2024 disclosure, with European carriers now confirmed in scope.