Cybersecurity: Threats and Defences
30 APR

Norway joins the Salt Typhoon victim list

08:16 UTC

Norway's Police Security Service (PST) confirmed on 23 April that Norway is a Salt Typhoon victim, taking the public country count past nine.

Key takeaway

PST's Salt Typhoon disclosure signals a Nordic-led wave of public attribution to come.

Norway's Police Security Service, PST, publicly confirmed Norway as a victim of the Salt Typhoon telecoms compromise on the day of the sixteen-agency advisory, taking the public country count past nine 1. PST timed the disclosure to the publication of the sixteen-agency joint advisory, using the document as the occasion to surface domestic caseload that had previously sat behind a classification boundary.

Salt Typhoon is the China-nexus actor that CISA and the FBI have tracked across 200+ telecoms operators in 80+ countries since the campaign first surfaced. The Norwegian disclosure does not add a different actor or instrument; it adds a jurisdiction inside a NATO-aligned Five Eyes-adjacent partner. PST is the first non-Five Eyes intelligence service to confirm Salt Typhoon victim status this calendar year.

PST's timing carries the operational signal. Norway is signalling that other participating Five Eyes-adjacent states (the Netherlands, Germany, Spain, Sweden and Japan are among the sixteen signatories) may follow with their own confirmations now that the headline document is in print. For procurement and risk teams at telecoms operators across the Nordic and German-speaking markets, the read is that public exposure tracking is about to expand. The same coalition coordination that delivered the E-Note seizure is now being applied to attribution publication, with PST as the leading edge.

Deep Analysis

In plain English

Salt Typhoon is the name for a Chinese hacking campaign targeting telecoms companies, the firms that run phone calls and internet connections, across at least nine countries. PST, Norway's domestic security service, confirmed on 23 April that Norwegian telecoms networks were among the victims. Norway carries NATO Arctic communications through its cables and satellite ground stations, so the hackers may have sought transit data from allied military circuits rather than ordinary Norwegian phone calls.

Root Causes

Norway occupies a structurally attractive position for Salt Typhoon's telecoms-exploitation campaign: Telenor operates the Svalbard satellite ground station, the primary civilian satellite communications gateway for Arctic-region traffic, and Norwegian telecoms backhaul carries NATO northern-flank military communications under civilian contracts.

Salt Typhoon's primary intelligence value in a Norwegian network is therefore not Norwegian domestic communications but transit data from Arctic surveillance, submarine cable landing points, and allied military voice and data circuits that share civilian telecoms infrastructure.

The underlying structural cause is the absence of a mandatory disclosure framework for telecoms-sector breaches in Norway equivalent to the NIS2-derived obligations in EU member states. PST's confirmation was a voluntary choice; Norwegian law did not require it. That structural gap means Norway's disclosure signals PST's political judgment, not a legal trigger.

What could happen next?
  • Consequence

    PST's disclosure creates political precedent for the other fourteen advisory signatories to confirm or deny domestic Salt Typhoon victim status; Germany, Japan and Spain are the three with confirmed advisory involvement and no public national confirmation yet.

    Short term · 0.75
  • Risk

    Telecoms operators across Nordic and Baltic markets face elevated supervisory scrutiny from national cyber and intelligence agencies now that PST has set the public disclosure bar.

    Short term · 0.8
  • Precedent

    The PST timing model, national victim confirmation on the same day as a multilateral advisory, may become a standard diplomatic tool for Five Eyes-adjacent agencies to surface caseload without requiring a standalone national announcement.

    Medium term · 0.7
First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

NCSC UK · 30 Apr 2026
Different Perspectives
Norwegian Security and Service Organisation
NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.
ENISA and EU CNA Ecosystem
ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.
German Federal Office for Information Security (BSI)
BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.
Republic of Korea National Intelligence Service
South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.
Democratic People's Republic of Korea
UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.
WatchTowr Labs
WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.