Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
30APR

Norway joins the Salt Typhoon victim list

3 min read
08:16UTC

Norway's Police Security Service (PST) confirmed on 23 April that Norway is a Salt Typhoon victim, taking the public country count past nine.

TechnologyDeveloping
Key takeaway

PST's Salt Typhoon disclosure signals a Nordic-led wave of public attribution to come.

Norway's Police Security Service, PST, publicly confirmed Norway as a victim of the Salt Typhoon telecoms compromise on the day of the sixteen-agency advisory, taking the public country count past nine 1. PST timed the disclosure to the publication of the sixteen-agency joint advisory, using the document as the occasion to surface domestic caseload that had previously sat behind a classification boundary.

Salt Typhoon is the China-nexus actor that CISA and the FBI have tracked across 200+ telecoms operators in 80+ countries since the campaign first surfaced. The Norwegian disclosure does not add a different actor or instrument; it adds a jurisdiction inside a NATO-aligned Five Eyes-adjacent partner. PST is the first non-Five Eyes intelligence service to confirm Salt Typhoon victim status this calendar year.

PST's timing carries the operational signal. Norway is signalling that other participating Five Eyes-adjacents, the Netherlands, Germany, Spain, Sweden, Japan among the sixteen signatories, may follow with their own confirmations now that the headline document is in print. For procurement and risk Teams at telecoms operators across the Nordic and German-speaking markets, the read is that public exposure tracking is about to expand. The same coalition coordination that delivered the E-Note seizure is now being applied to attribution publication, with PST as the leading edge.

Deep Analysis

In plain English

Salt Typhoon is the name for a Chinese hacking campaign targeting telecoms companies, the firms that run phone calls and internet connections, across at least nine countries. PST, Norway's domestic security service, confirmed on 23 April that Norwegian telecoms networks were among the victims. Norway carries NATO Arctic communications through its cables and satellite ground stations, so the hackers may have sought transit data from allied military circuits rather than ordinary Norwegian phone calls.

Deep Analysis
Root Causes

Norway occupies a structurally attractive position for Salt Typhoon's telecoms-exploitation campaign: Telenor operates the Svalbard satellite ground station, the primary civilian satellite communications gateway for Arctic-region traffic, and Norwegian telecoms backhaul carries NATO northern-flank military communications under civilian contracts.

Salt Typhoon's primary intelligence value in a Norwegian network is therefore not Norwegian domestic communications but transit data from Arctic surveillance, submarine cable landing points, and allied military voice and data circuits that share civilian telecoms infrastructure.

The underlying structural cause is the absence of a mandatory disclosure framework for telecoms-sector breaches in Norway equivalent to the NIS2-derived obligations in EU member states. PST's confirmation was a voluntary choice; Norwegian law did not require it. That structural gap means Norway's disclosure signals PST's political judgment, not a legal trigger.

What could happen next?
  • Consequence

    PST's disclosure creates political precedent for the other fourteen advisory signatories to confirm or deny domestic Salt Typhoon victim status; Germany, Japan and Spain are the three with confirmed advisory involvement and no public national confirmation yet.

    Short term · 0.75
  • Risk

    Telecoms operators across Nordic and Baltic markets face elevated supervisory scrutiny from national cyber and intelligence agencies now that PST has set the public disclosure bar.

    Short term · 0.8
  • Precedent

    The PST timing model, national victim confirmation on the same day as a multilateral advisory, may become a standard diplomatic tool for Five Eyes-adjacent agencies to surface caseload without requiring a standalone national announcement.

    Medium term · 0.7
First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

NCSC UK· 30 Apr 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.