For years, the cybersecurity community has tracked Salt Typhoon — a Chinese state-sponsored hacking group — as it methodically infiltrated telecommunications networks across the United States. Now, the group’s operations have expanded into Scandinavia, with confirmed breaches of Norwegian companies marking a significant escalation in Beijing’s global cyber espionage campaign. The revelation underscores how no nation, regardless of its cybersecurity posture, is immune to the reach of China’s most sophisticated digital operatives.
According to TechCrunch, Norway’s national security authority, Nasjonal Sikkerhetsmyndighet (NSM), confirmed that Salt Typhoon hackers successfully compromised Norwegian companies. The breaches represent the first publicly acknowledged Salt Typhoon intrusions in a Nordic country, extending the group’s known operational footprint well beyond the American telecommunications sector where it first gained international notoriety.
From American Telecoms to Scandinavian Targets
Salt Typhoon — also tracked under names including FamousSparrow, GhostEmperor, and Earth Estries by various cybersecurity firms — first drew widespread attention in late 2024 when U.S. officials revealed that the group had infiltrated at least nine major American telecommunications providers. The breaches were staggering in scope: hackers gained access to the call records of millions of Americans and, in some cases, intercepted real-time communications of senior government officials and political figures. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) described the campaign as one of the most significant intelligence compromises in recent American history.
The Norwegian breaches suggest that Salt Typhoon’s ambitions extend far beyond gathering intelligence on American political figures and government operations. Norway, a NATO member with a strategic Arctic position and significant energy infrastructure, presents a high-value target for Chinese intelligence collection. The country’s telecommunications infrastructure serves as a conduit for sensitive government, military, and commercial communications, making it a logical target for a group whose primary mission appears to be intercepting communications at scale.
Norway’s Security Apparatus Responds
NSM’s confirmation of the breaches was notable for its directness. Norwegian authorities did not mince words in attributing the intrusions to Salt Typhoon, aligning with a broader Western trend of publicly naming Chinese state-sponsored hacking groups. This approach, once considered diplomatically risky, has become standard practice among NATO allies seeking to impose reputational costs on Beijing’s cyber operations. The Norwegian government has historically been cautious in its public attributions of cyberattacks, making this disclosure all the more significant.
The specific Norwegian companies targeted have not been publicly identified, though reporting from TechCrunch indicates that the breaches affected organizations in sectors considered critical to national security. Cybersecurity analysts familiar with Salt Typhoon’s operational patterns have noted that the group typically targets telecommunications providers, internet service providers, and managed service providers — organizations that serve as chokepoints for vast quantities of communications data. By compromising these upstream providers, Salt Typhoon can gain access to the communications of thousands of downstream targets without having to breach each one individually.
A Playbook Refined Through Years of Operations
Salt Typhoon’s technical tradecraft has evolved considerably since its earliest known operations. The group is known for exploiting vulnerabilities in internet-facing network equipment, including routers, firewalls, and VPN appliances manufactured by companies such as Cisco, Fortinet, and Barracuda. Once inside a network, the hackers deploy custom malware and leverage legitimate system administration tools — a technique known as “living off the land” — to move laterally while evading detection. This approach allows them to maintain persistent access for months or even years before being discovered.
In the American telecom breaches, Salt Typhoon exploited weaknesses in lawful intercept systems — the infrastructure that telecommunications companies maintain to comply with court-ordered wiretapping requests. By compromising these systems, the hackers effectively turned the surveillance apparatus of democratic governments against those governments, gaining access to the very tools designed to monitor criminal and national security targets. Whether similar lawful intercept systems were compromised in the Norwegian breaches remains unclear, but the possibility has raised alarm among European security officials.
The Geopolitical Dimensions of Beijing’s Cyber Campaign
China’s cyber espionage operations have grown increasingly aggressive in recent years, with multiple groups operating under the “Typhoon” designation drawing attention from Western intelligence agencies. While Salt Typhoon focuses on telecommunications and communications interception, its sibling group Volt Typhoon has been linked to the pre-positioning of malware in critical infrastructure — including water systems, energy grids, and transportation networks — that could be activated during a geopolitical crisis. Together, these campaigns represent a comprehensive Chinese strategy to establish persistent access to the digital infrastructure of rival nations.
The targeting of Norway carries particular strategic significance. As a major producer of oil and natural gas, Norway has become even more critical to European energy security following Russia’s invasion of Ukraine and the subsequent disruption of Russian gas supplies to the continent. Norwegian undersea cables and energy infrastructure have already been the subject of security concerns, with several incidents of suspected sabotage or surveillance near subsea pipelines and data cables in the North Sea. The addition of Salt Typhoon’s cyber operations to this threat picture creates a multi-domain challenge for Norwegian defense planners.
Western Allies Grapple with an Expanding Threat
The Norwegian breaches come at a time when Western governments are struggling to mount an effective collective response to Chinese cyber espionage. In the United States, the Salt Typhoon telecoms hack prompted a flurry of legislative activity, with lawmakers calling for mandatory cybersecurity standards for telecommunications providers and increased funding for CISA. The Federal Communications Commission has also moved to require telecom companies to certify that they have implemented adequate cybersecurity measures, though critics argue that these steps are too little, too late.
European governments face their own challenges. The European Union’s NIS2 Directive, which took effect in October 2024, imposes stricter cybersecurity requirements on operators of essential services, including telecommunications providers. However, implementation has been uneven across member states, and Norway — as a member of the European Economic Area but not the EU — navigates its own regulatory framework. The Salt Typhoon breaches may accelerate Norwegian efforts to strengthen cybersecurity requirements for critical infrastructure operators, much as the American breaches prompted regulatory action in Washington.
Industry Experts Sound the Alarm on Telecom Vulnerabilities
Cybersecurity professionals have long warned that telecommunications networks represent uniquely attractive targets for state-sponsored hackers. Unlike traditional corporate networks, telecom infrastructure is designed to be highly interconnected, with multiple points of access and complex interdependencies between equipment from different vendors. This complexity creates an expansive attack surface that is difficult to monitor and defend. The challenge is compounded by the fact that many telecom networks still rely on legacy equipment that was not designed with modern cybersecurity threats in mind.
The Salt Typhoon campaign has also reignited debates about the security of equipment from Chinese manufacturers, particularly Huawei and ZTE. While Norway and several other Western nations have moved to restrict or ban Chinese-made telecommunications equipment from their 5G networks, the Salt Typhoon breaches demonstrate that Chinese hackers do not need Chinese-made equipment to compromise foreign networks. The group has proven adept at exploiting vulnerabilities in Western-manufactured equipment, undermining the argument that simply excluding Chinese hardware is sufficient to secure telecommunications infrastructure.
What Comes Next for Global Cybersecurity Cooperation
The expansion of Salt Typhoon’s operations into Norway is likely to intensify discussions among NATO allies about collective cyber defense. NATO has increasingly recognized cyberspace as an operational domain, and the alliance’s Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, has been working to develop frameworks for collective response to state-sponsored cyberattacks. However, translating these frameworks into effective action remains a work in progress, particularly when it comes to responding to espionage operations that fall below the threshold of armed conflict.
For Norway and other targeted nations, the immediate priority is identifying the full scope of Salt Typhoon’s access and ensuring that the hackers have been fully expelled from compromised networks. History suggests this will be a difficult and time-consuming process. In the American telecom breaches, officials acknowledged that some of the compromised networks had not been fully remediated months after the intrusions were first discovered. The persistent nature of Salt Typhoon’s access — and the group’s demonstrated ability to regain entry after being detected — means that affected organizations face an ongoing battle to secure their networks.
The Norwegian breaches serve as a stark reminder that state-sponsored cyber espionage is a global problem that requires a global response. As Salt Typhoon continues to expand its target list, the question for Western governments is no longer whether their networks will be targeted, but whether they can detect and respond to intrusions before the damage is done. For the telecommunications sector in particular, the era of treating cybersecurity as a secondary concern is definitively over.


WebProNews is an iEntry Publication