Security expert warns Salt Typhoon is becoming 'more dangerous' after Norwegian authorities lift lid on critical infrastructure hacking campaign
Norwegian security organizations believe Chinese state-backed cyber espionage is only going to get worse
The Chinese-backed hacking group known as Salt Typhoon has waged successful espionage campaigns against an array of organizations across Norway, according to the Norwegian Police Security Service.
No details have been published on which companies were targeted or how long the attackers were able to maintain access.
However, the report warned Chinese security and intelligence services are increasingly carrying out intelligence operations in Norway, including cyber operations and the collection of human intelligence.
"In 2026, China will collect intelligence, reconnoiter Norwegian digital infrastructure and threaten groups and individuals to prevent them from criticizing the Chinese Communist Party," the report reads.
"An increasing number of operations are likely to be carried out by commercial cybersecurity contractors and individuals who are not trained intelligence personnel but act on behalf of Chinese security and intelligence services."
Norwegian authorities warned any organizations holding sensitive information to be on the alert, particularly those operating in national infrastructure domains.
Salt Typhoon has mainly focused on targets in the US and Canada, but analysis shows the group is expanding operations globally. In September last year, the FBI warned the group had hit organizations in as many as 80 countries altogether.
The US Cybersecurity and Infrastructure Security Agency (CISA) said it was mainly targeting telecommunications, government, transportation, lodging, and military infrastructure networks.
Salt Typhoon typically targets large backbone routers of major telecommunications providers and network infrastructure companies, as well as provider edge (PE) and customer edge (CE) routers.
They also leverage compromised devices and trusted connections to pivot into other networks, modifying routers to maintain persistent, long-term access to networks.
Salt Typhoon is getting bolder
Pete Luban, Field CISO at AttackIQ, warned the group is becoming “more dangerous with each successful infiltration” and has established itself as a key adversary for national security agencies globally.
Salt Typhoon gained notoriety after compromising email systems belonging to “very senior” US political figures as part of an intelligence gathering campaign.
These long-running campaigns have become a hallmark of the group, which also managed to avoid detection in US National Guard networks for nearly a year.
"Continued access into internal systems allows threat actors to establish long-term surveillance and position themselves to carry out destructive attacks with little to no advanced warning," Luban said.
"However, breaches like these also deal indirect damage by undermining the security of intelligence sharing networks. If Salt Typhoon can sow seeds of doubt into these networks, it could force allies to limit or restrict information sharing, ultimately weakening collective security."
Organizations are advised to identify where vulnerabilities might exist in their infrastructure and mitigate them before threat actors can exploit them.
These networks should be segmented from internet-facing systems, while enforcement of zero-trust access controls can also help contain any damages caused by Salt Typhoon if defenses are breached.
The report also warned that Chinese intelligence services are recruiting Norwegian nationals to gain access to sensitive and classified information.
Often, those being recruited don't know they're working for Chinese intelligence, thinking they're employed by a think tank, an international company, a consultancy firm or similar.
"Sources are initially asked to provide non-public information in exchange for payment, such as details on the activities or plans of companies, public sector organisations of political institutions," it said.
FOLLOW US ON SOCIAL MEDIA
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
-
Google says AI is now being used to build zero-day exploitsNews Google cyber researchers think they’ve found the first AI-generated zero-day exploit
-
Changes to EU AI Act implementation deadlines welcomed by industryNews New implementation deadlines for the EU AI Act could help remove “genuine friction” for European companies
-
Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businessesNews Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda
-
German authorities want your help finding the hackers behind GandCrab and REvilNews Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk are believed to have made millions from ransomware as a service schemes
-
Interpol teams up with tech firms to seize 45,000 malicious IPs, servers in global cyber crime crackdownNews Operation Synergia III saw 94 arrests - and counting - with malicious IP addresses used in phishing and fraud schemes seized
-
The rise of teen hackers ‘makes for a good headline’, but cyber crime activities peak later in life
News With family responsibilities and mortgages to pay, it's not teenagers dishing out malware or carrying out cyber extortion
-
Cloudflare warns state-backed hackers are ‘weaponizing legitimate enterprise ecosystems’ as ‘living off the land’ attacks surge
News Chinese, North Korean, and Russian-backed threat groups now favor longer-term compromises over brute force attacks
-
DIY hackers are turning to ‘flat-pack’ malware components to speed up attacks and cut costsNews While these malware campaigns are very basic, researchers noted “they still work”
-
The FBI has seized the RAMP hacking forum, but will the takedown stick? History tells us otherwiseNews Billing itself as the “only place ransomware allowed", RAMP catered mainly for Russian-speaking cyber criminals
-
Microsoft just took down notorious cyber crime marketplace RedVDS – and found hackers were using ChatGPT and its own Copilot tool to wage attacksNews Microsoft worked closely with law enforcement to take down the notorious RedVDS cyber crime service – and found tools like ChatGPT and its own Copilot were being used by hackers.
