Norway just became the latest country to publicly finger China's Salt Typhoon hacking group for breaking into its infrastructure. The Norwegian Police Security Service disclosed Friday that the notorious state-sponsored crew infiltrated several organizations by exploiting vulnerable network devices. The admission puts Norway in growing company alongside the US and Canada, all grappling with what American officials have called an 'epoch-defining threat' to critical infrastructure and telecommunications networks worldwide.
The Norwegian government just confirmed what cybersecurity experts feared - China's Salt Typhoon hacking operation has spread deeper into European infrastructure than previously known. In a national threat assessment published Friday, Norway's Police Security Service revealed that the state-sponsored group successfully breached several organizations inside the country by exploiting vulnerable network devices.
The disclosure is thin on specifics but heavy on implications. Norway didn't name the targeted companies or reveal how long the hackers maintained access, but the admission alone signals a significant escalation in Salt Typhoon's documented reach. The Norwegian embassy in the US hasn't responded to requests for additional details, leaving critical questions about the breach's scope unanswered.
What's clear is that Norway now joins an uncomfortable club. The US and Canada have both confirmed Salt Typhoon intrusions into their telecommunications infrastructure over the past year, with American officials describing the threat as 'epoch-defining.' That's not hyperbole - the FBI disclosed in August 2025 that Salt Typhoon had compromised at least 200 US companies, many of them critical infrastructure operators.
The hacking group's playbook has remained consistent: target telecom providers and network infrastructure companies to establish long-term surveillance capabilities. In the US breaches, Salt Typhoon allegedly intercepted communications of senior politicians, a revelation that sent shockwaves through Washington and triggered new legislative proposals to force telecoms to upgrade security standards.
Verizon announced in December 2024 that it had secured its network after discovering Salt Typhoon's presence, but the damage was already done. The hackers had maintained access for months, possibly years, collecting intelligence on network architecture and customer communications. Canadian telecoms faced similar breaches, with government officials confirming espionage-focused intrusions in June 2025.
Norway's vulnerability likely mirrors what happened elsewhere - outdated network equipment with known security flaws became entry points for sophisticated attackers. The Norwegian Police Security Service specifically mentioned 'vulnerable network devices,' suggesting the hackers exploited unpatched hardware rather than deploying zero-day exploits. That's actually worse news for defenders, because it means basic security hygiene could have prevented the breach.
The timing of Norway's disclosure is notable. European governments have watched Salt Typhoon tear through North American infrastructure for over a year, but public confirmations of European victims have been scarce until now. Norway's willingness to publicly attribute the attacks to China-backed hackers suggests growing frustration with Beijing's cyber operations and possibly coordination with allied intelligence services.
For the broader telecom and infrastructure industry, Norway's admission should trigger immediate security audits. If Salt Typhoon successfully compromised Norwegian organizations using known vulnerabilities, every operator with similar equipment profiles faces identical risks. The group's methodology - patient reconnaissance, exploitation of legacy systems, and long-term persistence - means breaches often go undetected for extended periods.
China has consistently denied involvement in Salt Typhoon's operations, calling accusations 'baseless' despite mounting evidence from multiple intelligence agencies. But the pattern is unmistakable: telecoms and infrastructure operators in democratic nations with significant geopolitical interests find themselves repeatedly targeted by the same sophisticated toolsets and techniques.
What makes Salt Typhoon particularly dangerous isn't just the technical sophistication - it's the strategic patience. These aren't smash-and-grab ransomware operators. They're intelligence collectors building long-term surveillance capabilities inside critical infrastructure, positioning themselves to intercept communications or potentially disrupt services during future conflicts.
Norway's public confirmation that Salt Typhoon breached its infrastructure marks a turning point for European cybersecurity. What was treated as primarily a North American problem now demands continent-wide response. Every telecom operator and critical infrastructure company needs to assume they're either compromised or targeted, and act accordingly. The hackers aren't going away - they're just getting started. For Norway and its allies, the question isn't whether Salt Typhoon will strike again, but where they're already hiding undetected.
