Feb 09, 2026 · 5 min read

Norway Says Chinese Hackers Breached Its Networks in Most Serious Threat Since WWII

The Norwegian Police Security Service has confirmed that Salt Typhoon, a Chinese state-sponsored hacking group, compromised critical infrastructure across the country.

Norway Confirms the Breach

The Norwegian Police Security Service, known as PST, announced on February 6 that Chinese-backed hackers have successfully targeted Norwegian companies and critical infrastructure. The agency directly attributed the attacks to Salt Typhoon, a hacking group believed to operate on behalf of China's Ministry of State Security.

Norwegian officials characterized it as the most serious security situation the country has faced since World War II. The assessment reflects not just this single breach, but an escalating pattern of cyber operations from China, Russia, and Iran that intelligence services say now poses an existential threat to national security.

How Salt Typhoon Operates

Salt Typhoon specializes in compromising network edge devices that form the foundation of organizational connectivity. The Norwegian disclosure confirmed that the group targeted:

  • Routers: The devices that direct network traffic between internal systems and the internet
  • Firewalls: Security appliances that control what traffic enters and leaves networks
  • VPN appliances: Systems that enable secure remote access for employees and partners

By targeting these devices, Salt Typhoon gains persistent access with minimal footprint on individual workstations. Traditional endpoint security tools cannot detect malware running on network equipment, making these intrusions extremely difficult to identify and remove.

A Pattern Across Allied Nations

Norway is the latest country to publicly confirm a Salt Typhoon intrusion, joining a growing list of allied nations acknowledging Chinese espionage operations against their infrastructure. The United States disclosed last year that Salt Typhoon had compromised major telecommunications providers, gaining access to sensitive communications and government networks.

The group has reportedly intercepted communications of senior politicians across multiple countries. In the United States, investigators found evidence that Salt Typhoon had accessed systems used for lawful wiretapping, potentially giving Chinese intelligence services visibility into American surveillance operations.

European governments have watched Salt Typhoon tear through North American infrastructure for over a year, but public confirmations of European victims have been rare until now. Norway's willingness to attribute the attacks directly to China-backed hackers suggests growing frustration with Beijing's cyber operations and possible coordination with allied intelligence services on public disclosure.

Why Norway Matters

Norway holds strategic importance beyond its modest population. The country shares an Arctic border with Russia, hosts NATO military installations, and operates critical undersea fiber optic cables that carry transatlantic internet traffic. Norwegian energy companies are major suppliers of oil and natural gas to European markets.

Access to Norwegian networks could provide intelligence on NATO operations, energy sector information, and insights into European diplomatic communications. The PST assessment that this represents the most serious threat since World War II reflects both the scope of the compromise and the strategic value of the targets.

What Organizations Should Do

The Salt Typhoon campaigns underscore that edge device security remains a critical weakness for most organizations. The US Cybersecurity and Infrastructure Security Agency recently mandated that federal agencies remove end-of-life network devices within 12 months, citing persistent campaigns targeting this infrastructure.

Recommendations for organizations concerned about state-sponsored threats:

  • Maintain current firmware on all routers, firewalls, and VPN appliances
  • Replace devices that no longer receive security updates from manufacturers
  • Monitor network traffic for unusual patterns or connections to unexpected destinations
  • Implement network segmentation to limit lateral movement if devices are compromised
  • Consider threat intelligence feeds that track known Salt Typhoon infrastructure
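
Because endpoint tools do not run on routers, firewalls, or VPN appliances, the traffic-monitoring recommendation is usually implemented from flow records. The sketch below is an added example, not from the article or any agency guidance: it flags connections that an edge device itself initiated to a destination outside an allow-list. All addresses, device names, the allow-list, and the flow format are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: management addresses of edge devices (documentation ranges).
EDGE_DEVICES = {
    "192.0.2.1": "core-router",
    "192.0.2.2": "perimeter-firewall",
    "192.0.2.3": "vpn-gateway",
}

# Assumed policy: a device may only initiate traffic to internal services
# (syslog, NTP, AAA) and to a vendor update range.
ALLOWED_DESTS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/28")]

# Constructed flow records: "timestamp src dst dst_port bytes"
SAMPLE_FLOWS = """\
2026-02-06T01:00:00Z 192.0.2.1 10.0.5.10 514 1200
2026-02-06T01:00:05Z 192.0.2.3 198.51.100.5 443 88000
2026-02-06T01:02:11Z 192.0.2.2 203.0.113.77 443 5400000
2026-02-06T01:07:11Z 192.0.2.2 203.0.113.77 443 5100000
2026-02-06T01:09:30Z 10.0.7.20 203.0.113.9 443 900
malformed line
"""

def unexpected_edge_flows(flow_text):
    """Aggregate flows sourced from an edge device to a non-allow-listed destination."""
    findings = defaultdict(lambda: {"count": 0, "bytes": 0})
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than abort the run
        _ts, src, dst, port, nbytes = parts
        if src not in EDGE_DEVICES:
            continue  # only traffic the device itself originated is of interest
        try:
            dst_ip = ipaddress.ip_address(dst)
            port, nbytes = int(port), int(nbytes)
        except ValueError:
            continue
        if any(dst_ip in net for net in ALLOWED_DESTS):
            continue
        key = (EDGE_DEVICES[src], dst, port)
        findings[key]["count"] += 1
        findings[key]["bytes"] += nbytes
    return dict(findings)

if __name__ == "__main__":
    for (device, dst, port), stats in unexpected_edge_flows(SAMPLE_FLOWS).items():
        print(f"{device} -> {dst}:{port} flows={stats['count']} bytes={stats['bytes']}")
```

Findings are a starting point for triage: a new destination may be a legitimate service missing from the allow-list, so the list needs to be maintained alongside the device inventory.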

The Broader Implications

Norway's disclosure represents a shift in how Western governments are handling Chinese cyber espionage. Rather than quietly addressing breaches through diplomatic channels, allied nations appear increasingly willing to make public attributions that directly name Beijing as responsible.

Whether this transparency will deter future operations remains uncertain. Salt Typhoon's command and control infrastructure continues to operate, and the group shows no signs of reducing its activities. For organizations in strategic sectors, the Norwegian announcement is a reminder that state-sponsored hackers are going after not just obvious targets like defense contractors, but the entire network infrastructure that modern commerce and communication depend upon.