Salt Typhoon Expands Beyond the US: Singapore and Norway Telecom Networks Targeted

The Salt Typhoon campaign — a Chinese state-sponsored espionage operation targeting telecommunications infrastructure — has expanded significantly beyond its original US focus. In February 2026, Singapore formally attributed attacks on four of its largest telecom providers to Salt Typhoon, and Norway's Police Security Service confirmed that Norwegian organizations were targeted through vulnerable network devices.

Singapore Attribution

On February 10, 2026, Singapore's government publicly attributed cyberattacks on Singtel, StarHub, M1, and Simba Telecom to the Salt Typhoon threat actor. These four companies constitute the core of Singapore's telecommunications infrastructure, serving the vast majority of the city-state's mobile and fixed-line subscribers. Singapore's decision to publicly name Salt Typhoon — and by extension, attribute the attacks to a Chinese state-sponsored group — is significant. Singapore has historically been cautious about public attribution of state-sponsored cyber activity, particularly when it involves China, its largest trading partner.

Norway Targeted

Norway's Police Security Service (PST) announced on February 6 that Salt Typhoon had targeted Norwegian organizations through exploitation of vulnerable network devices — the same general attack pattern used in the US and Singapore campaigns. The specific Norwegian targets were not publicly named, but the reference to network devices aligns with Salt Typhoon's known tradecraft of exploiting edge networking equipment — routers, firewalls, and VPN appliances — to gain persistent access to carrier networks.

US Congressional Pressure

In the United States, the political dimension of the Salt Typhoon campaign intensified. On February 3, Senator Maria Cantwell accused AT&T and Verizon of blocking the release of security assessment reports produced by Mandiant, the Google-owned incident response firm that investigated the Salt Typhoon intrusions into US telecom networks. Cantwell called for AT&T and Verizon CEOs to testify before Congress about the scope of the compromise and the carriers' remediation efforts.

The FBI stated publicly that the Salt Typhoon threat is "still very, very much ongoing" — a characterization that suggests the threat actor has not been fully ejected from all compromised networks, or that new intrusion attempts continue to be detected.

The Broader Campaign

Salt Typhoon is classified as a Chinese state-sponsored threat actor whose primary mission is intelligence collection through telecommunications infrastructure. By compromising carrier networks, Salt Typhoon can intercept call metadata, text messages, and potentially voice communications for targeted individuals — including government officials, corporate executives, and intelligence targets. The expansion to Singapore and Norway confirms that the campaign is global in scope, not limited to US interests, and is actively targeting the telecommunications backbone of allied nations across multiple continents.

For telecom operators worldwide, the Salt Typhoon campaign has become the defining infrastructure security threat of 2025-2026. The FBI's characterization of the threat as ongoing means that defensive measures must assume continued adversary activity rather than a concluded incident.