{"id":26690,"date":"2026-02-14T10:00:42","date_gmt":"2026-02-14T09:00:42","guid":{"rendered":"https:\/\/smecyberinsights.co.uk\/?p=26690"},"modified":"2026-02-18T10:36:09","modified_gmt":"2026-02-18T09:36:09","slug":"china-state-actor-salt-typhoon","status":"publish","type":"post","link":"https:\/\/smecyberinsights.co.uk\/index.php\/2026\/02\/14\/china-state-actor-salt-typhoon\/","title":{"rendered":"PST warning: Salt Typhoon and the contractor-linked model behind critical infrastructure hacking"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t
\"Partners1_NordVPN\"<\/figure><\/div>
\"Partners3_R3\"<\/figure><\/div>
\"Partners2_Zoho\"<\/figure><\/div>
\"Partners4_Plesk\"<\/figure><\/div>
\"Partners7_Passware\"<\/figure><\/div>
\"Red_Button_Slider\"<\/figure><\/div>
\"ogo2\"<\/figure><\/div>
\"Detection.<\/figure><\/div>\t\t\t<\/div>\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"PST\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t
Image Credit: www.slon.pics<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"nordvpn-internet-security-privacy\"\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

Helping Keep Small Business CYBERSafe!
\n<\/strong>Gibraltar: Saturday 14 February 2026 at 11:00 CET<\/p>\n

PST warning: Salt Typhoon and the contractor-linked model behind critical infrastructure hacking
\n<\/strong>By Iain Fraser<\/a> – Cybersecurity Journalist Authority Writer & Publisher
\n<\/a>IfOnlyCommunications
\n<\/a>Published in Collaboration with: Nord VPN<\/a>
\nSMECyberInsights.co.uk<\/a> –\u00a0<\/a>First for SME Cybersecurity
\n<\/a>Google Indexed on 140226 at 12:20 CET<\/a>
\n#CyberSecurity #cybersecurity #Reportage #riskmanagement #stateactors #salttyphoon #CyberJourno
\n<\/em><\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"Nord\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

PST\u2019s warning is bigger than one campaign: Salt Typhoon, contractor-linked tradecraft, and critical infrastructure reconnaissance UK advisers cannot ignore<\/strong><\/p>\n

This is my analysis and report of a recent study by PST examining Norway\u2019s National Threat Assessment 2026<\/em> for UK clients and boards:<\/p>\n

* Salt Typhoon is not abstract<\/strong>; PST says it \u201chas compromised vulnerable network devices in Norwegian organisations\u201d (PST, 2026, p12).<\/p>\n

* PST highlights how private contractors can amplify state capability<\/strong>, linking Salt Typhoon to private Chinese cybersecurity firms (PST, 2026, p12).<\/p>\n

* PST\u2019s Russia section is explicit about critical infrastructure reconnaissance<\/strong>\u00a0and how vulnerability knowledge can support \u201cinfluence and sabotage\u201d in a worst-case scenario (PST, 2026, p12).<\/p>\n

* The UK takeaway is not \u201cpanic\u201d. It is assurance<\/strong>; control of edge devices, identity, supplier access, and recoverability evidence.<\/p>\n

* Be careful with language. PST\u2019s \u201cso dangerous\u201d phrasing appears in a section on anti-government actors and violence<\/strong>, not cyber campaigns (PST, 2026, p23).<\/p>\n

What PST actually says about Salt Typhoon (and why it matters)<\/strong><\/p>\n

PST\u2019s most operationally relevant Salt Typhoon passage is short and unusually concrete. It asserts both impact and method:<\/p>\n

\u201cThe Chinese cyber threat actor known as Salt Typhoon is an example of an actor who has compromised vulnerable network devices in Norwegian organisations.\u201d (PST, National Threat Assessment 2026<\/em>, p12)<\/p>\n

For UK advisers, \u201cvulnerable network devices\u201d should ring louder than the actor\u2019s name. That phrase typically maps to internet-facing infrastructure such as VPNs, firewalls, gateways, and edge appliances where patching gaps and weak admin practices create a high-leverage entry point.<\/p>\n

PST then adds two details that should shape how analysts brief boards.<\/p>\n

First, it leans on US reporting for sector focus:<\/p>\n

\u201cUS authorities describe this actor as specialising in cyber operations targeting telecommunications infrastructure.\u201d (PST, 2026, p12)<\/p>\n

Second, it explicitly calls out contractor enablement:<\/p>\n

\u201cSalt Typhoon is linked to private Chinese cybersecurity firms, illustrating the central role of private contractors in Chinese cyber operations and how they help enhance the capacity of Chinese security and intelligence services.\u201d (PST, 2026, p12)<\/p>\n

That last sentence is the strategic tell. It supports a sober conclusion: capability scaling is not only about elite state units. It can be industrialised via contractors. For UK corporates, that increases the odds of persistent, repeatable targeting patterns against common technologies and shared suppliers.<\/p>\n

Critical infrastructure reconnaissance; PST\u2019s Russia framing is a template<\/strong><\/p>\n

PST\u2019s Russia section is not about Salt Typhoon, but it is essential context for UK resilience thinking because it states the pathway from mapping to coercion:<\/p>\n

\u201cRussia reconnoitres Norway\u2019s critical infrastructure and identifies vulnerabilities. This information can subsequently be used in intelligence, influence and sabotage activities. In the worst case, Russia could use this information to its advantage in a potential armed conflict.\u201d<\/em><\/strong><\/p>\n

UK advisers should treat this as a model for how security services think about critical infrastructure risk over time<\/em><\/strong>. Reconnaissance plus vulnerability knowledge reduces the time and uncertainty required to escalate later. It also changes what \u201cgood\u201d looks like in governance; the goal is not perfect prevention. The goal is reducing pre-positioning opportunities and proving you can contain and recover.<\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\"PST\t\t\t\t\t\t\t\t\t\t\t
Image Credit: www.slon.pics<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

Analyst lens; what boards tend to miss<\/strong><\/p>\n

1) Espionage is an operational risk multiplier<\/strong><\/p>\n

Even when the immediate objective is intelligence collection, access to operational dependencies, supplier relationships, and recovery procedures can become a disruption accelerator later.<\/p>\n

2) Edge exposure is still the front door<\/strong><\/p>\n

PST\u2019s \u201cvulnerable network devices\u201d wording should prompt immediate questions about patch governance, asset visibility, and whether suppliers operate or manage any exposed infrastructure on a client\u2019s behalf.<\/p>\n

3) Do not overfit rhetoric across chapters<\/strong><\/p>\n

PST uses \u201cso dangerous\u201d language here:<\/p>\n

\u201cThe enemy is at times framed as so dangerous and malevolent that certain individuals ultimately perceive violence as a necessary response.\u201d (PST, 2026, p23)<\/p>\n

But that appears in a section on anti-government actors and violence, not cyber operations. Advisers should avoid blending emotionally charged language into cyber threat briefings unless the source clearly intends it.<\/p>\n

What good looks like; UK actions that stand up in board minutes<\/strong><\/p>\n

Do now (7\u201330 days)<\/strong><\/p>\n

* Edge device exposure sweep<\/strong>: inventory all internet-facing appliances; confirm patch levels; remove legacy remote access paths; validate secure admin access.<\/p>\n

* Privileged access controls<\/strong>: reduce standing admin rights; enforce strong MFA for administrators; review service accounts and remote management tools.<\/p>\n

* Supplier access mapping<\/strong>: list third parties with remote\/admin access; verify authentication strength; ensure logging is enabled and reviewed.<\/p>\n

* Detection focus shift<\/strong>: prioritise alerts for credential abuse and administrative tooling over malware-only signals.<\/p>\n

Do next (this quarter)<\/strong><\/p>\n

* Network segmentation around crown jewels<\/strong>: make lateral movement harder and noisier.<\/p>\n

* Recovery evidence<\/strong>: run at least one technical restore test for a critical service and capture results for audit and insurer conversations.<\/p>\n

* Assurance narrative<\/strong>: map to NCSC guidance and Cyber Essentials as baseline, then add \u201cbeyond baseline\u201d controls where risk justifies it.<\/p>\n

Measure; four board-friendly indicators<\/strong><\/p>\n

* Percentage of internet-facing devices under verified patch SLAs<\/p>\n

* Percentage of privileged accounts with strong MFA and continuous monitoring<\/p>\n

* Number of third parties with persistent admin access to critical systems<\/p>\n

* Proven recovery time for critical services from real tests, not tabletops<\/p>\n

Mini-scenario; how this plays out in a UK corporate<\/strong><\/p>\n

A UK firm has several remote-access appliances managed by a third party. One device falls behind on patches. An attacker compromises it, then uses valid credentials to expand access quietly. There is no ransomware. The attacker maps systems, dependencies, and supplier pathways, and collects documentation. Months later, a second event escalates faster because the attacker already understands the environment.<\/p>\n

Board Questions (use on one slide)<\/strong><\/p>\n

* Which services are our \u201ccrown jewels\u201d, and who is accountable for their resilience<\/p>\n

* Which internet-facing devices do we run, and can we evidence patch compliance<\/p>\n

* Which suppliers have admin access to critical systems, and how is it controlled and logged<\/p>\n

* What would our telemetry show if valid credentials were abused<\/p>\n

* How quickly can we contain admin misuse without disrupting operations<\/p>\n

* When did we last prove recovery of a critical service end to end<\/p>\n

* What would we disclose, and on what timeline, if sensitive data access is suspected<\/p>\n

If you advise UK boards, turn PST\u2019s warning into a one-page \u201cpre-positioning risk\u201d brief: edge exposure status, privileged access posture, third-party access inventory, and last recovery test results. That is the artefact executives can act on this quarter.<\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\tRead Full Report\/ \u2026<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"Nord\"\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t
<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

What is a VPN & Does my SME Need one?<\/strong> A VPN<\/strong><\/a> is a Virtual Private Network a method of securing your communications credentials. When it comes to SMEs<\/strong><\/a>, the choice of VPNs<\/strong><\/a> can significantly impact the security and efficiency of their operations. NordVPN<\/b> secures your Internet data with military-grade encryption, ensures your activity remains private and helps bypass geographic content restrictions online.\u00a0 \u00a0Join\u00a0NordVPN\u00a0Today and\u00a0Save\u00a0up to\u00a073%\u00a0and Get 3 months\u00a0Extra Free<\/a> – Rude Not to \u2026!<\/strong><\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\tLearn More \/...<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"Data<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>
\"CI_Feature<\/figure><\/div>\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t<\/path><\/svg>\t\t\t\t\t<\/div>\n\t\t\t\t\t
\n\t\t\t\t\t\t<\/path><\/svg>\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t
<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

Image Credit: www.slon.pics Image Credit: www.slon.pics Read Full Report\/ \u2026 Learn More \/…<\/p>\n","protected":false},"author":1,"featured_media":26691,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"cybocfi_hide_featured_image":"yes","footnotes":""},"categories":[594],"tags":[450],"ppma_author":[505],"class_list":["post-26690","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-reportage","tag-cybersecurity-journalist"],"featured_image_urls":{"full":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2026\/02\/flag-china_compressed-scaled.jpg",2560,1707,false],"thumbnail":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2026\/02\/flag-china_compressed-150x150.jpg",150,150,true],"medium":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2026\/02\/flag-china_compressed-300x200.jpg",300,200,true],"medium_large":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2026\/02\/flag-china_compressed-768x512.jpg",640,427,true],"large":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2026\/02\/flag-china_compressed-1024x683.jpg",640,427,true],"1536x1536":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2026\/02\/flag-china_compressed-1536x1024.jpg",1536,1024,true],"2048x2048":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2026\/02\/flag-china_compressed-2048x1365.jpg",2048,1365,true],"covernews-featured":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2026\/02\/flag-china_compressed-1024x683.jpg",1024,683,true],"covernews-medium":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2026\/02\/flag-china_compressed-540x340.jpg",540,340,true]},"author_info":{"display_name":"Cybersecurity Journalist Iain Fraser","author_link":false},"category_info":"REPORTAGE<\/a>","tag_info":"REPORTAGE","comment_count":"0","authors":[{"term_id":505,"user_id":1,"is_guest":0,"slug":"admin_yjdstq4n","display_name":"Cybersecurity Journalist Iain Fraser","avatar_url":{"url":"https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/10\/index_image440-removebg-preview.png","url2x":"https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/10\/index_image440-removebg-preview.png"},"0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/26690","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=26690"}],"version-history":[{"count":7,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/26690\/revisions"}],"predecessor-version":[{"id":26716,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/26690\/revisions\/26716"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/media\/26691"}],"wp:attachment":[{"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=26690"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=26690"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=26690"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/ppma_author?post=26690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}