Norway Flags Russian Cyber Espionage Campaign on Maritime Infrastructure

Norwegian security agencies have warned of increased Chinese and Russian intelligence operations in 2026, with maritime infrastructure a major target. This was revealed by the Norwegian Police Security Service (PST) in its 2026 national threat assessment, which was released last week. The report claims Norway is facing its most serious security situation since World War II.

In addition, PST noted that China and Russia have enhanced their abilities to conduct intelligence operations in Norway, primarily through the cyber domain. Iran has also infiltrated Swedish criminal networks with a presence in Norway for covert operations.

But Russia remains a major threat actor to Norway. The relations between the two countries have deteriorated in the past three years, especially due to Norway’s continued support for Ukraine. Norway is aligned with economic sanctions being implemented by the EU and the U.S against Russia. Other countermeasures by Norway include enforcing strict entry for Russian nationals and restricting access of Russian vessels to Norwegian ports. There is an exemption for Russian fishing vessels to access ports in Båtsfjord, Kirkenes and Tromsø.

PST sees Russian crews on civilian vessels registered in third countries representing a significant threat in 2026. There is a growing trend by Russia to use civilian vessels to perform reconnaissance on coastal and subsea infrastructure in Norway and other allied countries in Europe.

The assessment further highlighted the Chinese state-sponsored cyber espionage campaign, code-named Salt Typhoon, focused on breaching Norwegian critical infrastructure and telecommunication networks. PST said that Salt Typhoon has already targeted vulnerable network devices in Norway, although it did not name the organizations affected. China has also used Salt Typhoon to infiltrate telecom providers in Canada and the U.S.

The PST report coincided with a warning from Ukrainian computer emergency response team, CERT-UA, which flagged cyber breaches by a Kremlin-backed hacker group called Fancy Bear or APT28. The group is targeting public sector and logistics bodies in Romania, Slovakia and Ukraine. In a report last week, cyber security firm Trellix explained that APT28 is exploiting a vulnerability in Microsoft Office, which Microsoft revealed in late January. The vulnerability tracked as CVE-2026-21509 allows attackers to bypass critical security mitigations built into Microsoft Office and Microsoft 365.

Since the flaw was revealed, Trellix confirmed that it has observed an attack campaign by APT28, targeting maritime and transportation entities spread across Poland, Slovenia, Turkey, Greece and United Arab Emirates. These attacks were part of a concentrated 72-hour spear phishing campaign that sent around 29 distinct emails across nine Eastern European countries. The emails sent between January 28 and January 30, contained malicious Office documents, which triggered malware automatically without requiring user interaction.