The Silent Siege

Telia Norge was compromised for 18 months. 500,000 customers exposed. The breach reveals what happens when we treat connectivity as a consumer product instead of critical infrastructure.

FTRCRP // SIGNALS


For eighteen months, a criminal group calling themselves “PayoutsKING” lived inside Telia Norge’s IT systems. They walked through terminal server accounts, copied entire employee desktops, and harvested passwords, salary slips, employment contracts, and building access codes. They siphoned 2.5 terabytes of data, roughly 690,000 files, from one of Scandinavia’s largest telecom providers. Nobody noticed.

When Telia finally detected the intrusion in November 2025, the damage was already done. Half a million broadband and TV customers exposed. Over 3,000 corporate clients. At least 17 Norwegian municipalities, including Bergen, where call and SMS metadata for 2,500 municipal employees and politicians from 2021 through April 2025 ended up on the dark web (Digi.no, 2026a).

And here is the part that should keep you awake. Telia does not only sell you broadband; it provides infrastructure to the Norwegian Armed Forces, the Police, DSB, Skatteetaten, and the Foreign Ministry. Thirty thousand business customers. Nineteen municipalities in Østlandet alone through a single framework agreement (Bergens Tidende, 2026). When an operator of this scale is compromised for a year and a half, the blast radius covers more than the customer base; it amounts to a map of how this country communicates.


It Is Always Worse Than They Say

Telia CEO Bjørn Ivar Moen told the press this was “a bigger issue than we thought” (Digi.no, 2026b). That phrase should be tattooed on the forehead of every CISO in Norway. It is always bigger than they thought, and it is always worse than the first disclosure.

Nine hundred people had their fødselsnummer exposed. Not through some sophisticated exploit, but because copies of identity documents and powers of attorney were sitting in file shares reachable through the same terminal server environment the attackers had already owned for over a year (Digi.no, 2026c). This is architectural negligence.

The industry median dwell time for detected breaches in EMEA is 22 days (Mandiant, 2025). Even IBM’s broader metric, the mean time to identify a breach across all industries, sits at 194 days (IBM Security, 2024). Telia’s estimated 18 months is an outlier. That kind of dwell time is what you see in state-sponsored intrusions, not what you expect from a criminal extortion group.

Something failed fundamentally here. Not a single alert, not one anomaly detection, not one suspicious data transfer flagged across 18 months and 2.5 terabytes of exfiltration. Either the monitoring was inadequate, or it did not exist.
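One kind of check that would have surfaced this pattern, shown as an added illustration rather than Telia’s tooling or anything described in the reporting: a per-account baseline over daily outbound volume from terminal server accounts, flagging any account that runs far above its own recent median for several days in a row. The log format, account names, volumes and thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
from statistics import median


def build_sample():
    """Constructed sample log (not real Telia data): '<date> <account> <bytes_out>'.

    ts-alice stays near 100 MB/day. ts-bob looks the same for a week, then moves
    about 5 GB/day, close to the ~4.6 GB/day that 2.5 TB over 18 months averages
    out to, so no single day stands out as a spike on its own."""
    lines = []
    for day in range(1, 15):
        lines.append(f"2025-03-{day:02d} ts-alice {100_000_000 + (day % 3) * 4_000_000}")
        bob = 95_000_000 if day <= 7 else 5_000_000_000 + (day % 2) * 50_000_000
        lines.append(f"2025-03-{day:02d} ts-bob {bob}")
    return lines


def detect_sustained_outliers(lines, baseline_days=7, factor=10.0, min_streak=3):
    """Map each flagged account to the first date on which its daily outbound
    volume had exceeded factor * median(previous baseline_days) for min_streak
    consecutive days. Flagging on the first streak matters: once the large days
    enter the window they become the new median and the signal disappears."""
    per_account = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines rather than abort the whole job
        date, account, nbytes = parts
        per_account[account].append((date, int(nbytes)))
    flagged = {}
    for account, rows in per_account.items():
        rows.sort()  # ISO dates sort chronologically as strings
        streak = 0
        for i in range(baseline_days, len(rows)):
            baseline = median([b for _, b in rows[i - baseline_days:i]])
            date, nbytes = rows[i]
            streak = streak + 1 if nbytes > factor * baseline else 0
            if streak >= min_streak and account not in flagged:
                flagged[account] = date
    return flagged


if __name__ == "__main__":
    print(detect_sustained_outliers(build_sample()))  # {'ts-bob': '2025-03-10'}
```

The per-account median is deliberately short so the rule is sensitive to a change in behaviour rather than to absolute size; the trade-off, visible in the comments, is that a long-running exfiltration normalises itself into the baseline, which is exactly why the first sustained deviation has to be acted on.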


The Questions Nobody Asks Until It Is Too Late

Does your doctor’s office use Telia? What about your bank? Your insurance company? Your municipality?

Three thousand corporate clients had their contact persons, service configurations, and LAN IP addresses exposed. That last detail is the one that should concern security professionals. A leaked internal network topology goes beyond a privacy violation; it is reconnaissance, pre-packaged and delivered to anyone who downloads the dump.

And for the half million private individuals whose names, addresses, emails, phone numbers, dates of birth, and IP addresses are now circulating…how many of them can identify a well-crafted phishing email? How many know what credential harvesting looks like? How many understand that the email from “their bank” asking them to verify their identity might be using their actual name, actual address, and actual date of birth, because that information is now available to anyone with a Tor browser?

No offence intended, but this is a genuine question. The data that was stolen is precisely the kind of data that makes social engineering work. A scammer no longer needs to guess; they already have the answers.

Now add AI to the equation. We are no longer talking about badly translated Nigerian prince emails; we are talking about perfectly written, contextually aware, individually targeted messages that reference your actual service provider, your actual address, your actual recent interactions. Can you tell the difference between a legitimate email from Telia about “updating your security settings after the breach” and a phishing email using the same data the breach exposed? Can your mother? Can your neighbour?


If It Quacks, It Most Certainly Is

Here is the broader picture, and it should make you uncomfortable.

In 2017, China banned its cybersecurity researchers from participating in international hacking competitions like Pwn2Own, after Chinese teams had dominated the event, winning 80 percent of the prize money. It established the Tianfu Cup as a domestic replacement, effectively creating a talent pipeline into military and intelligence services.

Then came the formal legislation. On 1 September 2021, China’s Regulations on the Management of Security Vulnerabilities in Network Products took effect (CAC, MIIT and MPS, 2021). The rules are straightforward: any vulnerability discovered must be reported to the Chinese government within 48 hours. Disclosure to overseas organisations or individuals is prohibited. Proof-of-concept exploit code cannot be published.

The implications are staggering. China went from being one of the world’s largest contributors to global vulnerability disclosure, helping everyone patch their systems, to a systematic hoarding operation routing all discovered vulnerabilities to state offensive units. Cary and Del Rosso (2023) documented that the MSS operates a mandatory vulnerability database requiring over 1,100 researchers across 151 companies to deliver nearly 2,000 vulnerabilities annually, including at least 141 critical-severity flaws evaluated specifically for offensive exploitation. Microsoft attributed a measurable increase in Chinese zero-day deployments directly to this policy, noting that “the increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements” (Microsoft, 2022, p. 35).

Simen Bakke, senior information security adviser at Norway’s Police ICT Services and analyst at Stratagem, has written extensively about this shift. In his September 2024 analysis of Chinese cyber operations, he noted that Chinese cyber actors have “50 times as many cyber personnel as the FBI” and described the country’s whole-of-society approach to cyber mobilisation (Bakke, 2024b). His May 2024 piece argued that 53 percent of all attacks against IT systems occur without the victim organisation noticing anything (Bakke, 2024a). That was written before the Telia breach proved his point.

Bakke has also documented how Stortinget’s Exchange servers were exposed directly to the internet in 2021, allowing Chinese actors to exfiltrate 4,000 emails. His warning about organisations exposing RDP connections to the internet reads like a prophecy of the Telia terminal server compromise: “organisations that make RDP connections accessible from the internet are essentially inviting attackers into their own systems” (Bakke, 2024a).


Connectivity Is Infrastructure

We treat electricity as critical infrastructure; we treat water supply as critical infrastructure. We accept that if the power grid fails, society stops functioning. We accept that if the water supply is contaminated, it is a national emergency.

But connectivity? Mobile networks? Internet access? We still treat these as consumer products, as services you shop for based on price and coverage maps.

That distinction no longer holds. We cannot put the genie back in the bottle. We are as dependent on connectivity as we are on water, energy, and physical infrastructure. Every municipal service, every healthcare interaction, every financial transaction, every piece of critical communication flows through these networks. When a telecom provider is compromised for eighteen months and nobody notices, we are looking at an infrastructure failure.

The EU understood this when drafting NIS2. The directive places digital infrastructure, including telecommunications, in the same “essential entity” category as energy, water, and healthcare (European Parliament, 2022). Same risk management obligations, same incident reporting timelines, same supply chain security requirements, same penalties…up to 10 million euros or 2 percent of global annual turnover.

Norway is implementing this through the Digitalsikkerhetsloven and the updated Ekomloven, but the supervisory structure remains fragmented. Nkom oversees telecom, NSM handles broader cybersecurity, and the first NIS2-era audits will not begin until October 2026 (Nkom, 2026). We are building the framework, but we are building it slowly, and the attacks are not waiting for our regulatory timeline.


No Room for Complacency

We will always have breaches; we will always have incidents. Perfect security does not exist, and pretending otherwise is dishonest. But there is a difference between a breach that is detected in days and contained in weeks, and one that festers for a year and a half while attackers methodically copy every file they can reach.

The Telia breach is a symptom. This is what happens when IT security is treated as a cost centre until it becomes a crisis, and then suddenly everyone cares. When the assumption is “it probably will not happen to us,” right up until it does. When we do not hold the operators of our most critical infrastructure to the standards that their position demands.

If it looks like a war, moves like a war, and causes damage like a war…it most certainly is one. It does not look like the wars we learned about in school: there are no rifles and no hand grenades. It is silent; it moves through our power grids, our mobile providers, our ISPs. One second everything is as it was the day before, the next you are trying to remember how things worked before we had connectivity.

Call it alarmism if you want; Telia just demonstrated it at the cost of half a million Norwegians’ personal data.

We need to do better. All of us.


References

Bakke, S. (2024a) ‘I Norge liker vi å håndtere cyberangrep: Vi bør bli bedre på å forhindre dem!’, Stratagem, 19 May. Available at: stratagem.no

Bakke, S. (2024b) ‘Kinesiske cyberoperasjoner: alle samfunnets ressurser i bruk’, Stratagem, 29 September. Available at: stratagem.no

Bergens Tidende (2026) ‘Politiet og DSB omfattet av datainnbruddet hos Telia’, Bergens Tidende

CAC, MIIT and MPS (2021) Regulations on the Management of Security Vulnerabilities in Network Products. Effective 1 September 2021

Cary, D. and Del Rosso, K. (2023) Sleight of Hand: How China Weaponizes Software Vulnerability. Washington, DC: Atlantic Council. Available at: atlanticcouncil.org

Digi.no (2026a) ‘Telia kan ha vært hacket i 18 måneder’, Digi.no, 3 March

Digi.no (2026b) ‘Datainnbruddet hos Telia: Rundt en halv million TV- og bredbåndskunder rammet’, Digi.no, 4 March

Digi.no (2026c) ‘Telia-lekkasjen: 2000 terminalserver-kontoer tømt av hackere’, Digi.no, 5 March

European Parliament (2022) Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2). Annex I

IBM Security (2024) Cost of a Data Breach Report 2024. Armonk, NY: IBM Corporation. Available at: ibm.com

Mandiant (2025) M-Trends 2025. Google Cloud. Available at: cloud.google.com

Microsoft (2022) Microsoft Digital Defense Report 2022. Redmond, WA: Microsoft Corporation. Available at: microsoft.com

Nkom (2026) ‘Varsler tilsyn med Telia etter datainnbrudd’, Nasjonal kommunikasjonsmyndighet, 25 February

NRK (2026) ‘Stjålne data fra Telia lagt ut på det mørke nettet’, NRK

Telia Norge (2026) Official breach disclosure. Available at: telia.no


Thomas A. Kleppestø FTRCRP: Technology with intention ftrcrp.org