The Record from Recorded Future News
therecord.media
Alexander Martin
February 6th, 2026
Norwegian intelligence discloses country hit by Salt Typhoon campaign
Norway’s domestic security agency confirmed Friday that the Chinese state-sponsored espionage campaign tracked as Salt Typhoon compromised network devices in Norwegian organizations.
The disclosure was made in the Norwegian Police Security Service’s (PST) annual threat assessment for 2026. The agency’s director general, Beate Gangås, said Norway was “facing its most serious security situation since World War II,” citing pressure from multiple foreign intelligence services.
Salt Typhoon is the name U.S. and allied authorities use for a Chinese cyber espionage campaign that has focused heavily on breaching telecommunications and other critical infrastructure. In its report, PST said the actor has exploited vulnerable network devices in Norway.
Gangås said foreign states — particularly China, Russia and Iran — are “conducting intelligence operations and employing hybrid tactics in Norway to undermine our resilience,” stressing the “vital” need for stronger protective security, intelligence and situational awareness.
The assessment said Chinese security and intelligence services have strengthened their ability to operate in Norway, including through cyber operations and human intelligence collection, adding that “the primary intelligence threat from China is in the cyber domain.”
China is described as posing a “substantial” threat and is expected to continue improving its efforts to collect intelligence and map Norwegian digital infrastructure.
PST also warned that China is “systematically” exploiting collaborative research and development projects to bolster its own military capacity and security capabilities.
Salt Typhoon has been linked to significant breaches of telecommunications providers and other critical infrastructure abroad. U.S. officials have said the campaign allowed attackers to intercept communications linked to senior political figures during the 2024 presidential race, including Donald Trump and JD Vance.
Last year, more than a dozen allied countries issued a joint advisory blaming three Chinese technology companies for enabling the espionage campaign, saying the intrusions were used to track the communications and movements of specific targets.
While China dominates the cyber threat picture, PST said Russia remains the principal overall threat to Norway’s security. The agency cited sustained espionage, mapping of critical infrastructure, pressure on Ukrainian refugees, covert intelligence operations using civilian vessels and the risk of sabotage.
Russian intelligence has been “closely monitoring military targets and allied activities and capabilities in Norway for many years,” the report said, adding that the tense geopolitical situation in Europe is likely to drive increased activity.
PST said it expects that to include more Russian cyber operations, influence campaigns and attempts to recruit sources via digital platforms in 2026, describing cyber activity as an integral part of Moscow’s broader intelligence effort alongside traditional espionage and influence work.
“The tense geopolitical situation in Europe means that Russian intelligence has several areas of interest in relation to Norway and other NATO countries. Given the increase in military targets on Norwegian soil, the stronger allied presence, and additional military exercises, we anticipate heightened activity from Russian intelligence services,” the agency added.
Iranian intelligence services are also expected to carry out intelligence and influence operations in Norway, the PST said, warning the regime may attempt to target Western interests through property damage, targeted assassinations, terrorist acts or destructive cyber operations.
The PST said the assessment underlines the need for closer cooperation between authorities and the private sector, particularly operators of critical infrastructure, as foreign intelligence services increasingly combine cyber operations with more traditional espionage and influence campaigns.
BridgePay Network Solutions's Status Page - BridgePay Gateway - Outage - Under Investigation.
Update
We are continuing to work with our internal teams and external partners to address the issue.
At this time, we do not have any new information to share. We understand the impact this disruption may have and sincerely appreciate your patience as our teams continue their work.
We will provide another status update tomorrow with any new information available.
Posted 12 hours ago. Feb 08, 2026 - 18:06 EST
Update
At this time, there is no new confirmed information to report. Our teams, along with federal authorities and cybersecurity specialists, are working diligently on forensic analysis, system security, and recovery planning. Restoration efforts are actively underway, and all work is being conducted with care to ensure systems are brought back online safely and securely. We do not have an ETA on when this process will be completed. Because of the nature of the attack - ransomware - we are still in the early stages of this process.
We do want to reiterate this was not a card data breach. No card data was compromised and any file that may have been accessed was encrypted.
We understand the disruption this causes and truly appreciate your continued patience, support, and understanding during this process.
We remain committed to transparent communication and will provide further updates as soon as meaningful new information becomes available.
Posted 2 days ago. Feb 07, 2026 - 16:14 EST
Update
We want to provide a further update regarding the cybersecurity incident affecting our systems.
It is very unfortunate that we are all facing this situation in today’s world, and we are deeply grateful for the patience, understanding, and support we have received — especially from our partners, who have offered assistance and expertise during this time.
We can now confirm that this incident was the result of a ransomware attack. As previously noted, we have engaged both local and federal authorities, along with specialized forensic and recovery teams, to assist with investigation, containment, and system restoration. We are also working closely with leading cybersecurity firms to restore operations as quickly and safely as possible.
Initial forensic findings indicate that no payment card data has been compromised, and any files that may have been accessed were encrypted. At this time, there is no evidence of usable data exposure.
We recognize that recovery may be a lengthy process, and we are working with urgency and diligence to restore systems and services in a secure and responsible manner. Our priority remains protecting our customers, partners, and operations.
We will continue to provide updates as restoration efforts progress and additional verified information becomes available.
Thank you again for your patience, trust and continued support.
Posted 2 days ago. Feb 06, 2026 - 19:08 EST
Identified
At this time, our systems are temporarily unavailable. We are actively working with the U.S. Secret Service forensic team and cybersecurity professionals to secure our environment and obtain clearance to access our systems so we can fully assess the scope of the incident. This will allow us to better understand the extent of the impact and determine the appropriate restoration and recovery process.
Please know that this matter is being treated with the highest priority, and every available resource is being dedicated to resolving the situation safely and responsibly. We do not believe there is a threat or vulnerability for our integrators at this time.
We sincerely appreciate your patience and understanding during this time. We will provide updates as soon as new information becomes available and as restoration efforts progress.
Thank you for your continued trust and support.
Posted 3 days ago. Feb 06, 2026 - 12:00 EST
Update
We are currently experiencing a system-wide service disruption. We have identified that this outage is related to a cybersecurity incident and are actively investigating with our internal teams and external specialists including the FBI.
At this time, we do not have an estimated timeframe for full restoration of services. Our teams are working diligently to assess the impact, contain the issue, and restore systems as quickly and safely as possible.
We will provide additional updates as more information becomes available. We appreciate your patience and understanding during this time.
Posted 3 days ago. Feb 06, 2026 - 06:34 EST
Investigating
BridgePay systems are currently experiencing an outage.
Our team is engaged and investigating the cause.
Expected time for resolution is unknown at this time.
Posted 3 days ago. Feb 06, 2026 - 05:48 EST
This incident affects: PathwayLink Gateway (T-Gate) - Production (Gateway.Itstgate.com - Virtual Terminal, Reporting, API, PathwayLink Boarding Portal), PathwayLink (T-Gate) UAT - Certification Environment (GatewayStage.Itstgate.com - Virtual Terminal, Reporting, API, PathwayLink UAT Boarding Portal), BridgePay Gateway - Production (BridgePay Gateway API - BridgeComm, PayGuardian Cloud API, MyBridgePay Portal - Virtual Terminal and Reporting, BridgePay Gateway WebLink 3.0 - Hosted Payment Page), BridgePay UAT - Certification Environment (BridgePay UAT API - BridgeComm, PayGuardian Cloud UAT API, MyBridgePay UAT Portal - Virtual Terminal and Reporting, BridgePay UAT WebLink 3.0 - Hosted Payment Page), and BridgePay Support (BridgePay Integration Support Portal, BridgePay Phone Support, BridgePay Email Support).
SmarterTools Derek Curtis - 03/02/2026 at 15:45
As promised, we wanted to provide additional information regarding the network breach we experienced last Thursday (January 29, 2026), along with summaries of our releases and what we have observed both on our servers and when working with SmarterMail customers who have been compromised.
Our Network Breach
Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network. Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.
We isolate our networks, as is best practice, in the event of a breach. Because of this segmentation, our website, shopping cart, My Account portal, and several other services remained online while we mitigated the issue. None of our business applications or account data were affected or compromised.
As for what was affected, it was the network at our office and at another data center which primarily had various labs where we do much of our QC work, etc. At the data center, we hosted our Portal as well as our Hosted SmarterTrack network, which was connected via Active Directory. We didn’t see much affected there and, out of an abundance of caution, we restored some of those servers from the most recent backup, which was six hours old.
Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised and on those servers, our virus scanners blocked most efforts. None of the Linux servers were affected.
When we first noticed the breach, we instantly shut off all servers at the two locations and we disabled all internet until we completely evaluated all aspects of the breach and either eliminated servers and/or restored servers to be safe.
As a result of all this, our networks look very different than before. We have eliminated Windows from our networks where we could and we no longer use Active Directory services. Our policy in these scenarios is to replace passwords throughout our network as well.
Another thing to note, Sentinel One did a really good job detecting vulnerabilities and preventing servers from being encrypted. We use multiple virus vendors but we saw great results with Sentinel One and wanted to throw a shout out to them and encourage customers to take a look. Any virus scanner you do run on a SmarterMail server, please be sure to look at our knowledge base article on exclusions so you do not corrupt any files. Please review here: https://portal.smartertools.com/kb/a3249/virus-scanner-exceptions-for-smartermail.aspx#
We hope this helps customers understand the scope of the breach and what steps we took. More info on what we saw and what we are seeing on customers’ servers that have been compromised is included below.
Recent SmarterMail Releases
As mentioned in our previous emails, Build 9518 (January 15, 2026) contains all fixes related to the CVEs that were announced. Build 9526 (January 22, 2026) complements those fixes with additional improvements and resolves lesser issues that have been brought to our attention and/or discovered during our internal security audits.
It remains challenging to ensure all customers keep their installations up to date. Every build we release has significance. Even smaller security updates can help prevent issues such as denial-of-service attacks that might otherwise consume excessive server memory or CPU, etc.
Email remains as critical today as ever, and threats against mail servers are as high as they have ever been. The attacks are constantly evolving and technologies are constantly changing, and SmarterTools must make changes that are not always appreciated or understood. Examples include the deprecation of TLS 1.0/1.1 in favor of TLS 1.2 and above, the enforcement of SPF, DKIM, and DMARC requirements by major email providers, and other evolving standards.
Moving forward, we are continuing to audit all of our products and we will continue working with security companies and independent researchers if/when they find bugs or other issues. We are making continual updates—no matter how small—to ensure our products are as secure and optimized as possible.
As of now, there are no major known security issues with SmarterMail.
In addition, we are making a concerted effort to improve transparency in how we communicate security updates. This situation is unprecedented in our company’s history, and we are learning a great deal from it—with the help of our customers. While we do not anticipate a recurrence, we will approach any future incident even more proactively and effectively than we have.
Malicious Behaviors We Have Seen
As you can imagine, we have been working extensively with customers whose systems were vulnerable to attack. We were compromised by a group known as the Warlock Group, and we have observed similar activity on customer machines.
Once these bad actors gain access, they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later.
They often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data.
Common folders used:
Public folders
AppData
ProgramData
SmarterTools \ SmarterMail directories
Common file names and programs observed:
Velociraptor
JWRapper
Remote Access
SimpleHelp
WinRAR (specifically older, vulnerable versions)
Run.exe
Run.dll
main.exe
Short, random filenames such as e0f8rM_0.ps1 or abc...
Random .aspx files
Other indicators:
Unusual local users or administrators
Suspicious startup items
Newly created or modified scheduled tasks
It is also important to note that CVEs are being discovered across many different products. Some groups install legitimate-looking applications on servers and later exploit them. For example, the Warlock Group frequently targets CVEs in SharePoint and Veeam and has now targeted SmarterMail. Recent Notepad++ update vulnerabilities are another example of how trusted applications can be leveraged to further exploit systems, servers, and desktops.
Based on our observations, the Warlock Group primarily targets Windows environments. We are now primarily a Linux-based company and found no Linux servers exposed to compromise.
A Final Word
We hope this provides a fuller summary of what we have seen and what customers can look for in their own environments. We also hope it demonstrates that we are taking every possible step to prevent issues like this from occurring again and making every effort to consolidate what we’re seeing and sharing with our customers.
Finally, we continue to experience elevated support volumes, but response times are improving and are now measured in hours rather than days.
Derek Curtis
CCO
SmarterTools Inc.
www.smartertools.com
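The folder and file-name indicators listed in the post above, applied as triage logic to a file listing exported from a Windows host, with each hit marked against the update date and the 6-7 day wait the post describes. This is an added example, not SmarterTools' code; reading "Public folders" as `\Users\Public`, the 10-character cutoff for "short" names, the function names and the sample listing are assumptions.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Folder and name indicators from the post, lowercased for matching.
FOLDERS = ("\\users\\public\\", "\\appdata\\", "\\programdata\\",
           "\\smartertools\\", "\\smartermail\\")
TOOLS = ("velociraptor", "jwrapper", "remote access", "simplehelp", "winrar")
EXACT = {"run.exe", "run.dll", "main.exe"}
# Assumption: "short, random" means a .ps1 stem of at most 10 characters.
SHORT_PS1 = re.compile(r"^[a-z0-9_]{1,10}\.ps1$")
DWELL = timedelta(days=6)  # lower bound of the 6-7 day wait in the post

def reason_for(path):
    """Return the indicator a Windows path matches, or None."""
    low = path.lower()
    if not any(f in low for f in FOLDERS):
        return None
    name = PureWindowsPath(low).name
    if name in EXACT:
        return "listed file name"
    if any(t in low for t in TOOLS):
        return "listed tool name"
    if SHORT_PS1.match(name):
        return "short .ps1 name"
    return ".aspx file" if name.endswith(".aspx") else None

def triage(listing, patched_on):
    """listing: (path, created) pairs; findings come back oldest first."""
    findings = []
    for path, created in listing:
        reason = reason_for(path)
        if reason:
            # pre_patch: created before the update, so patching did not remove it.
            # act_from: earliest follow-on activity if the 6-7 day wait holds.
            findings.append({"path": path, "reason": reason,
                             "pre_patch": created < patched_on,
                             "act_from": created + DWELL})
    return sorted(findings, key=lambda f: f["act_from"])

# Constructed listing, not from a real host; EXAMPLE marks a placeholder path.
SAMPLE = [
    (r"C:\Users\Public\e0f8rM_0.ps1", datetime(2026, 1, 12, 3, 14)),
    (r"C:\ProgramData\SimpleHelp\service.exe", datetime(2026, 1, 13, 9, 0)),
    (r"C:\EXAMPLE\SmarterTools\SmarterMail\x7.aspx", datetime(2026, 1, 20, 22, 5)),
    (r"C:\Windows\System32\notepad.exe", datetime(2020, 1, 1)),
]

print(*triage(SAMPLE, datetime(2026, 1, 15)), sep="\n")  # assumed update date
```

The `.aspx` rule is noisy on a web root and is best compared against a known-good file list for the installed build. A name match on WinRAR cannot tell an older version from a current one.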