Salt Typhoon hacked the US National Guard for 9 months, and accessed networks in every state

Chinese-backed APT group Salt Typhoon extensively compromised a US state’s Army National Guard network for nine months, stealing sensitive military data and gaining access to networks in every other US state and at least four territories, according to a Department of Homeland Security memo that warned the breach could facilitate attacks on critical infrastructure nationwide.

The DHS memo, dated June 11, said that between March and December 2024, Salt Typhoon “extensively compromised a US state’s Army National Guard’s network and, among other things, collected its network configuration and its data traffic with its counterparts’ networks in every other US state and at least four US territories.”

The document was obtained by the national security transparency nonprofit Property of the People and first reported by NBC News. Previously, Salt Typhoon has been linked to several extensive espionage campaigns against US critical infrastructure, including breaches of major telecommunications companies such as AT&T, Verizon, and Lumen Technologies.

“The National Guard is aware of recent Department of Defense and Department of Homeland Security reporting regarding the People’s Republic of China-affiliated hacking group, Salt Typhoon, and their targeting of Army National Guard networks between March and December 2024,” a National Guard spokesperson said. “While we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope. We are taking this matter extremely seriously. Security protocols are in place to mitigate further risk and contain any potential data compromises, and the response is ongoing. We are coordinating closely with DHS and other federal partners.”

Part of a broader campaign against critical infrastructure

The National Guard breach represents part of a much larger Salt Typhoon campaign targeting the US government and critical infrastructure entities. According to the memo, “In 2023 and 2024, Salt Typhoon also stole 1,462 network configuration files associated with approximately 70 US government and critical infrastructure entities from 12 sectors, including Energy, Communications, Transportation, and Water and Wastewater.”

These configuration files pose a significant threat because they “could enable further computer network exploitation of other networks, including data capture, administrator account manipulation, and lateral movement between networks,” the document explained.

The breach poses particular risks to US cybersecurity defenses due to the National Guard’s dual federal-state role and extensive connections to local government systems. The memo warned that “Salt Typhoon’s success in compromising states’ Army National Guard networks nationwide could undermine local cybersecurity efforts to protect critical infrastructure.”

This concern is heightened by the fact that “in some 14 states, Army National Guard units are integrated with state fusion centers responsible for sharing threat information — including cyber threats,” the memo noted. In at least one state, “the local Army National Guard unit directly provides network defense services,” making the breach particularly concerning for critical infrastructure protection.

Sensitive military data stolen

The attackers gained access to highly sensitive military and infrastructure information during the nine-month intrusion. The memo stated that “in 2024, Salt Typhoon used its access to a US state’s Army National Guard network to exfiltrate administrator credentials, network traffic diagrams, a map of geographic locations throughout the state, and PII of its service members.”

Beyond the immediate data theft, the memo warned that Salt Typhoon’s access to these networks “could include information on state cyber defense posture as well as the personally identifiable information (PII) and work locations of state cybersecurity personnel—data that could be used to inform future cyber-targeting efforts.”

The compromise “likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners,” the memo noted.

Established pattern of exploitation

Salt Typhoon has demonstrated a consistent methodology of using stolen network data to enable follow-on attacks. The memo noted that “Salt Typhoon has previously used exfiltrated network configuration files to enable cyber intrusions elsewhere.”

Specifically, “Between January and March 2024, Salt Typhoon exfiltrated configuration files associated with other US government and critical infrastructure entities, including at least two US state government agencies. At least one of these files later informed their compromise of a vulnerable device on another US government agency’s network.”

The memo explained that access to configuration files “can provide a threat actor with sensitive information like credentials, network topology details, and security settings they need to gain and maintain access, as well as to exfiltrate data.”

The document warned of serious consequences if Salt Typhoon succeeded in compromising state-level cybersecurity partners, stating it “could hamstring state-level cybersecurity partners’ ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict.”

This threat is particularly concerning given the interconnected nature of state and federal cybersecurity operations, where a breach in one system can potentially cascade across multiple networks and jurisdictions.

Technical methods and vulnerabilities

The memo provided technical details about Salt Typhoon’s attack methods, noting that since 2023, the group “has exploited a number of different common vulnerabilities and exposures (CVEs) using a range of leased internet protocol (IP) addresses to mask its activity.”

The document included specific CVEs exploited by the group, including CVE-2018-0171, CVE-2023-20198, CVE-2023-20273, and CVE-2024-3400, along with associated malicious IP addresses.

For defense against such attacks, the memo recommended that “network defenders should follow best practices to harden their network devices against cyber exploitation and to maintain proper auditing and logging of network activity.”
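The memo's two technical points above, that a stolen configuration file hands an attacker credentials, topology and security settings, and that defenders should harden devices and keep auditing and logging in place, can be turned into a routine check. The script below is an added illustration, not part of the DHS memo or this article: it audits a constructed Cisco IOS-style configuration for reversible or plaintext secrets, exposed management services and missing logging, and ties two of the checks to CVEs the memo names (the IOS XE web UI for CVE-2023-20198 and CVE-2023-20273, Smart Install for CVE-2018-0171). The sample config, hostnames and addresses are made up for the example.

```python
"""Audit a Cisco IOS-style config for secrets and exposures that make a leaked
config dangerous, plus hardening gaps tied to CVEs the memo lists.
Added example; the sample config is constructed, not taken from the memo."""
import re

# Constructed sample running-config (no real device, credentials or addresses).
SAMPLE_CONFIG = """\
hostname ng-edge-01
enable password letmein
username admin password 0 admin123
username ops secret 9 $9$constructedsalt$constructedhashvalue
snmp-server community public RO
snmp-server community s3cretRW RW
ip http server
ip http secure-server
interface GigabitEthernet0/1
 description uplink to state-fusion-center
 ip address 10.1.2.3 255.255.255.0
line vty 0 4
 password 7 094F471A1A0A
 transport input telnet ssh
logging host 10.9.9.9
"""

# Per-line rules: (regex, severity, message). CVE numbers are those the memo lists.
LINE_RULES = [
    (re.compile(r"^enable password\b"), "high",
     "plaintext/type-0 enable password; use 'enable secret' (type 8/9)"),
    (re.compile(r"^username \S+ password\b"), "high",
     "user password stored reversibly; use 'username ... secret'"),
    (re.compile(r"^\s*password 7\b"), "high",
     "type-7 line password is trivially reversible; use a type 8/9 secret"),
    (re.compile(r"\bsecret 5\b"), "medium",
     "type-5 (MD5) secret; migrate to type 8/9"),
    (re.compile(r"^snmp-server community \S+"), "medium",
     "SNMP community string in config; prefer SNMPv3 with auth/priv"),
    (re.compile(r"^ip http (secure-)?server\b"), "high",
     "management web UI enabled; CVE-2023-20198/CVE-2023-20273 target the "
     "IOS XE web UI, disable it if not required"),
    (re.compile(r"^\s*transport input .*\btelnet\b"), "medium",
     "telnet permitted on a VTY line; restrict to ssh"),
]

# Global rules: a pattern that must appear somewhere in the config.
REQUIRED_RULES = [
    (re.compile(r"^no vstack\b", re.M), "high",
     "Smart Install not explicitly disabled ('no vstack'); CVE-2018-0171 "
     "abuses Smart Install"),
    (re.compile(r"^logging host \S+", re.M), "medium",
     "no remote syslog destination; the memo asks for auditing and logging"),
]


def audit_config(text):
    """Return findings as dicts {'line', 'severity', 'msg'}; line 0 = whole config."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        for rx, sev, msg in LINE_RULES:
            if rx.search(line):
                findings.append({"line": n, "severity": sev, "msg": msg})
        # Well-known default community strings get an extra, higher-severity flag.
        m = re.match(r"^snmp-server community (\S+)", line)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append({"line": n, "severity": "high",
                             "msg": "default SNMP community string"})
    for rx, sev, msg in REQUIRED_RULES:
        if not rx.search(text):
            findings.append({"line": 0, "severity": sev, "msg": msg})
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count} for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        where = f"line {f['line']}" if f["line"] else "global"
        print(f"[{f['severity']:6}] {where}: {f['msg']}")
    print(count_by_severity(results))
```

Run against a saved `show running-config` before it is checked into a repository or shared with a partner network; every finding is a value an attacker would harvest from the file if it leaked, so an empty result is the goal, and the global rules catch what a line-by-line grep misses (a protection that is absent rather than a setting that is wrong).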

The memo’s release comes as the Trump administration disbanded the Cyber Safety Review Board, which had been investigating Salt Typhoon’s attacks on American telecommunications companies, potentially limiting ongoing oversight of the threat. The document warned that Salt Typhoon’s success in compromising National Guard networks could have far-reaching consequences for the US’s ability to defend critical infrastructure during a crisis or conflict with China.
