National Guard Was Hacked by China’s Salt Typhoon, Maintaining Access for Almost 1 Year

• Prolonged access: Salt Typhoon gained extensive access to the National Guard’s internal network for nearly a year.
• Extended compromise: The attackers may have obtained sensitive information related to military or law enforcement operations.
• Stolen details: Administrator credentials, network traffic diagrams, maps, and employee PII were exfiltrated.

Salt Typhoon, a known Chinese cyberspy group, infiltrated a U.S. state’s Army National Guard network from March 2024 to December 2024. This breach was part of a larger cyberespionage campaign, accessing network traffic and exfiltrating sensitive data.

The incident was revealed in a newly released Department of Homeland Security (DHS) memo from June, obtained by CNN via a freedom of information request submitted by the national security transparency nonprofit Property of the People. 

Timeline and Breach Details  

While the exact state targeted remains undisclosed, investigators confirmed that the Salt Typhoon hackers accessed administrator credentials, network diagrams, and maps – and possibly information on state cyber defense posture and the personally identifiable information (PII) and work locations of state cybersecurity employees.

The attackers collected the Army National Guard’s “network configuration and its data traffic with its counterparts’ networks in every other U.S. state and at least four U.S. territories,” according to a DOD report mentioned in the DHS memo.

The report says the Army National Guard directly provides network defense services in at least one state to state-level intelligence-sharing hubs called fusion centers, which are responsible for sharing threat information – and this would be a rich source of intel, Casey Ellis, Founder at Bugcrowd, agrees.

Implications for Cybersecurity  

Salt Typhoon, suspected of being linked to the Chinese government, has a record of conducting persistent cyber operations to gather military and political intelligence, and the attack could be a part of the ongoing geopolitical tensions.   

Such military units are not legitimate targets since the U.S. and the PRC are not currently at war, and these “adversaries do not respect the Law of Armed Conflict and are fully prepared to target civilian infrastructure, albeit illegally,” commented Bryan Cunningham, President at Liberty Defense and a former White House lawyer and career CIA officer.

Cunningham suggests that cyber activity from the PRC, Russia, and Iran may grow more frequent, with the U.S. likely to remain a key target. Still, both he and Ellis describe the ongoing threat environment as a kind of digital whack-a-mole where emerging threats are quickly replaced by new ones, and defenders are left in a constant state of vigilance.

The threat actor is focused on positioning for intelligence gathering, as Ellis believes, and has been implicated in previous campaigns targeting major U.S. entities, such as telecommunications companies. 

In November 2024, TechNadu reported that Salt Typhoon had compromised AT&T, Verizon, and Lumen Technologies and accessed communications belonging to U.S. government officials. Viasat was added to the list in January, when the U.S. Treasury Department sanctioned alleged hacker Yin Kecheng and Sichuan Juxinhe Network Technology Company, Ltd. for their connections with Salt Typhoon.