A prolific Chinese hacking unit’s breach into National Guard networks poses a serious threat to Defense Department systems and is a major escalation of the group’s initial breach into core telecom networks first uncovered last year, according to experts.
A Department of Homeland Security memo summarizing Pentagon findings said the group—known publicly as Salt Typhoon—“extensively compromised a U.S. state’s Army National Guard network” between March and December 2024. The state was not named.
Salt Typhoon also “collected its network configuration and its data traffic with its counterparts’ networks in every other US state and at least four US territories,” says the memo, citing a DOD report. “This data also included these networks’ administrator credentials and network diagrams—which could be used to facilitate follow-on Salt Typhoon hacks of these units.”
The June 11 memo produced by the DHS Office of Intelligence and Analysis was first reported by NBC News, which obtained it through a Freedom of Information Act request filed by the national security transparency nonprofit Property of the People.
Between January and March of last year, Salt Typhoon also “exfiltrated configuration files associated with other U.S. government and critical infrastructure entities, including at least two U.S. state government agencies,” it notes.
It later adds: “In 2024, Salt Typhoon used its access to a US state’s Army National Guard network to exfiltrate administrator credentials, network traffic diagrams, a map of geographic locations throughout the state and [personally identifiable information] of its service members, according to DOD reporting.”
Salt Typhoon breached major telecom carriers in a global, multi-year espionage campaign uncovered last year. Over time, news has trickled out about the scope and scale of the incident, which was first reported last September by The Wall Street Journal.
The hacking unit is part of a broader syndicate of state-backed groups tied to different military and intelligence arms of China’s central government. The “Typhoon” moniker comes from a Microsoft naming convention for Beijing-linked cyber actors.
“Salt Typhoon’s compromise of the U.S. National Guard is a significant event and potentially poses a serious threat to many Department of Defense systems,” said Gary Barlet, a former Air National Guard servicemember and former chief information officer at the U.S. Postal Service.
“Going forward, all U.S. forces must now assume their networks are compromised and will be degraded,” added Barlet, now public sector CTO at cloud computing security firm Illumino.
Despite the intrusion being at just the state level, it indicates that U.S. armed forces are still in the crosshairs of hackers, said Erich Kron, a security awareness advocate at KnowBe4.
“As we’ve seen in several recent conflicts, cyberattacks play a critical role in military actions, often being coordinated with boots-on-the-ground actions as well. This is just another example of the trouble [the Typhoon groups] can cause and danger that they pose.”
Ensar Seker, CISO at threat intelligence firm SOCRadar, said he is concerned about how long Salt Typhoon dwelled in the National Guard systems undetected.
“The revelation that Salt Typhoon maintained access to a U.S. National Guard network for nearly a year is a serious escalation in the cyber domain,” he said. “It raises questions about visibility gaps, segmentation policies and detection capabilities in hybrid federal-state defense networks. It’s another reminder that advanced persistent threat actors like Salt Typhoon are not only targeting federal agencies but also state-level components where the security posture might be more varied.”
In 2022, the National Guard awarded a $15 million contract to AT&T to modernize GuardNet, the internal network that provides Army Guard soldiers with access to the internet and other platforms. AT&T is among several U.S. telecom providers previously breached by Salt Typhoon, though it remains unclear whether any components of GuardNet were used as a vector in the intrusion.
“Salt Typhoon’s success in compromising states’ Army National Guard networks nationwide could undermine local cybersecurity efforts to protect critical infrastructure,” the DHS memo reads. “In some 14 states, Army National Guard units are integrated with state fusion centers responsible for sharing threat information—including cyber threats.”
Fusion centers are localized intelligence hubs that bring together personnel and information from federal agencies, as well as state and local governments.
“In at least one state, the local Army National Guard unit directly provides network defense services,” the memo says.
Read the full article here