DHS: Salt Typhoon hackers breached Army National Guard, exposing admin credentials and network diagrams

Following the “Salt Typhoon” breach, which compromised U.S. Army National Guard networks, a former Air National Guard servicemember stated that all U.S. forces should now operate under the assumption that their networks are compromised and will be degraded, according to Nextgov/FCW. This reflects a heightened state of alert and a need for enhanced cybersecurity measures due to the severity of the breach, which has been described as the “worst telecom breach” in American history. 

The Salt Typhoon breach, attributed to hackers connected to China, targeted a U.S. state’s Army National Guard network, starting in March. The extent of the compromise and the potential for further damage have prompted this call for a more cautious approach to network security across all U.S. forces, according to Nextgov/FCW.

Officials with both the National Guard Bureau and the Department of Homeland Security (DHS) confirmed to MeriTalk today that the China-based Salt Typhoon hacking group targeted National Guard networks for attacks between March and December 2024.

These attacks have potentially far-reaching implications for the security of other National Guard unit networks and critical infrastructure entities that the guard helps to protect.

Both agencies indicated that the attacks targeted multiple National Guard networks, and that they have been working on steps to mitigate the impact of the attacks.

A report from NBC News last night broke the news of the attacks, and cited as a primary source of its reporting a June 11 memo from DHS’s Office of Intelligence and Analysis detailing the Salt Typhoon attacks. That memo lays out how extensive the blast radius of the attack may have been.

“A recent compromise of a US state’s Army National Guard network by People’s Republic of China (PRC)-associated cyber actors – publicly tracked as Salt Typhoon – likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners,” the DHS memo says.

“If the PRC-associated cyber actors that conducted the hack succeeded in the latter, it could hamstring state-level cybersecurity partners’ ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict,” the DHS memo warns.

The memo also offers guidance to help the National Guard and state governments to detect, prevent, and mitigate against threats emanating from the Salt Typhoon attacks.

The DHS memo goes on to say that the Salt Typhoon attacks “extensively compromised” the unnamed state National Guard’s network, “and, among other things, collected its network configuration and its data traffic with its counterparts’ networks in every other US state and at least four US territories, according to a DOD [Defense Department] report.”

“This data also included these networks’ administrator credentials and network diagrams – which could be used to facilitate follow-on Salt Typhoon hacks of these units,” the memo says.

“Salt Typhoon has previously used exfiltrated network configuration files to enable cyber intrusions elsewhere,” the memo says, adding, “Between January and March 2024, Salt Typhoon exfiltrated configuration files associated with other US government and critical infrastructure entities, including at least two US state government agencies. At least one of these files later informed their compromise of a vulnerable device on another US government agency’s network.”

“Salt Typhoon’s success in compromising states’ Army National Guard networks nationwide could undermine local cybersecurity efforts to protect critical infrastructure,” the memo warns, adding, “In some 14 states, Army National Guard units are integrated with state fusion centers responsible for sharing threat information – including cyber threats. In at least one state, the local Army National Guard unit directly provides network defense services.”

“DHS regularly communicates threat information with its partners and in June shared an update on the People’s Republic of China-affiliated hacking group, Salt Typhoon, targeting National Guard networks between March and December 2024,” a DHS spokesperson said today.

“DHS is continuing to analyze these types of attacks and is coordinating closely with the National Guard and other partners to prevent future attacks and mitigate risk,” the spokesperson said.

“The National Guard is aware of recent Department of Defense and Department of Homeland Security reporting regarding the Peoples Republic of China-affiliated hacking group, Salt Typhoon, and their targeting of Army National Guard networks between March and December 2024,” a spokesperson for the National Guard Bureau told MeriTalk today.

“While we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope,” the spokesperson said.

“We are taking this matter extremely seriously,” the spokesperson said. “Security protocols are in place to mitigate further risk and contain any potential data compromises, and the response is ongoing. We are coordinating closely with DHS and other federal partners.”

At least one private sector cybersecurity expert reacted with considerable alarm to the news.

“Salt Typhoon’s compromise of the US National Guard is a significant event and potentially poses a serious threat to many Department of Defense systems,” said Gary Barlet, Illumio’s public sector chief technology officer.

“Going forward, all US forces must now assume their networks are compromised and will be degraded,” Barlet warned.

“This isn’t the first breach of Department of Defense systems we’ve seen,” Barlet said. “There have been numerous instances across both the public and private sector where sensitive information has been compromised and critical systems accessed via lateral movement.”

“In fact, the Ponemon Institute highlighted that 55% of organizations admitted a compromised device had infected other devices on the network,” he said.

“The ability of groups such as Salt Typhoon to move laterally across different units and systems is why government agencies must accelerate Zero Trust adoption and go even further with a breach containment strategy,” Barlet emphasized. “It is critical that services and data remain secure even when attackers have compromised a section of the network.”

The Salt Typhoon and related Volt Typhoon hacking groups backed by the Chinese government have emerged in recent years as sophisticated threat actors. Earlier this year, a U.S. intelligence community report said that the PRC poses the biggest cyber threat to the United States. source

An elite Chinese cyberspy group hacked at least one state’s National Guard network for nearly a year, the Department of Defense has found.

The hackers, already responsible for one of the most expansive cyberespionage campaigns against the U.S. to date, are alleged to have burrowed even further than previously known and may have obtained sensitive military or law enforcement information. Authorities are still working to discover the extent of the data accessed.

A Department of Homeland Security memo from June, describing the Pentagon’s findings, said that the group, publicly known by the nickname Salt Typhoon, “extensively compromised a U.S. state’s Army National Guard network” from March 2024 through December. The memo did not say which state.

The report was provided to NBC News through the national security transparency nonprofit Property of the People, which obtained it through a freedom of information request.

The Department of Defense didn’t respond to a request for comment. A National Guard Bureau spokesperson confirmed the compromise but declined to share details.

“While we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope,” the spokesperson said.

A spokesperson for China’s embassy in Washington did not deny the campaign but said the U.S. has failed to prove China is behind the Salt Typhoon hacks.

“Cyberattacks are a common threat faced by all countries, China included,” the spokesperson said, adding that the U.S. “has been unable to produce conclusive and reliable evidence that the ‘Salt Typhoon’ is linked to the Chinese government.”

Salt Typhoon is notorious even by the standards of China’s massive cyberspy efforts because of its ability to jump from one organization to another. Last year, U.S. authorities found that it had hacked at least eight of the country’s largest internet and phone companies, including AT&T and Verizon, using access to spy on the calls and text messages of both the Harris and Trump presidential campaigns, as well as the office of then-Senate Majority Leader Chuck Schumer.

While part of the Department of Defense, National Guard units are also under the authority of their states; some are deeply integrated with local governments or law enforcement, which may have given the Salt Typhoon hackers the ability to compromise other organizations.

The hack “likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners,” the DHS report found. The National Guard in 14 U.S. states works with law enforcement “fusion centers” to share intelligence, the DHS memo notes. The hackers accessed a map of geographic locations in the targeted state, diagrams of how internal networks are set up, and personal information of service members, it said.

In January, the Treasury Department — also a recent target of alleged Chinese hacking — sanctioned a Sichuan company for allegedly helping Beijing’s Ministry of State Security conduct Salt Typhoon operations.

Salt Typhoon can be pernicious and hard to root out once the hackers take hold. In the AT&T case, the company announced in December that it appeared as if they were no longer being affected and Verizon said in January it had “contained” the incident. Both companies stopped short of saying they were fully protected from the hackers returning. A report from Cisco said that, in at least one instance, Salt Typhoon hackers remained in an affected environment for up to three years. source


DHS: Salt Typhoon hackers breached Army National Guard, exposing admin credentials and network diagrams

A U.S. Department of Homeland Security (DHS) memo circulated in June revealed that a Chinese cyberespionage group known as Salt Typhoon “extensively compromised a U.S. state’s Army National Guard network” over nine months in 2024. The memo, which cites findings from the Department of Defense, said the breach lasted from March through December and did not specify which state was targeted. It also revealed that the stolen data included administrator credentials and detailed network diagrams, information that could enable Salt Typhoon hackers to carry out follow-on attacks against the compromised installations.

The memo, however, noted that “If the PRC-associated cyber actors that conducted the hack succeeded in the latter, it could hamstring state-level cybersecurity partners’ ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict.”

The DHS also identified that in 2023 and 2024, Salt Typhoon also stole 1,462 network configuration files associated with approximately 70 U.S. government and critical infrastructure entities from 12 sectors, including energy, communications, transportation, and water and wastewater sectors. “These configuration files could enable further computer network exploitation of other networks, including data capture, administrator account manipulation, and lateral movement between networks, according to CISA reporting and NSA guidance.”

Salt Typhoon, already tied to some of the most aggressive cyber operations against the U.S., is now believed to have gained deeper access than previously known, raising concerns that the hackers may have obtained sensitive military or law enforcement information. Federal officials are still investigating the extent of the data exposure.

A National Guard Bureau spokesperson confirmed the compromise to NBC News, but declined to share details. “While we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope,” the spokesperson said.

The DHS revealed that between January and March 2024, Salt Typhoon exfiltrated configuration files associated with other U.S. government and critical infrastructure entities, including at least two U.S. state government agencies. At least one of these files later informed the group’s compromise of a vulnerable device on another U.S. government agency’s network.

It added that Salt Typhoon’s success in compromising states’ Army National Guard networks nationwide could undermine local cybersecurity efforts to protect critical infrastructure. “In some 14 states, Army National Guard units are integrated with state fusion centers responsible for sharing threat information—including cyber threats. In at least one state, the local Army National Guard unit directly provides network defense services.”

The memo also identified that Salt Typhoon access to Army National Guard networks in these states could include information on state cyber defense posture, as well as the personally identifiable information (PII) and work locations of state cybersecurity personnel, data that could be used to inform future cyber-targeting efforts.

According to DOD reporting, in 2024, Salt Typhoon used its access to a US state’s Army National Guard network to exfiltrate administrator credentials, network traffic diagrams, a map of geographic locations throughout the state, and PII of its service members.

The DHS memo surfaces as senior cybersecurity officials from the National Security Agency and the FBI report progress in disrupting Chinese cyber campaigns targeting U.S. critical infrastructure.

Speaking Tuesday at the International Conference on Cyber Security at Fordham University in New York City, experts detailed Beijing’s so-called Typhoon campaigns, coordinated efforts in which both Chinese government entities and private sector actors aimed at infiltrating U.S. government agencies and critical infrastructure installations.

Kristina Walter, director of the NSA’s Cybersecurity Collaboration Center, focused on Volt Typhoon, an effort by Chinese actors to preposition themselves on U.S. critical infrastructure for disruptive or destructive cyberattacks in the event of a kinetic conflict centered around Taiwan.

“The good news is, they really failed. They wanted to persist in domestic networks very quietly for a very long time so that if and when they needed to disrupt those networks, they could. They were not successful in that campaign,” she said.

“We, with private sector, with FBI, found them, understood how they were using the operating systems, how they’re using legitimate credentials to maintain persistence, and frankly, we equipped the entire private sector and U.S. government to hunt for them and detect them.”

Walter did not offer further details about those efforts. She said that after the NSA and other agencies released a public advisory in 2024, owners of critical infrastructure reached out to them to confirm that they had found evidence of Volt Typhoon and ask for help.

Brett Leatherman, who was recently appointed assistant director for cyber at the FBI, echoed those remarks and noted that Volt Typhoon was specifically focused on critical infrastructure centered around the U.S. Navy, particularly in island communities like Guam.

He said U.S. efforts to shine a light on the campaign forced Chinese actors to pull back, adapt their tactics, and burn previous methods they used to breach critical infrastructure systems. The publicity fostered by U.S. agencies forced Chinese groups to come up with new ways to breach organizations while also providing ways for private industry to better defend itself.

“Even if you’re not dismantling that network — we’re never going to dismantle the CCP hacking apparatus — but if you can bring real relief to victims, you’re also protecting national security by doing that, and that’s why public attribution is so important when it comes to PRC hacking activity,” he said.

Commenting on the DHS memo, Ensar Seker, CISO at SOCRadar, wrote in an emailed statement that the revelation that Salt Typhoon maintained access to a U.S. National Guard network for nearly a year is a serious escalation in the cyber domain.

“This isn’t just an opportunistic intrusion. It reflects deliberate, long-term espionage designed to quietly extract strategic intelligence. The group’s sustained presence suggests they were gathering more than just files, they were likely mapping infrastructure, monitoring communication flows, and identifying exploitable weak points for future use,” according to Seker. “What’s deeply concerning is that this activity went undetected for so long in a military environment. It raises questions about visibility gaps, segmentation policies, and detection capabilities in hybrid federal-state defense networks.”

He added that it’s another reminder that advanced persistent threat actors like Salt Typhoon are not only targeting federal agencies but also state-level components, where the security posture might be more varied.

“In a time where we are often fooled into thinking cybercrime means somebody telling us that we missed jury duty, or convincing our loved ones of a long-distance romantic relationship, we sometimes miss the fact that this is more than a game and is played at the nation state level,” Erich Kron, security awareness advocate at KnowBe4, wrote in an emailed statement. “Cybercrime has real dangers for real people and real governments as well. The Typhoon groups, several different alleged Chinese-backed cybercrime groups that carry the ‘Typhoon’ moniker as part of their name, have been known to be very stealthy and very effective. While this was at the state level with the National Guard, it still goes to demonstrate that even our military forces are at risk from these cybercrime groups.”

He added that “These criminal groups must be taken seriously, which means that everyone from senior government leadership to the average citizen needs to be at least somewhat aware of the threats, how to spot them, and who to report them to. Whether it’s stealing money from individuals to fund other operations or trying to cripple infrastructure through cyberattacks, these bad actors are a clear and present danger.” source


Major US telecom hack prompts security push after Salt Typhoon attack

Officials urge stronger defences after Chinese hackers infiltrated major US telecom networks.

Lawmakers have called for urgent measures to strengthen US telecommunications security following a massive cyberattack linked to China. The hacking campaign, referred to as Salt Typhoon, targeted American telecom companies, compromising vast amounts of metadata and call records. Federal agencies have briefed Congress on the incident, which officials say could be the largest telecom breach in US history.

Senator Ben Ray Luján described the hack as a wake-up call, urging the full implementation of federal recommendations to secure networks. Senator Ted Cruz warned of future threats, emphasising the need to close vulnerabilities in critical infrastructure. Debate also surfaced over the role of offensive cybersecurity measures, with Senator Dan Sullivan questioning whether deterrence efforts are adequate.

The White House reported that at least eight telecommunications firms were affected, with significant data theft. In response, Federal Communications Commission Chairwoman Jessica Rosenworcel proposed annual cybersecurity certifications for telecom companies. Efforts to replace insecure Chinese-made equipment in US networks continue, but funding shortfalls have hampered progress.

China has dismissed the allegations, claiming opposition to all forms of cybercrime. However, US officials have cited evidence of data theft involving companies like Verizon, AT&T, and Lumen. Congress is set to vote on a defence bill allocating $3.1 billion to remove and replace vulnerable telecom hardware. source
