Chinese Salt Typhoon Infiltrated US National Guard Network for Months
A sophisticated Chinese APT group, Salt Typhoon, successfully infiltrated a US state’s Army National Guard network for nearly a year, from March 2024 to December 2024. This breach, detailed in a Department of Homeland Security (DHS) memo from June,
While this raises concerns about the security of the US military and critical infrastructure systems, the attack is not entirely unexpected. As reported by Hackread.com, infostealers, available for as little as $10, have already compromised highly sensitive systems belonging to the US military and even the FBI.
The DHS memo, which obtained its information from a Department of Defense (DOD) report and was later shared with NBC News through a freedom of information request by the national security transparency non-profit Property of the People, revealed that Salt Typhoon “extensively compromised” the network. While the specific state was not named, the attack allowed the hackers to collect vital information.
Deep Compromise and Data Theft
During their prolonged access, Salt Typhoon managed to gather sensitive data, including network configurations and details of data traffic with National Guard units in every other US state and at least four US territories. Critically, this stolen information also contained administrator credentials and network diagrams, which could be used to facilitate future attacks on other National Guard units.
The data stolen also included geographic location maps and personally identifiable information (PII) of service members. In some 14 states, National Guard units work closely with “fusion centres” for intelligence sharing, meaning the breach could have a wider impact, the memo noted.
Salt Typhoon: A Persistent Threat
It is worth noting that Salt Typhoon (aka GhostEmperor, FamousSparrow, Earth Estries and UNC2286) has a history of targeting US government and critical infrastructure sectors, including energy, communications, transportation, and water systems.
As Hackread.com previously reported, in November 2024, Salt Typhoon was linked to a significant hack of T-Mobile, highlighting vulnerabilities in telecom systems. So far, the group has compromised at least eight major US internet and phone companies, including AT&T and Verizon.
These access points were reportedly used to monitor communications of prominent political figures, including the Harris and Trump presidential campaigns and Senate Majority Leader Chuck Schumer’s office.
A June 2025 advisory from the FBI and Canada’s Cyber Centre warned of Salt Typhoon’s global campaign against telecom networks, exploiting vulnerabilities like CVE-2023-20198 in devices to steal data and maintain hidden access.
Implications
Given the complex nature of National Guard units, which operate under both federal and state authority, the incident may create more points for possible cyberattacks. The Department of Defense has not commented on the specifics, but a National Guard Bureau spokesperson confirmed the compromise, noting it hasn’t affected their missions.
“DHS is continuing to analyse these types of attacks and is coordinating closely with the National Guard and other partners to prevent future attacks and mitigate risk,” a DHS spokesperson said.
Meanwhile, a spokesperson for China’s embassy in Washington did not deny the campaign but emphasized that the US lacks conclusive evidence linking Salt Typhoon to the Chinese government. Nevertheless, cybersecurity experts recommend hardening network devices, implementing stronger password policies, and enabling strong encryption to counter such threats.
“Volt Typhoon is focused on prepositioning for disruption, and creating a deterrent effect based on this, whilst Salt Typhoon is focused on positioning for intelligence gathering,” said Casey Ellis, Founder at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity.
“An intrusion on a National Guard isn’t a ‘military only’ operation. States regularly engage their National Guard to assist with the cyber defense of civilian infrastructure. As a target, they would be a rich source of all kinds of useful intelligence,” Casey argued.
“Intelligence informs action, so while the Volt Typhoon announcement is encouraging, it’s important to remember that we are basically playing a giant game of whack-a-mole here. Vigilance and continuing efforts towards resilience are key for domestic defenders of all types,” he advised.