Salt Typhoon breach: Chinese APT compromises U.S. Army National Guard network
China-linked APT Salt Typhoon breached a U.S. Army National Guard unit’s network, accessed configs, and intercepted communications with other units.
A DoD report warns that China-nexus hacking group Salt Typhoon breached a U.S. state’s Army National Guard network from March to December 2024. The APT stole network configs, admin credentials, and data exchanged with units across all U.S. states and several territories. This info could help future hacks and weaken state-level defenses against Chinese cyberattacks during crises, posing serious risks to U.S. critical infrastructure.
“A recent compromise of a US state’s Army National Guard network by People’s Republic of China (PRC)-associated cyber actors—publicly tracked as Salt Typhoon—likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners. If the PRC-associated cyber actors that conducted the hack succeeded in the latter, it could hamstring state-level cybersecurity partners’ ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict.” reads a report first seen by NBC News.
The report includes details on the tactics, techniques and procedures (TTPs) used by Salt Typhoon, along with guidance to help National Guard units and state governments detect, prevent, and mitigate this threat.
“Between March and December 2024, Salt Typhoon extensively compromised a US state’s Army National Guard’s network and, among other things, collected its network configuration and its data traffic with its counterparts’ networks in every other US state and at least four US territories, according to a DOD report.” continues the report. “This data also included these networks’ administrator credentials and network diagrams—which could be used to facilitate follow-on Salt Typhoon hacks of these units.”
The government’s report warns that Salt Typhoon’s breach of a state’s Army National Guard network poses a major threat to U.S. cyber defenses. The group stole admin credentials, network diagrams, and PII of service members, potentially impacting cybersecurity staff in multiple states. With Guard units integrated into fusion centers in 14 states, this access could expose critical infrastructure defenses and help guide future Chinese cyberattacks targeting state-level cyber personnel and operations.
The nation-state threat actor, tracked as Salt Typhoon, was previously accused of hacking US telecommunications giants AT&T and Verizon, along with Lumen Technologies and other service providers in the US and abroad, to compromise wiretap systems.
Last month, the Canadian Centre for Cyber Security and the FBI warned that the APT had also targeted telecom providers in Canada, stealing call records and private communications.
Since 2023, Chinese group Salt Typhoon has exploited various CVEs using rented IPs to mask activity. They stole over 1,400 config files from over 70 U.S. government and critical infrastructure entities across 12 sectors, including Energy and Water. These files included credentials, network diagrams, and admin data, enabling deeper intrusions. DOD and CISA urge strict SMB and credential protection, encryption, and least privilege access to defend against future breaches.
At the end of June, the Canadian Centre for Cyber Security and the FBI warned that the China-linked APT cyber espionage group Salt Typhoon is targeting Canadian telecom firms in espionage attacks.
The Salt Typhoon hacking campaign, active for 1–2 years, has targeted telecommunications providers in several dozen countries, according to a U.S. official.
In February 2025, Recorded Future’s Insikt Group reported that China-linked APT group Salt Typhoon was still targeting telecommunications providers worldwide, and the threat actors had breached more U.S. telecommunications providers by exploiting unpatched Cisco IOS XE network devices.
Insikt Group researchers reported that the Chinese hackers have exploited two Cisco flaws, tracked as CVE-2023-20198 and CVE-2023-20273.
Canada’s Cyber Centre reports that PRC-linked group Salt Typhoon likely hacked three telecom devices in February 2025, exploiting CVE-2023-20198 to steal configs and set up a GRE tunnel for data collection.
“The Cyber Centre is aware of malicious cyber activities currently targeting Canadian telecommunications companies. The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon.” reads the guidance published by the Canadian Centre for Cyber Security. “Three network devices registered to a Canadian telecommunications company were compromised by likely Salt Typhoon actors in mid-February 2025. The actors exploited CVE-2023-20198 to retrieve the running configuration files from all three devices and modified at least one of the files to configure a GRE tunnel, enabling traffic collection from the network.”
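As an added illustration (not from the DoD report or the Cyber Centre guidance), the following script audits a Cisco IOS XE running-config for the kind of tampering described above: tunnel interfaces whose destination is not on an allowlist, privilege-15 local users not on the known-admin list, and an enabled web UI (the feature CVE-2023-20198 targets). The sample config, hostnames, usernames and addresses are all constructed.

```python
"""Audit a Cisco IOS XE running-config for unexpected tunnels, unexpected
privilege-15 users, and an exposed web UI. Constructed sample data only."""
import re

# Constructed example config: a tunnel to an unknown destination was added.
SAMPLE_CONFIG = """\
hostname edge-router-1
username netadmin privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.252
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
end
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Group the indented lines of each 'interface <name>' block."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the block
    return interfaces

def audit_config(config: str, known_admins: set[str],
                 allowed_tunnel_dsts: set[str]) -> list[str]:
    """Return findings; an empty list means nothing unexpected was seen."""
    findings = []
    for name, body in parse_interfaces(config).items():
        # GRE is the default tunnel mode on IOS and is usually NOT printed in
        # the running-config, so every Tunnel interface is checked, not only
        # those with an explicit 'tunnel mode gre' line.
        if not name.startswith("Tunnel"):
            continue
        dst = next((line.split()[-1] for line in body
                    if line.startswith("tunnel destination")), None)
        if dst not in allowed_tunnel_dsts:
            findings.append(f"unexpected tunnel {name} to {dst}")
    for m in re.finditer(r"^username (\S+) privilege 15", config, re.M):
        if m.group(1) not in known_admins:
            findings.append(f"unexpected privilege-15 user {m.group(1)}")
    if re.search(r"^ip http (secure-)?server$", config, re.M):
        findings.append("web UI (ip http server) enabled")
    return findings
```

Run it against a freshly pulled `show running-config` with your own admin and tunnel allowlists; a clean device returns an empty list.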
The Cyber Centre found that the China-nexus group is targeting more than telecoms, conducting network reconnaissance and possibly using compromised devices to reach more victims. This espionage activity is expected to continue over the next two years, with a focus on telecoms and their clients.
The government experts believe the nation-state actor is also targeting organizations that are in other sectors.
State-sponsored hackers, especially from China, are heavily targeting telecom providers for espionage. These networks hold valuable data like call logs, locations, and private communications. In 2024,
In early December 2024, President Biden’s deputy national security adviser Anne Neuberger said that China-linked APT group Salt Typhoon had breached telecommunications companies in dozens of countries.
The Wall Street Journal reported that the senior White House official revealed that at least eight U.S. telecommunications firms were compromised in the attack. The deputy national security adviser said China accessed extensive metadata from targeted Americans while seeking specific communications, focusing regionally on government and political figures.
China-linked APT Salt Typhoon has also reportedly targeted satellite firm Viasat.
Pierluigi Paganini
(SecurityAffairs – hacking, US Army)