Chinese ‘Salt Typhoon’ Hackers Hijacked US National Guard Network for Nearly a Year
Chinese state-sponsored hackers known as Salt Typhoon successfully infiltrated and maintained persistent access to a U.S. state’s Army National Guard network for nearly ten months, from March 2024 through December 2024, according to a Department of Homeland Security memo obtained by NBC News.
The intrusion marks a further escalation in Beijing’s ongoing cyber operations against U.S. military networks and may have exposed sensitive defense information along with details of the unit’s operational security practices.
The breach, detailed in a Pentagon investigation documented in a June DHS memo, demonstrates Salt Typhoon’s notorious ability to establish long-term persistence within critical infrastructure networks.
The hackers successfully exfiltrated geographic location maps, internal network topology diagrams, and personal information of service members, creating a comprehensive intelligence profile that could facilitate future attacks against other National Guard units and state-level cybersecurity partners.
Salt Typhoon’s emergence as a premier Advanced Persistent Threat (APT) group has been marked by its systematic targeting of telecommunications infrastructure and government networks.
NBC News analysts noted that the group had previously compromised at least eight major U.S. internet and phone companies, including AT&T and Verizon, using these access points to monitor communications of the Harris and Trump presidential campaigns and Senate Majority Leader Chuck Schumer’s office.
The intrusion likely took advantage of the dual nature of National Guard units, which operate under both federal Department of Defense authority and state governance structures.
This organizational complexity creates expanded attack surfaces, as these units maintain deep integration with local governments and law enforcement agencies.
The DHS report specifically highlighted that National Guard units in 14 states collaborate with law enforcement “fusion centers” for intelligence sharing, potentially multiplying the breach’s impact across multiple jurisdictions.
Persistence and Lateral Movement Mechanisms
Salt Typhoon’s persistence tactics reflect a detailed understanding of target network architecture and of the security controls deployed on it.
The group’s ability to maintain undetected access for extended periods, with Cisco reporting dwell times of up to three years in some environments, is consistent with living-off-the-land tradecraft: abuse of legitimate credentials, built-in administrative tooling and network devices, possibly supplemented by stealthy implants, so that malicious activity blends with normal system processes. Because little or no distinctive malware is involved, signature-based monitoring tends to miss it; detection depends instead on baselining legitimate administrative behaviour and investigating deviations from it.