Chinese ‘Salt Typhoon’ Hackers Infiltrated US National Guard Network for Almost a Year
The Department of Defense (DoD) has determined that an advanced persistent threat (APT) group known as Salt Typhoon, publicly attributed to Chinese state-sponsored actors, penetrated a U.S. state's Army National Guard network, a significant escalation in nation-state cyberthreats.
The compromise ran from March 2024 to December 2024, giving the intruders the opportunity to exfiltrate sensitive military and law enforcement data.
The intrusion relied on lateral movement across interconnected systems, exposing weaknesses in hybrid federal-state infrastructure.
Forensic analysis is ongoing to establish the full scope of the reconnaissance and whether the attackers retained command-and-control (C2) access or other persistence mechanisms.
Department of Defense Uncovers Prolonged Intrusion
According to a June memo from the Department of Homeland Security (DHS) summarizing the Pentagon's findings, Salt Typhoon carried out an extensive compromise, exploiting network misconfigurations and possibly zero-day vulnerabilities to maintain unauthorized access.
The memo, obtained through a Freedom of Information Act (FOIA) request by the nonprofit Property of the People and shared with NBC News, did not identify the affected state but emphasized the hackers' ability to map internal topologies, harvest personally identifiable information (PII) of service members, and diagram network architectures.
That reconnaissance data could support follow-on spear-phishing campaigns or supply-chain attacks against other state-level entities, including those integrated with law enforcement fusion centers in at least 14 states.
The DoD declined to comment, while a National Guard Bureau spokesperson acknowledged the breach, saying it did not disrupt missions but that investigators are still checking for residual persistence mechanisms such as backdoor implants or rootkits.
Salt Typhoon, notorious for its modular malware frameworks and evasion tactics, has a history of chaining exploits across critical infrastructure sectors.
In prior incidents, the group compromised major telecommunications providers like AT&T and Verizon, enabling wiretap-level surveillance on high-profile targets, including communications from the Harris and Trump presidential campaigns and Senate Majority Leader Chuck Schumer’s office.
This latest breach underscores the APT's proficiency in pivoting from initial footholds, such as vulnerable edge devices or unpatched software, to deeper network segments, potentially using credential dumping and privilege escalation to reach sensitive data repositories.
Given the National Guard's dual role, interfacing with state governments and local agencies, the intrusion may have opened vectors for cascading compromises across federated systems, amplifying Beijing's intelligence-gathering capabilities.
Broader Implications for National Security
Chinese officials, through their Washington embassy spokesperson, denied involvement, asserting a lack of conclusive evidence linking Salt Typhoon to the Ministry of State Security (MSS).
They framed cyberattacks as a universal challenge, repeating earlier denials in the face of mounting attributions.
In response, the U.S. Treasury Department imposed sanctions in January on a Sichuan-based firm allegedly supporting MSS operations, citing its role in developing custom exploits and C2 infrastructure for Salt Typhoon campaigns.
Eradication remains difficult: Cisco Talos reported instances of the group maintaining dwell times of more than three years through obfuscated payloads and living-off-the-land (LotL) techniques, which hamper detection by endpoint detection and response (EDR) tools because the activity blends in with legitimate administrative tooling.
According to that report, telecom giants like AT&T and Verizon have claimed containment, but full expulsion is elusive, since residual artifacts could enable re-entry through dormant beacons.
This incident amplifies concerns over nation-state cyber operations targeting hybrid defense networks, where state-level integrations create exploitable seams.
Cybersecurity experts warn that without zero-trust architectures, hardened multi-factor authentication, and continuous threat hunting, similar APT incursions will proliferate, handing adversaries strategic advantages in geopolitical contests.
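The two points above, that dormant beacons can survive a "contained" intrusion and that only active threat hunting tends to surface them, are concrete enough to show. The following is an added example written for this page; it is not code from the original article, from Cisco Talos, or from any agency named here. It assumes a simplified proxy-log format ("timestamp src dst bytes_out"), and all sample lines are constructed: one host talks to a hourly beacon with a few seconds of jitter, to a once-a-day "dormant" check-in, and to an ordinary, irregular destination. The hunt scores every (source, destination) pair by how regular its inter-connection intervals and payload sizes are, which is the classic beaconing signal that LotL tradecraft on the endpoint does not hide from the network.

```python
"""Hunt for periodic (beacon-like) outbound connections in proxy logs.

Added example for this article, not code from the original page or from any
vendor or agency named in it. The log format and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample log: "<ISO-8601 UTC timestamp> <src_ip> <dst_ip> <bytes_out>".
# 10.1.2.3 -> 203.0.113.10 is an hourly beacon with a few seconds of jitter,
# 10.1.2.3 -> 192.0.2.44  is a once-a-day "dormant" check-in, and
# 10.1.2.3 -> 198.51.100.7 is ordinary, irregular traffic (noise).
SAMPLE_LOG = """\
2024-06-01T00:00:05Z 10.1.2.3 203.0.113.10 512
2024-06-01T00:00:07Z 10.1.2.3 198.51.100.7 8192
2024-06-01T01:00:04Z 10.1.2.3 203.0.113.10 514
2024-06-01T01:30:11Z 10.1.2.3 198.51.100.7 120
2024-06-01T02:00:06Z 10.1.2.3 203.0.113.10 511
2024-06-01T02:15:00Z 10.1.2.3 192.0.2.44 256
2024-06-01T03:00:05Z 10.1.2.3 203.0.113.10 513
2024-06-01T03:12:59Z 10.1.2.3 198.51.100.7 40960
2024-06-01T04:00:06Z 10.1.2.3 203.0.113.10 512
2024-06-01T05:00:04Z 10.1.2.3 203.0.113.10 512
2024-06-01T09:41:00Z 10.1.2.3 198.51.100.7 77
2024-06-02T02:15:03Z 10.1.2.3 192.0.2.44 260
2024-06-03T02:14:58Z 10.1.2.3 192.0.2.44 255
2024-06-04T02:15:01Z 10.1.2.3 192.0.2.44 258
2024-06-05T02:15:02Z 10.1.2.3 192.0.2.44 256
"""


def parse_log(text):
    """Group (timestamp, bytes_out) observations by (src, dst); skip malformed lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            size = int(parts[3])
        except ValueError:
            continue
        flows[(parts[1], parts[2])].append((ts, size))
    return flows


def _cv(values):
    """Coefficient of variation (stdev / mean); 0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def hunt_beacons(text, min_events=4, max_interval_cv=0.2, max_size_cv=0.5):
    """Score every (src, dst) pair: low interval jitter plus steady size is beacon-like.

    The period itself is not a criterion, so a daily 'dormant' check-in scores the
    same as an hourly one; what matters is that the log window covers enough
    repetitions (min_events) to measure the jitter at all.
    """
    findings = []
    for (src, dst), obs in parse_log(text).items():
        if len(obs) < min_events:
            continue
        obs.sort()  # by timestamp
        stamps = [t for t, _ in obs]
        sizes = [s for _, s in obs]
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        interval_cv = _cv(intervals)
        size_cv = _cv(sizes)
        findings.append({
            "src": src,
            "dst": dst,
            "events": len(obs),
            "period_s": median(intervals),
            "interval_cv": round(interval_cv, 4),
            "size_cv": round(size_cv, 4),
            "flagged": interval_cv <= max_interval_cv and size_cv <= max_size_cv,
        })
    findings.sort(key=lambda f: f["interval_cv"])  # most regular first
    return findings


if __name__ == "__main__":
    for f in hunt_beacons(SAMPLE_LOG):
        mark = "BEACON?" if f["flagged"] else "       "
        print(f"{mark} {f['src']} -> {f['dst']}: n={f['events']} "
              f"period={f['period_s']:.0f}s jitter_cv={f['interval_cv']} "
              f"size_cv={f['size_cv']}")
```

The thresholds (jitter and size coefficient of variation, minimum event count) are illustrative assumptions, not vendor guidance, and a real deployment would also whitelist known update and telemetry endpoints, which are legitimately periodic. The daily check-in in the sample is the case the article's "dormant beacons" warning is about: it only becomes visible when the hunt window spans several of its periods, which is why a lookback of days or weeks, not hours, is needed after an eviction.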
As investigations proceed, the breach serves as a stark reminder of the evolving threat landscape, where persistent adversaries like Salt Typhoon exploit interconnected ecosystems for long-term intelligence dominance.