{"id":14451,"date":"2025-07-16T12:06:19","date_gmt":"2025-07-16T12:06:19","guid":{"rendered":"https:\/\/newestek.com\/?p=14451"},"modified":"2025-07-16T12:06:19","modified_gmt":"2025-07-16T12:06:19","slug":"salt-typhoon-hacked-the-us-national-guard-for-9-months-and-accessed-networks-in-every-state","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14451","title":{"rendered":"Salt Typhoon hacked the US National Guard for 9 months, and accessed networks in every state"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Chinese-backed APT group Salt Typhoon extensively compromised a US state\u2019s Army National Guard network for nine months, stealing sensitive military data and gaining access to networks in every other US state and at least four territories, according to a Department of Homeland Security memo that warned the breach could facilitate attacks on critical infrastructure nationwide.<\/p>\n<p>The <a href=\"https:\/\/www.documentcloud.org\/documents\/25998809-20250611-dhs-salt-typhoon\/\" target=\"_blank\" rel=\"noreferrer noopener\">DHS memo<\/a>, dated June 11, said that between March and December 2024, Salt Typhoon \u201cextensively compromised a US state\u2019s Army National Guard\u2019s network and, among other things, collected its network configuration and its data traffic with its counterparts\u2019 networks in every other US state and at least four US territories.\u201d<\/p>\n<p>The document was obtained by the national security transparency nonprofit Property of the People and first reported by <a href=\"https:\/\/www.nbcnews.com\/tech\/security\/national-guard-was-hacked-chinas-salt-typhoon-group-dhs-says-rcna218648\" target=\"_blank\" rel=\"noreferrer 
noopener\">NBC News<\/a>. Previously, Salt Typhoon has been linked to several <a href=\"https:\/\/www.csoonline.com\/article\/3632044\/more-telecom-firms-were-breached-by-chinese-hackers-than-previously-reported.html?utm=hybrid_search\">extensive espionage campaigns against US critical infrastructure<\/a>, including breaches of major telecommunications companies such as AT&amp;T, Verizon, and Lumen Technologies.<\/p>\n<p>\u201cThe National Guard is aware of recent Department of Defense and Department of Homeland Security reporting regarding the People\u2019s Republic of China-affiliated hacking group, Salt Typhoon, and their targeting of Army National Guard networks between March and December 2024,\u201d a National Guard spokesperson said. \u201cWhile we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope. We are taking this matter extremely seriously. Security protocols are in place to mitigate further risk and contain any potential data compromises, and the response is ongoing. We are coordinating closely with DHS and other federal partners.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><strong>Part of a broader campaign against critical infrastructure<\/strong><\/h2>\n<p>The National Guard breach represents part of a much larger Salt Typhoon campaign targeting the US government and critical infrastructure entities. 
According to the memo, \u201cIn 2023 and 2024, Salt Typhoon also stole 1,462 network configuration files associated with approximately 70 US government and critical infrastructure entities from 12 sectors, including Energy, Communications, Transportation, and Water and Wastewater.\u201d<\/p>\n<p>These configuration files pose a significant threat because they \u201ccould enable further computer network exploitation of other networks, including data capture, administrator account manipulation, and lateral movement between networks,\u201d the document explained.<\/p>\n<p>The breach poses particular risks to US cybersecurity defenses due to the National Guard\u2019s dual federal-state role and extensive connections to local government systems. The memo warned that \u201cSalt Typhoon\u2019s success in compromising states\u2019 Army National Guard networks nationwide could undermine local cybersecurity efforts to protect critical infrastructure.\u201d<\/p>\n<p>This concern is heightened by the fact that \u201cin some 14 states, Army National Guard units are integrated with state fusion centers responsible for sharing threat information \u2014 including cyber threats,\u201d the memo noted. In at least one state, \u201cthe local Army National Guard unit directly provides network defense services,\u201d making the breach particularly concerning for critical infrastructure protection.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Sensitive military data stolen<\/strong><\/h2>\n<p>The attackers gained access to highly sensitive military and infrastructure information during the nine-month intrusion. 
The memo stated that \u201cin 2024, Salt Typhoon used its access to a US state\u2019s Army National Guard network to exfiltrate administrator credentials, network traffic diagrams, a map of geographic locations throughout the state, and PII of its service members.\u201d<\/p>\n<p>Beyond the immediate data theft, the memo warned that Salt Typhoon\u2019s access to these networks \u201ccould include information on state cyber defense posture as well as the personally identifiable information (PII) and work locations of state cybersecurity personnel\u2014data that could be used to inform future cyber-targeting efforts.\u201d<\/p>\n<p>The compromise \u201clikely provided Beijing with data that could facilitate the hacking of other states\u2019 Army National Guard units, and possibly many of their state-level cybersecurity partners,\u201d the memo noted.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Established pattern of exploitation<\/strong><\/h2>\n<p>Salt Typhoon has demonstrated a consistent methodology of using stolen network data to enable follow-on attacks. The memo noted that \u201cSalt Typhoon has previously used exfiltrated network configuration files to enable cyber intrusions elsewhere.\u201d<\/p>\n<p>Specifically, \u201cBetween January and March 2024, Salt Typhoon exfiltrated configuration files associated with other US government and critical infrastructure entities, including at least two US state government agencies. 
At least one of these files later informed their compromise of a vulnerable device on another US government agency\u2019s network.\u201d<\/p>\n<p>The memo explained that access to configuration files \u201ccan provide a threat actor with sensitive information like credentials, network topology details, and security settings they need to gain and maintain access, as well as to exfiltrate data.\u201d<\/p>\n<p>The document warned of serious consequences if Salt Typhoon succeeded in compromising state-level cybersecurity partners, stating it \u201ccould hamstring state-level cybersecurity partners\u2019 ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict.\u201d<\/p>\n<p>This threat is particularly concerning given the interconnected nature of state and federal cybersecurity operations, where a breach in one system can potentially cascade across multiple networks and jurisdictions.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Technical methods and vulnerabilities<\/strong><\/h2>\n<p>The memo provided technical details about Salt Typhoon\u2019s attack methods, noting that since 2023, the group \u201chas exploited a number of different common vulnerabilities and exposures (CVEs) using a range of leased internet protocol (IP) addresses to mask its activity.\u201d<\/p>\n<p>The document included specific CVEs exploited by the group, including CVE-2018-0171, CVE-2023-20198, CVE-2023-20273, and CVE-2024-3400, along with associated malicious IP addresses.<\/p>\n<p>For defense against such attacks, the memo recommended that \u201cnetwork defenders should follow best practices to harden their network devices against cyber exploitation and to maintain proper auditing and logging of network activity.\u201d<\/p>\n<p>The memo\u2019s release comes as the Trump administration disbanded the <a 
href=\"https:\/\/www.csoonline.com\/article\/3807871\/trump-administration-disbands-dhs-board-investigating-salt-typhoon-hacks.html\">Cyber Safety Review Board<\/a>, which had been investigating Salt Typhoon\u2019s attacks on American telecommunications companies, potentially limiting ongoing oversight of the threat. The document warned that Salt Typhoon\u2019s success in compromising National Guard networks could have far-reaching consequences for the US\u2019s ability to defend critical infrastructure during a crisis or conflict with China.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Chinese-backed APT group Salt Typhoon extensively compromised a US state\u2019s Army National Guard network for nine months, stealing sensitive military data and gaining access to networks in every other US state and at least four territories, according to a Department of Homeland Security memo that warned the breach could facilitate attacks on critical infrastructure nationwide. 
The DHS memo, dated June 11, said that between March&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14451\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14451","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14451"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14451\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}