Chinese Hackers Breach U.S. National Guard In Major Cyberattack

A confidential memo from the Department of Homeland Security (DHS) reveals that a U.S. state's Army National Guard's computer network was infiltrated by a Chinese state-linked hacking group, known as "Salt Typhoon".

The memo, first reported by NBC, was obtained through a Freedom of Information Act (FOIA) request filed by the national security transparency non-profit, Property of the People.

It further says that the hackers "extensively compromised a U.S. state's Army National Guard network" for nine months, from March to December 2024, and remained undetected for that entire period. This breach marks one of the largest cyber-espionage campaigns against American military infrastructure in recent times.

What Is Salt Typhoon

Salt Typhoon is an advanced persistent threat (APT) actor believed to be operated by China's Ministry of State Security (MSS) intelligence agency. It is known for conducting high-profile cyber espionage campaigns, particularly against the United States. The hacking group focuses on gathering intelligence and gaining persistent access to networks across sectors such as defense, energy, and communications.

What Was Exposed In The Breach

Between March and December 2024, the hacking group exfiltrated internal maps and network traffic diagrams, describing communication flows between National Guard units across all 50 states and four U.S. territories.

It also stole administrator credentials and 1,462 network configuration files associated with 70 U.S. government and critical infrastructure entities spanning 12 sectors, including energy, communications, transportation, water, and wastewater. Those files could be used to breach National Guard and government networks in other states.

Additionally, personally identifiable information (PII) of service members and the locations of state cybersecurity personnel in multiple states were also exposed.

“Between March and December 2024, Salt Typhoon extensively compromised a US state’s Army National Guard’s network and, among other things, collected its network configuration and its data traffic with its counterparts’ networks in every other US state and at least four US territories, according to a DOD report,” reads the memo.

“This data also included these networks’ administrator credentials and network diagrams—which could be used to facilitate follow-on Salt Typhoon hacks of these units.”

According to the memo, Salt Typhoon has a history of using stolen network topologies and configuration data to breach U.S. government agencies and critical infrastructure systems.

“Salt Typhoon has previously used exfiltrated network configuration files to enable cyber intrusions elsewhere. Between January and March 2024, Salt Typhoon exfiltrated configuration files associated with other U.S. government and critical infrastructure entities, including at least two U.S. state government agencies. At least one of these files later informed their compromise of a vulnerable device on another U.S. government agency’s network,” the memo added.
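The memo's point that a stolen configuration file can seed an intrusion somewhere else is concrete: router and switch configs routinely carry reversible "type 7" passwords, MD5-hashed enable secrets, SNMP community strings and legacy management settings, so whoever holds the file holds working credentials. The script below, added here as an example and not part of the article or the DHS memo, triages a constructed Cisco IOS-style configuration for exactly those items. The hostname, usernames and secrets in it are hypothetical; the type 7 decoding is the publicly documented Cisco obfuscation scheme (a fixed XOR key and a two-digit seed), which is why such passwords are recoverable instantly without any cracking.

```python
"""Triage a captured Cisco IOS-style configuration for secrets an adversary
could reuse.  Added example; the config below is constructed and is not from
the breach described in the article."""
import re

# Fixed XOR key used by Cisco "type 7" password obfuscation (publicly documented).
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed sample config: hypothetical hostname, users and secrets.
SAMPLE_CONFIG = """\
hostname ng-core-rtr1
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 094F471A1A0A
!
username netadmin privilege 15 password 7 1218011A1B05
username backup secret 9 $9$J9fOqIfdSbz6qk$Q9Qhb7b2ZbS9K6q3vE7mNJ1vQ5wFqK2Bn8r7cUdPzWk
!
snmp-server community public RO
snmp-server community n3tmgmt RW
!
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet ssh
!
"""


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two-digit decimal seed, then hex bytes, each
    XORed with TYPE7_KEY starting at the seed offset."""
    seed = int(encoded[:2])
    body = encoded[2:]
    chars = []
    for i in range(0, len(body), 2):
        byte = int(body[i:i + 2], 16)
        chars.append(chr(byte ^ ord(TYPE7_KEY[(seed + i // 2) % len(TYPE7_KEY)])))
    return "".join(chars)


def triage_config(text: str) -> list:
    """Return (line_no, finding, value, line) for each reusable secret or weak
    setting.  Type 8/9 (PBKDF2/scrypt) secrets are deliberately not flagged."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = re.search(r"\b(?:password|secret)\s+7\s+([0-9A-Fa-f]+)\b", line)
        if m:  # reversible on the spot, no cracking needed
            findings.append((n, "type7-reversible", decode_type7(m.group(1)), line))
            continue
        m = re.search(r"\bsecret\s+5\s+(\$1\$\S+)", line)
        if m:  # salted MD5: fast offline dictionary attack
            findings.append((n, "type5-md5-offline-crackable", m.group(1), line))
            continue
        m = re.search(r"^snmp-server community\s+(\S+)\s+(RO|RW)\b", line)
        if m:  # community string is a cleartext credential; RW = device control
            findings.append((n, f"snmp-community-{m.group(2).lower()}", m.group(1), line))
            continue
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append((n, "cleartext-telnet-enabled", None, line))
    return findings


def recovered_credentials(text: str) -> dict:
    """Map each reversible type 7 line to its plaintext: what the stolen file
    hands an adversary with zero effort."""
    return {f[3]: f[2] for f in triage_config(text) if f[1] == "type7-reversible"}


if __name__ == "__main__":
    for n, kind, value, line in triage_config(SAMPLE_CONFIG):
        shown = f" -> {value}" if value else ""
        print(f"line {n:3d} [{kind}] {line}{shown}")
```

Run against a real backup of your own devices, the output is the list of credentials that must be rotated and the settings that must go (type 7 and type 5 replaced by type 8/9 secrets, SNMP communities replaced by SNMPv3 users, telnet removed from `transport input`) before a leaked config can be turned into the kind of follow-on access the memo describes.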

Why It Matters

Salt Typhoon isn't new. It has previously breached major U.S. telecommunications companies, including AT&T, Verizon, and T-Mobile, predominantly by exploiting a Cisco vulnerability, as well as satellite systems like Viasat and other service providers both in the U.S. and internationally.

Government Reaction & Response

The National Guard Bureau confirmed the breach but insists missions were not disrupted. An investigation is underway to assess the full extent of the intrusion.

"While we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope," a National Guard Bureau spokesperson said.

Further, CISA, DHS, and the Pentagon are coordinating efforts to contain the breach and are considering enhanced security measures, including stronger firewalls, improved encryption, tighter access controls, and broader implementation of Zero Trust architecture.

Meanwhile, a spokesperson for China's embassy in Washington did not deny the hacking campaign, but argued that the U.S. has not produced concrete proof connecting China to the Salt Typhoon cyberattacks.

"Cyberattacks are a common threat faced by all countries, China included," the spokesperson said, adding that the U.S. "has been unable to produce conclusive and reliable evidence that the 'Salt Typhoon' is linked to the Chinese government."

Kavita Iyer, https://www.techworm.net
