The Chinese state-backed hacking group Salt Typhoon launched a major cyberattack on the U.S. Army National Guard, breaching National Guard networks in multiple states and accessing admin credentials, network diagrams, and data on cybersecurity personnel.
This incident serves as a stark reminder that nation-state cyber threats can have devastating impacts, especially when critical defense and infrastructure systems are involved.
Who Is Salt Typhoon?

Salt Typhoon is a nation-state threat actor with known ties to the Chinese government. U.S. intelligence agencies have tracked the group for years, and it has previously been suspected of hacking major American telecommunications providers such as AT&T, Verizon, and Lumen Technologies, gaining unauthorized access to wiretap systems.
More recently, both Canadian cybersecurity authorities and the FBI have warned that Salt Typhoon expanded its operations to include telecom providers in Canada, compromising private communications and call records.
What Was the Objective Behind the Attack?
According to a U.S. Department of Defense (DoD) report obtained by NBC News, Salt Typhoon infiltrated the Army National Guard network in one state between March and December 2024. During this period, the attackers exfiltrated:
- Network configuration files
- System architecture and diagrams
- Administrator credentials
- Communications data between Guard units in other U.S. states and at least four U.S. territories
"If PRC-associated cyber actors are able to breach state-level cybersecurity partners, it could hinder their ability to defend critical infrastructure during a national crisis," the DoD report warns.
In addition, during early 2024, the group also stole configuration data from other state government agencies and key infrastructure organizations. In total, over 1,462 configuration files were stolen from more than 70 entities across 12 critical sectors, including energy, telecommunications, transportation, and water systems.
Which Vulnerabilities Were Exploited?
Salt Typhoon exploited known vulnerabilities in edge network devices—particularly routers and firewalls—from Cisco and Palo Alto Networks. These included:
- CVE-2018-0171
- CVE-2023-20198
- CVE-2023-20273
- CVE-2024-3400
The use of these CVEs demonstrates the group’s capability to identify unpatched or improperly secured systems and exploit them with precision.
Why This Attack Matters
The attackers targeted not only technical systems but also stole personally identifiable information (PII) and the work locations of cybersecurity personnel across several states. Such data can be used for further targeted attacks, social engineering, or intimidation in politically sensitive situations.
National Guard units in 14 states work with local threat intelligence centers, and some directly deliver cyber defense services. The breach of these networks puts not only the personnel but the nation’s broader cyber resilience at risk.
What Can Organizations Learn From This?
This incident underscores the importance of regularly updating systems and rigorously securing all devices connected to the network—especially edge devices such as firewalls and routers, which are often prime targets for hackers.
Today, cyber threats go beyond technical concerns—they now form a core part of national security challenges. Organizations at every level—government, private sector, and critical infrastructure—must elevate their vigilance and cybersecurity readiness accordingly.
Source: SecurityWeek – China’s Salt Typhoon Hacked US National Guard