The Chinese APT group known as Salt Typhoon reportedly penetrated the network of a U.S. state’s Army National Guard for nearly nine months, from March 2024 to December 2024. This breach was highlighted in a June memo from the Department of Homeland Security (DHS), raising alarms about the security of critical military and infrastructure systems.
An intrusion of this kind is not surprising given the increasing prevalence of cyberattacks on U.S. government entities. As cybersecurity experts have noted, readily available infostealers priced as low as $10 have already breached sensitive military systems and even those of the FBI.
The DHS memo, which drew information from a Department of Defense (DOD) report and was later disclosed by an organization focused on national security transparency, revealed that Salt Typhoon significantly compromised the network in question. Although the specific state impacted was not identified, hackers were able to extract vital intelligence.
Deep Compromise and Data Theft
Throughout their prolonged access, Salt Typhoon accumulated sensitive information, including network configurations and details of data traffic within National Guard units across the United States and its territories. Alarmingly, the compromised data comprised administrator credentials and network diagrams, which could facilitate future attacks on other National Guard units.
Additionally, the extracted information included geographical location maps and personally identifiable information (PII) of service members. In approximately 14 states, National Guard units collaborate with fusion centers for intelligence sharing, suggesting that the implications of this breach may extend even further.
Salt Typhoon: A Persistent Threat
Salt Typhoon, also referred to as GhostEmperor and by other aliases, has a documented history of targeting U.S. governmental and critical infrastructure sectors such as energy, communications, and transportation. In November 2024, the group was linked to a notable breach of T-Mobile, exposing vulnerabilities within telecommunications systems. Thus far, they have reportedly compromised major U.S. internet and telecom companies, including AT&T and Verizon.
These breaches have allegedly been utilized to surveil the communications of high-profile political figures, including key presidential campaigns. A June 2025 advisory from the FBI and Canada’s Cyber Centre underscored Salt Typhoon’s global efforts against telecom networks, leveraging vulnerabilities such as CVE-2023-20198 to both steal data and maintain covert access.
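The advisory cited above names CVE-2023-20198, the Cisco IOS XE web UI flaw, as one of the vulnerabilities the group has leveraged. The exposure that flaw depends on is a device whose HTTP/HTTPS server feature is enabled and reachable, and Cisco's published mitigation was to disable that feature (or restrict it with an access-class) on internet-facing systems. The following script, added here as an illustration and not taken from the advisory or from any vendor tool, audits a running-config for that exposure. The two sample configurations are constructed for the example, and the helper names are the author's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an IOS XE running-config with the web UI enabled over
# both HTTP and HTTPS and no access-class limiting who can reach it. This is
# the exposure CVE-2023-20198 requires; the config is invented for this example.
EXPOSED_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Constructed sample after applying Cisco's published mitigation of
# disabling the HTTP server feature.
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
no ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
"""


@dataclass
class WebUiFinding:
    http_enabled: bool = False
    https_enabled: bool = False
    access_class: Optional[str] = None
    issues: List[str] = field(default_factory=list)


def audit_webui(config: str) -> WebUiFinding:
    """Parse running-config text and report whether the web UI is exposed."""
    finding = WebUiFinding()
    for raw in config.splitlines():
        line = raw.strip()
        # A disabled feature appears as 'no ip http ...'; the exact matches
        # below deliberately do not count those lines as enabled.
        if line == "ip http server":
            finding.http_enabled = True
        elif line == "ip http secure-server":
            finding.https_enabled = True
        elif line.startswith("ip http access-class"):
            # Both 'ip http access-class 10' and 'ip http access-class ipv4 NAME'
            # end with the ACL identifier.
            finding.access_class = line.split()[-1]

    exposed = finding.http_enabled or finding.https_enabled
    if exposed and finding.access_class is None:
        finding.issues.append(
            "web UI enabled with no access-class: anyone who can reach the "
            "management address can reach the interface CVE-2023-20198 abuses"
        )
    if finding.http_enabled:
        finding.issues.append("web UI served over plaintext HTTP")
    return finding


def remediation_commands(finding: WebUiFinding) -> List[str]:
    """IOS configuration commands that disable whichever listeners are on."""
    cmds = []
    if finding.http_enabled:
        cmds.append("no ip http server")
    if finding.https_enabled:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_webui(cfg)
        print(name, result.issues, remediation_commands(result))
```

The script only reads configuration text (for instance, a saved `show running-config`), so it can be run against a repository of device backups without touching the devices. Where the web UI must remain available, the alternative to disabling it is an `ip http access-class` entry restricting it to management addresses, which the audit recognises and stops flagging.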
Implications
The complex operational framework of National Guard units, which operate under both federal and state authority, may introduce additional avenues for cyberattacks. While the DOD has largely refrained from commenting on specifics, a spokesperson for the National Guard Bureau confirmed the breach but indicated that it had not disrupted ongoing missions.
“DHS is actively analyzing these types of incidents and is collaborating closely with the National Guard and various partners to bolster defenses and mitigate risks,” stated a DHS spokesperson.
While China’s embassy in Washington did not explicitly deny the campaign, it stressed that definitive evidence linking Salt Typhoon to the Chinese government remains elusive. Nevertheless, cybersecurity professionals advocate strengthening network defenses through measures such as rigorous password policies and enhanced encryption protocols, especially in light of Salt Typhoon’s ongoing threats.
According to cybersecurity experts, Salt Typhoon’s operational focus has been gathering intelligence rather than causing disruption. Given that National Guard units provide crucial support for civilian infrastructure security, any breach represents a substantial intelligence opportunity. The dynamic nature of cyber threats necessitates ongoing vigilance and robust resilience strategies to safeguard U.S. interests.