Chinese APT Breaches U.S. Army National Guard Network


Pierluigi Paganini
July 16, 2025


A recent Department of Defense (DoD) report states that Salt Typhoon, a China-linked APT group, maintained access to a U.S. Army National Guard network from March to December 2024. During that period the group took network configuration files, administrator credentials, and data exchanged with Guard units in other states and U.S. territories. The stolen material poses a substantial risk to U.S. critical infrastructure because it can be reused to stage follow-on intrusions.

The report assesses that the compromise likely gave the People's Republic of China (PRC) intelligence that could be used to compromise additional state-level Army National Guard networks and the cybersecurity partnerships those units maintain. Because Guard units support state-level cyber defense, such access could hinder a state's ability to respond during a crisis or conflict, as NBC News noted in its coverage of the DoD findings.

Salt Typhoon's tactics, techniques, and procedures (TTPs) are documented in detail in the report, which urges state and National Guard agencies to implement its recommended detection and mitigation measures. In particular, the attackers collected extensive network configuration data and traffic passing between state networks, including administrator credentials and network diagrams. These assets amount to a blueprint for further targeted attacks: a device configuration file typically contains management addresses, routing and access-control policy, and embedded secrets such as local account passwords, SNMP community strings, and AAA server keys, which together let an attacker move into adjacent military and government networks without needing a fresh exploit.
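To make concrete why stolen configuration files are as dangerous as stolen passwords, here is an added example (not code from the DoD report or from SecurityAffairs) that audits a Cisco IOS-style configuration for secrets an attacker could recover offline. The sample configuration, hostnames and addresses are constructed for the example; the type-7 decoding key and the fact that Cisco "password 7" strings are reversible obfuscation rather than encryption are well-known properties of IOS. Running the same check against your own device backups before an adversary does is the practical takeaway.

```python
import re

# Cisco IOS "type 7" passwords are reversible obfuscation: two decimal offset
# digits followed by hex bytes XORed with this well-known constant key.
# Anyone holding a stolen config recovers them instantly.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Patterns for the secret types commonly found in exported device configs.
RE_TYPE7 = re.compile(r"\b(?:password|key) 7 ([0-9]{2}(?:[0-9A-Fa-f]{2})+)\b")
RE_PLAIN = re.compile(r"\b(?:password|secret) 0 (\S+)")
RE_MD5 = re.compile(r"\bsecret 5 (\$1\$\S+)")
RE_SNMP = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?")

# Constructed sample config for the example (not a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable secret 5 $1$xYz9$constructedPlaceholderHashValue00
username admin privilege 15 password 7 094F471A1A0A
username backup password 0 Summer2024!
snmp-server community public RO
tacacs-server host 10.0.0.5 key 7 0822455D0A16
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
"""


def decode_type7(blob: str) -> str:
    """Recover the cleartext from a Cisco type-7 password string."""
    if not re.fullmatch(r"[0-9]{2}(?:[0-9A-Fa-f]{2})+", blob):
        raise ValueError(f"not a type-7 string: {blob!r}")
    offset = int(blob[:2], 10)
    out = bytearray()
    for i, pos in enumerate(range(2, len(blob), 2)):
        key_byte = TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
        out.append(int(blob[pos:pos + 2], 16) ^ key_byte)
    return out.decode("ascii", errors="replace")


def audit_config(text: str) -> list[dict]:
    """Return one finding per embedded secret, with the recovered value where possible."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if m := RE_TYPE7.search(line):
            findings.append({"line": lineno, "kind": "type7",
                             "value": decode_type7(m.group(1)),
                             "note": "reversible; treat as cleartext"})
        elif m := RE_PLAIN.search(line):
            findings.append({"line": lineno, "kind": "plaintext",
                             "value": m.group(1), "note": "stored in the clear"})
        elif m := RE_MD5.search(line):
            findings.append({"line": lineno, "kind": "md5",
                             "value": m.group(1),
                             "note": "type 5 MD5-crypt; crackable offline, prefer type 8/9"})
        elif m := RE_SNMP.match(line):
            findings.append({"line": lineno, "kind": "snmp",
                             "value": m.group(1),
                             "note": f"SNMP community ({m.group(2) or 'RO'}) in cleartext"})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>3}  {f['kind']:<9} {f['value']!r:<45} {f['note']}")
```

Every type-7 string and every `password 0` line in an exfiltrated config is an immediately usable credential, and the SNMP community and TACACS key give an attacker the management plane and the AAA server as well; rotating those secrets on every device after a suspected config theft is the minimum response.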

The breach is characterized as a major threat to U.S. cyber defenses because it undermines security controls that service members across multiple states rely on. The stolen information could compromise integrated defense operations, expose critical infrastructure systems to heightened risk, and enable future intrusions aimed at state-level cybersecurity personnel.

Salt Typhoon has previously been implicated in intrusions at U.S. telecommunications providers, including AT&T and Verizon, and its activity has extended into Canada, where recent government alerts described attacks on Canadian telecom firms. Analysts note that the group exploits multiple vulnerabilities, including publicly known flaws in network edge devices, and conceals its activity with techniques such as routing operations through rented IP addresses.

Following the breach, security experts have emphasized stringent protective measures: hardening SMB (including requiring signing) and protecting credentials, enforcing encryption for data in transit and at rest, and applying least-privilege access. State-sponsored campaigns of this kind are continuous rather than one-off events, so organizations must remain vigilant.

As cyber espionage continues to evolve, Salt Typhoon's operations highlight the importance of robust defenses at both governmental and organizational levels. Mapped to the MITRE ATT&CK framework, the activity described in the report spans initial access, persistence to maintain network footholds, and privilege escalation to extend control over compromised systems; the theft of administrator credentials and configuration data corresponds directly to the credential access and collection tactics.

Ongoing activity attributed to the group shows a persistent focus on telecommunications and critical infrastructure, and security professionals are calling for comprehensive strategies to counter it. Government bodies and private enterprises are urged to strengthen their cybersecurity programs in anticipation of continued and evolving threats from state-sponsored actors like Salt Typhoon.
