Chinese APT Salt Typhoon Compromises U.S. Army National Guard Network: A Comprehensive Analysis
TL;DR
The Chinese APT group Salt Typhoon compromised a U.S. Army National Guard network, stealing sensitive information and posing significant risks to U.S. cyber defenses. The breach highlights the ongoing threat of state-sponsored cyber espionage and the need for robust security measures.
Salt Typhoon Breach: Chinese APT Compromises U.S. Army National Guard Network
A recent report from the Department of Defense (DoD) reveals that the China-linked hacking group, Salt Typhoon, breached a U.S. state’s Army National Guard network between March and December 2024. This cyber intrusion allowed the advanced persistent threat (APT) group to steal critical network configurations, administrator credentials, and data exchanged with other units across the U.S. and several territories [1].
Impact and Implications
The compromised information could facilitate future attacks and weaken state-level defenses against Chinese cyber espionage during crises. The report warns that the stolen data might enable further hacks on other states’ Army National Guard units and their cybersecurity partners, potentially hampering their ability to defend U.S. critical infrastructure [2].
Tactics, Techniques, and Procedures (TTPs)
The report provides detailed insights into the TTPs employed by Salt Typhoon, along with guidance for detecting, preventing, and mitigating such threats. The APT group extensively compromised the network, collecting configuration data and traffic from counterpart networks in every U.S. state and at least four territories. This data included administrator credentials and network diagrams, which could be used to facilitate subsequent attacks [3].
Previous Activities of Salt Typhoon
Salt Typhoon has a history of targeting high-value assets. Previously, the group was accused of hacking U.S. telecommunications giants such as AT&T, Verizon, and Lumen Technologies to compromise wiretap systems. More recently, the Canadian Centre for Cyber Security and the FBI issued warnings about Salt Typhoon targeting telecom providers in Canada, stealing call records and private communications [4][5].
Ongoing Threats and Mitigation Strategies
Since 2023, Salt Typhoon has exploited various Common Vulnerabilities and Exposures (CVEs) using rented IPs to mask their activities. The group has stolen over 1,400 configuration files from more than 70 U.S. government and critical infrastructure entities across 12 sectors, including Energy and Water. These files contained credentials, network diagrams, and administrative data, enabling deeper intrusions [6].
Global Reach and Future Concerns
The Salt Typhoon hacking campaign has targeted telecommunications providers in several dozen countries. In February 2025, Recorded Future’s Insikt Group reported that the APT group continued to target telecommunications providers worldwide, exploiting unpatched Cisco IOS XE network devices. The group has been known to exploit specific Cisco flaws, such as CVE-2023-20198 and CVE-2023-20273 [7][8].
Government and Expert Responses
Government experts believe that Salt Typhoon is also targeting organizations in other sectors. State-sponsored hackers, particularly from China, are heavily focused on telecom providers for espionage purposes. These networks hold valuable data, including call logs, locations, and private communications. In December 2024, President Biden’s deputy national security adviser, Anne Neuberger, confirmed that Salt Typhoon had breached telecommunications companies in dozens of countries [9][10].
Conclusion
The Salt Typhoon breach of the U.S. Army National Guard network underscores the persistent threat of state-sponsored cyber espionage. As these attacks continue to evolve, it is crucial for organizations to implement robust security measures, including strict SMB and credential protection, encryption, and least privilege access. The ongoing espionage activities highlight the need for vigilance and proactive cyber defense strategies to protect critical infrastructure and national security.
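Because the stolen configuration files described above carried credentials and the campaign targeted the IOS XE web UI (CVE-2023-20198), a defender's first question is whether their own device configs expose the same weaknesses. The following audit script is an added example, not code from the report or any vendor; it runs over a constructed Cisco IOS-style running-config and flags reversible credential storage, an enabled web UI, a default SNMP community, and telnet on the VTY lines.

```python
import re

# Constructed sample of a Cisco IOS-style running-config; not taken from any real device.
SAMPLE_CONFIG = """\
hostname core-rtr-01
!
enable password cisco123
username admin password 7 0822455D0A16
username ops secret 5 $1$abcd$EfGhIjKlMnOpQrStUvWxY/
!
ip http server
ip http secure-server
!
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""


def audit_ios_config(text):
    """Return a list of (severity, finding) tuples for a Cisco IOS-style config.

    Checks the weaknesses tied to the Salt Typhoon reporting: credentials stored in
    plaintext or reversible (type 7) form, an exposed web UI, a default SNMP
    community string, and telnet permitted on the management lines.
    """
    findings = []
    for line in text.splitlines():
        s = line.strip()
        # 'enable password' is plaintext or type 7; 'enable secret' is a one-way hash.
        if re.match(r"enable password ", s):
            findings.append(("high", "enable password in config; use 'enable secret'"))
        # 'username X password ...' is reversible; 'username X secret ...' is hashed.
        m = re.match(r"username (\S+) password (7 |0 )?", s)
        if m:
            findings.append(("high", f"user {m.group(1)}: reversible password; use 'secret'"))
        # The HTTP/HTTPS server is the web UI feature affected by CVE-2023-20198.
        if s in ("ip http server", "ip http secure-server"):
            findings.append(("medium", f"web UI enabled ({s}); restrict or disable"))
        if re.match(r"snmp-server community (public|private) ", s):
            findings.append(("high", "default SNMP community string"))
        if s.startswith("transport input") and "telnet" in s:
            findings.append(("medium", "telnet allowed on VTY lines; permit ssh only"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{severity}] {finding}")
```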
References
1. “DoD report warns of Salt Typhoon breach” (2025). “China-linked APT Salt Typhoon targets Canadian telecom companies”. Security Affairs.
2. “NBC News report on Salt Typhoon hack” (2025). “20250611-dhs-salt-typhoon”. Document Cloud.
3. “Details on Salt Typhoon TTPs” (2025). “Salt Typhoon exploited Cisco IOS XE flaws”. Security Affairs.
4. “Salt Typhoon targets U.S. telecom providers” (2025). “Cisa-fbi-confirm-china-hacked-telecoms-providers-for-spying”. Security Week.
5. “Canadian telecom firms targeted by Salt Typhoon” (2025). “Chinas-salt-typhoon-hackers-target-canadian-telecom-firms”. Security Week.
6. “Salt Typhoon exploits CVEs” (2025). “Salt Typhoon breached multiple U.S. entities”. Security Affairs.
7. “Insikt Group report on Salt Typhoon” (2025). “Salt Typhoon exploited Cisco IOS XE flaws”. Security Affairs.
8. “CVEs exploited by Salt Typhoon” (2025). “CVE-2023-20198 Cisco IOS XE devices”. Security Affairs.
9. “Neuberger confirms Salt Typhoon breaches” (2025). “Salt Typhoon hacked U.S. broadband providers”. Security Affairs.
10. “Wall Street Journal report on Salt Typhoon” (2025). “Dozens of countries hit in Chinese telecom hacking campaign”. Wall Street Journal.