A Chinese state-sponsored hacking group known as Salt Typhoon infiltrated a U.S. Army National Guard network and remained undetected for nine months in 2024, stealing sensitive data, including network diagrams, administrator credentials, and personal information of service members.
The breach, revealed in a Department of Homeland Security memo dated June 11 and first reported by NBC, raises concerns about the potential for wider compromise across government networks.
Salt Typhoon, believed to be linked to China’s Ministry of State Security, has a history of targeting major telecommunications providers like AT&T, Verizon, and Lumen. The group’s goal has often been to access sensitive communications, call records, and even law enforcement surveillance systems.
According to the DHS memo, the hackers accessed the National Guard network between March and December 2024. During this time, they collected detailed network configuration files and traffic data between the affected state’s Guard unit and counterparts across other U.S. states and territories. These configuration files, which include firewall rules, VPN credentials, and routing information, could be used to stage follow-on attacks.
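Because a stolen configuration file is only as damaging as the secrets it carries, one check a defender can run before a backup ever leaves a device is to audit it for credential material. The script below is an added example and not code from the article, the DHS memo, or any vendor; it scans a constructed, Cisco-IOS-style configuration (the sample text, the line patterns, and the severity labels are all assumptions for illustration) and reports passwords stored in plaintext or in reversible type-7 form, SNMP community strings, and plaintext IKE pre-shared keys, while leaving hashed secrets unflagged.

```python
"""Audit a network device configuration backup for exposed credentials.

Added example (not from the article or the DHS memo).  The configuration
text, regexes and severities below are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample configuration; not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-router-1
enable password cisco123
enable secret 9 $9$abcdefghijklmnop
username netadmin password 7 0822455D0A16
username svc-backup privilege 15 secret 5 $1$xyz$abcdefghijklmnopqrstu
snmp-server community public RO
crypto isakmp key MySharedKey address 203.0.113.10
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    severity: str
    evidence: str  # offending line with the secret value redacted


# "enable password ..." and "username X [privilege N] password ..." lines.
# Type 0 (or no type) is plaintext, type 7 is reversible; 5/8/9 are hashes.
_PASSWORD_RE = re.compile(
    r"^(?P<prefix>enable password|username \S+ (?:privilege \d+ )?password)"
    r"\s+(?:(?P<ptype>\d)\s+)?(?P<value>\S+)\s*$"
)
# IKE pre-shared key; type 6 means encrypted at rest, none/0 means plaintext.
_PSK_RE = re.compile(
    r"^(?P<prefix>crypto isakmp key)\s+(?:(?P<ptype>\d)\s+)?(?P<value>\S+)(?P<rest>.*)$"
)
# SNMP community strings are always stored in the clear.
_SNMP_RE = re.compile(r"^(?P<prefix>snmp-server community)\s+(?P<value>\S+)(?P<rest>.*)$")


def _redacted(m: re.Match) -> str:
    """Rebuild the matched line with the secret value replaced."""
    groups = m.groupdict()
    parts = [groups["prefix"]]
    if groups.get("ptype"):
        parts.append(groups["ptype"])
    parts.append("<redacted>")
    return " ".join(parts) + (groups.get("rest") or "")


def audit_config(text: str) -> list[Finding]:
    """Return one Finding per line that stores a recoverable secret."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        m = _PASSWORD_RE.match(line)
        if m:
            ptype = m.group("ptype")
            if ptype in (None, "0"):
                kind = "plaintext password"
            elif ptype == "7":
                kind = "type-7 (reversibly obfuscated) password"
            else:
                continue  # hashed secret types are not flagged
            findings.append(Finding(lineno, kind, "high", _redacted(m)))
            continue
        m = _PSK_RE.match(line)
        if m:
            if m.group("ptype") in (None, "0"):
                findings.append(Finding(lineno, "plaintext IKE pre-shared key", "high", _redacted(m)))
            continue
        m = _SNMP_RE.match(line)
        if m:
            findings.append(Finding(lineno, "SNMP community string", "medium", _redacted(m)))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings by severity for a quick pass/fail gate."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line}: [{f.severity}] {f.kind}: {f.evidence}")
    print(severity_counts(audit_config(SAMPLE_CONFIG)))
```

Even a clean result does not make a leaked configuration harmless: the file still reveals topology, VPN peers and firewall rules, so a compromised backup should trigger credential rotation and a review of the exposed design regardless of what this audit finds.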
The memo states that Salt Typhoon has previously used stolen configuration files to breach other U.S. government and critical infrastructure systems. Between January and March 2024, the group exfiltrated similar data from at least two state agencies, with at least one file later being used to exploit another federal system.
The DHS confirmed that Salt Typhoon has stolen 1,462 configuration files tied to about 70 U.S. government and critical infrastructure organizations across 12 sectors between 2023 and 2024.
While the specific method of entry in the National Guard breach remains undisclosed, Salt Typhoon is known to exploit unpatched vulnerabilities in networking devices. The DHS identified several flaws the group has used in past attacks, including:
CVE-2018-0171 – A critical Cisco Smart Install flaw allowing remote code execution
CVE-2023-20198 – A Cisco IOS XE zero-day for unauthenticated remote access
CVE-2023-20273 – A privilege escalation flaw used with CVE-2023-20198
CVE-2024-3400 – A Palo Alto PAN-OS vulnerability enabling command injection
The memo also listed several IP addresses linked to Salt Typhoon’s operations, urging security teams to monitor and block these addresses. The attackers are also known to deploy custom malware like JumbledPath and GhostSpider to surveil telecom infrastructure and political targets.
The National Guard Bureau confirmed the breach but emphasized that no federal or state missions were disrupted. Meanwhile, China’s embassy in Washington declined to acknowledge the group’s ties to Beijing, calling the accusations unsubstantiated.
The DHS recommends that all government and military IT teams patch known vulnerabilities, disable unnecessary services, implement SMB signing, and enforce strict access controls to prevent similar breaches.