China’s Salt Typhoon Hacks U.S. National Guard Systems

Chinese state-sponsored hackers breached the network of a U.S. state’s Army National Guard unit, gaining access to configuration data and monitoring its communications with other units, according to a report from the Department of Defense (DoD). 

The hacking group, identified as Salt Typhoon, has previously been linked to cyber intrusions targeting major U.S. telecommunications providers including AT&T, Verizon, and Lumen Technologies. The group has also compromised similar service providers abroad in efforts to infiltrate wiretap systems. 

In recent warnings from the Canadian Centre for Cyber Security and the FBI, Salt Typhoon was also accused of targeting telecom providers in Canada, where the group stole call records and private messages.

A June DoD report obtained by NBC News revealed that Salt Typhoon had infiltrated a U.S. state's Army National Guard network and extracted sensitive information that could help the group access other National Guard units and their state-level cybersecurity partners. 

The report noted that if these cyber actors tied to the Chinese government had succeeded in expanding their access, they could have disrupted state-level cybersecurity operations critical to defending U.S. infrastructure in times of crisis or conflict. 

Salt Typhoon maintained access to the compromised network from March to December 2024. During that time, the group exfiltrated configuration files and intercepted data exchanged between the Guard unit and its counterparts across every U.S. state and at least four U.S. territories. 

This stolen information included administrator credentials and network diagrams, which could be used to support future attacks targeting other National Guard units. 

Between January and March 2024, the hackers also extracted configuration files from other U.S. government bodies and critical infrastructure organizations, including at least two state agencies. According to the report, Salt Typhoon stole a total of 1,462 network configuration files from about 70 entities across 12 sectors, such as energy, transportation, communications, and water and wastewater systems. 

To gain initial access, the attackers exploited known vulnerabilities in network edge devices made by Cisco and Palo Alto Networks. These included the flaws tracked as CVE-2018-0171, CVE-2023-20198, CVE-2023-20273, and CVE-2024-3400.

The DoD report emphasized that the breach could hinder local efforts to protect critical infrastructure, especially since National Guard units in 14 states are linked with centers that provide threat intelligence. One state’s unit also offers cyber defense services. 

Salt Typhoon’s access could have included details about each state’s cyber defense posture and personally identifiable information (PII), along with the work locations of cybersecurity personnel. This data may help inform the group’s future targeting strategies. 
