Salt Typhoon Breach: Chinese APT Compromises U.S. Army National Guard Network

A recent breach of a U.S. state's Army National Guard network by the China-linked APT group Salt Typhoon has raised serious concerns about the security of critical infrastructure in the United States. According to a Department of Defense (DOD) report, Salt Typhoon extensively compromised the network of a single state's Army National Guard between March and December 2024, stealing sensitive information that could be used to facilitate future intrusions.

The report, first covered by NBC News, states that Salt Typhoon accessed configuration files, administrator credentials, and data exchanged with Guard units across all U.S. states and several territories. Because Guard networks interconnect with those of other states, that material could be used to weaken state-level defenses against Chinese cyberattacks during a crisis, posing a significant risk to critical infrastructure.

The Impact of the Breach

The DOD report warns that Salt Typhoon's breach of the state's Army National Guard network poses a major threat to U.S. cyber defenses. The group stole administrator credentials, network diagrams, and Personally Identifiable Information (PII) of service members, which could affect cybersecurity staff in multiple states.

With Guard units integrated into fusion centers in 14 states, this access could expose critical infrastructure defenses and help guide future Chinese cyberattacks targeting state-level cyber personnel and operations. The report highlights the need for strict security measures to defend against future breaches, including Server Message Block (SMB) hardening, credential management (starting with rotation of any credentials that may have been exposed), encryption, and least-privilege access.

A History of Salt Typhoon's Activities

Salt Typhoon is a China-linked APT group that has been tied to several high-profile intrusions. In 2024 it was reported to have breached U.S. telecommunications carriers including AT&T, Verizon, and Lumen Technologies, as well as other service providers in the U.S. and abroad, gaining access to lawful-intercept (wiretap) systems.

Last month, the Canadian Centre for Cyber Security and the FBI warned that Salt Typhoon had also targeted telecom providers in Canada, stealing call records and private communications. The group exploits known, publicly tracked vulnerabilities (CVEs) in network edge devices and operates from leased IP addresses to blend its traffic with legitimate activity. The report also states that the group has stolen over 1,400 configuration files from more than 70 U.S. government and critical infrastructure entities across 12 sectors, including energy and water.

Current Threat Landscape

The Salt Typhoon campaign, active for at least one to two years, has targeted telecommunications providers in several dozen countries. According to a U.S. official, the group breached additional U.S. telecommunications providers by exploiting unpatched Cisco IOS XE network devices.

In February 2025, Recorded Future's Insikt Group reported that Salt Typhoon was still targeting telecommunications providers worldwide. The threat actors had breached more U.S. telecommunications providers by exploiting two Cisco IOS XE web UI flaws, CVE-2023-20198 (initial access, allowing creation of a privileged local account through the web UI) and CVE-2023-20273 (privilege escalation to root).

The Canadian Centre for Cyber Security has also reported that in February 2025 Salt Typhoon likely compromised three network devices registered to a Canadian telecom provider, exploiting CVE-2023-20198 to retrieve the running configurations and, on at least one device, modify the configuration to set up a GRE tunnel for traffic collection. The group's targeting extends beyond telecoms: it also conducts network reconnaissance and may use compromised edge devices as pivot points to reach further victims.
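The two techniques described above, a privileged local account created through the IOS XE web UI and a GRE tunnel added to the running configuration, both leave traces in the device's configuration text. The following script is an added example, not code from the original article or from any of the agencies it cites: it audits a Cisco IOS/IOS XE running-config for an enabled web UI, privilege-15 users not on an approved list, and GRE tunnel interfaces whose destination lies outside the management network. The sample configuration, the approved-admin list and the management range are constructed for the example and are assumptions.

```python
"""
Audit a Cisco IOS / IOS XE running-config for indicators of the activity
described in the text:
  * the HTTP web UI enabled (the attack surface for CVE-2023-20198),
  * privilege-15 local users that are not on an approved list,
  * GRE tunnel interfaces, flagged as critical when they terminate outside
    the management address space.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample running-config for this example (not a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
username netops privilege 15 secret 9 $9$abcdefghijklmnop
username cisco_tac_admin privilege 15 secret 5 $1$qrst$uvwxyz0123456789
username monitor privilege 1 secret 9 $9$zyxwvutsrqponmlk
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel0
 ip address 10.200.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
!
interface Tunnel1
 description mgmt backhaul
 ip address 10.10.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 10.0.0.5
 tunnel mode gre ip
!
end
"""

# Assumptions for this example: the organisation's approved privilege-15
# accounts and its management network. Both are hypothetical values.
APPROVED_ADMINS = {"netops"}
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Finding:
    severity: str
    message: str


def _parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [its indented sub-commands]}."""
    blocks: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def audit_config(config: str, approved_admins=APPROVED_ADMINS,
                 management_nets=MANAGEMENT_NETS) -> list[Finding]:
    findings: list[Finding] = []

    # 1. Web UI exposure. Cisco's mitigation advice for CVE-2023-20198 is to
    #    disable the HTTP server feature on internet-facing systems.
    for directive in ("ip http server", "ip http secure-server"):
        if re.search(rf"^{re.escape(directive)}\s*$", config, re.M):
            findings.append(Finding("high", f"web UI enabled: '{directive}'"))

    # 2. Privilege-15 local users outside the approved list.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in approved_admins:
            findings.append(Finding("critical",
                                    f"unapproved privilege-15 user: {m.group(1)}"))

    # 3. GRE tunnels. Note: 'tunnel mode gre ip' is the IOS default and is
    #    omitted from the running-config, so a Tunnel interface with no
    #    explicit 'tunnel mode' line is still GRE.
    for name, lines in _parse_interfaces(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        mode = next((l[len("tunnel mode "):] for l in lines
                     if l.startswith("tunnel mode ")), "gre ip")
        if not mode.startswith("gre"):
            continue
        dest = next((l.split()[-1] for l in lines
                     if l.startswith("tunnel destination ")), None)
        if dest is None:
            findings.append(Finding("medium", f"GRE tunnel {name} has no destination"))
            continue
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:  # hostname destination: cannot classify, flag it
            findings.append(Finding("medium", f"GRE tunnel {name} to hostname {dest}"))
            continue
        if any(addr in net for net in management_nets):
            findings.append(Finding("info", f"GRE tunnel {name} to management address {dest}"))
        else:
            findings.append(Finding("critical", f"GRE tunnel {name} to external address {dest}"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.message}")
```

Run against an archived copy of each device's `show running-config`, the script gives a quick triage list; the real check is to diff the current configuration against a known-good baseline, since the actor modified configurations in place and a single unexpected `username` or `interface Tunnel` line is the whole indicator.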

Conclusion

The breach of the U.S. state's Army National Guard network by Salt Typhoon highlights the serious risks posed by China-linked APT groups to critical infrastructure in the United States. The government urges strict security measures to defend against future breaches, including Server Message Block (SMB) hardening, credential management, encryption, and least-privilege access.

As the threat landscape continues to evolve, it is essential for organizations and governments to stay vigilant and take proactive steps to protect themselves from cyber threats like Salt Typhoon.