Chinese Hackers Breached National Guard Network, Stole Sensitive Information

A recent breach of a U.S. Army National Guard network has been attributed to the Chinese state-sponsored hacking group known as Salt Typhoon. The group, believed to be affiliated with China's Ministry of State Security (MSS), remained undetected in the network for roughly nine months and stole information that could be used to compromise other government networks.

The breach, which occurred between March and December 2024, saw Salt Typhoon steal network configuration files, administrator credentials, and personal information of service members. This sensitive data could be used to breach National Guard and government networks in other states, posing a significant threat to national security.

Salt Typhoon's Notorious History

Salt Typhoon has gained notoriety over the past two years for a wave of intrusions at telecommunications and broadband providers worldwide. The group has targeted prominent companies such as AT&T, Verizon, Lumen, Charter, Windstream, and Viasat, stealing call records and private communications and gaining access to the lawful-intercept (wiretap) systems those carriers operate for U.S. law enforcement.

In previous attacks, Salt Typhoon exploited unpatched Cisco routers in telecom environments to gain access to carrier infrastructure. The attackers used this access to spy on the communications of U.S. political campaigns and lawmakers, deploying custom tooling such as JumbledPath and GhostSpider to surveil telecom networks.

Consequences of the Breach

The breach of the National Guard network has significant implications for national security. The stolen data could be used to facilitate follow-on attacks on other government networks, exposing sensitive information and putting critical infrastructure at risk. Network configuration files are particularly valuable to an intruder: they reveal topology, trust relationships between sites, and frequently embedded credentials that are reusable against peer networks.

A Department of Homeland Security (DHS) memo on the breach warns that Salt Typhoon has previously used stolen network topologies and configuration files to compromise critical infrastructure and U.S. government agencies. The group's tactics point to a high level of sophistication and resources, making it a significant threat to national security.
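To make concrete why a stolen configuration file is a credential leak and not just a map, here is an added example (not from the DHS memo or any cited vendor) of a small audit that walks an IOS-style running-config and grades each credential-bearing line. The sample config is constructed for this example; the hostname, addresses and secrets in it are invented. The type-7 reversal uses Cisco's long-public fixed XOR key, so a "service password-encryption" string recovered from a backup or TFTP share is as good as cleartext to an attacker.

```python
import re
from collections import Counter

# Cisco's fixed type-7 XOR key. It has been public for decades, which is why
# "service password-encryption" is obfuscation rather than protection.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

TYPE7_RE = re.compile(r"\b(?:password|key|md5) 7 ([0-9A-Fa-f]{4,})\b")
SECRET_RE = re.compile(r"\bsecret (\d) (\S+)")
PLAIN_PW_RE = re.compile(r"\b(?:password|key) (?:0 )?(\S+)$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?")

# Constructed sample for this example; not taken from any real device.
SAMPLE_CONFIG = """\
! constructed sample config for this example, not from any real device
hostname NG-EDGE-RTR1
enable password 7 0822455D0A16
username svc-backup privilege 15 password 7 032A5C59565D750D
username netadmin privilege 15 secret 9 $9$EXAMPLEscryptHASHxxxxxxxxxxxxxxx
snmp-server community public RO
snmp-server community c0nfigwrite RW
tacacs-server host 10.0.0.5 key 7 0822455D0A16
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
line vty 0 4
 password cisco123
 transport input telnet
"""


def decode_type7(encoded):
    """Reverse a type-7 string: the first two decimal digits are an offset into
    the key; each following hex byte is the password XORed with the next key byte."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type-7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("latin-1")


def audit_config(config_text):
    """Return (line_no, severity, kind, detail) for each credential-bearing line."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = SNMP_RE.match(line)
        if m:
            sev = "HIGH" if m.group(2) == "RW" else "MEDIUM"
            findings.append((lineno, sev, "snmp-community",
                             f"cleartext community {m.group(1)!r} ({m.group(2) or 'RO'}); "
                             "v1/v2c strings in a stolen config are directly reusable"))
            continue
        m = TYPE7_RE.search(line)
        if m:
            try:
                detail = f"reversible type-7 string, decodes to {decode_type7(m.group(1))!r}"
            except ValueError:
                detail = "malformed type-7 string"
            findings.append((lineno, "HIGH", "type-7", detail))
            continue
        m = SECRET_RE.search(line)
        if m:
            t = m.group(1)
            if t in ("8", "9"):
                findings.append((lineno, "INFO", f"type-{t}", "PBKDF2-SHA256 / scrypt secret; acceptable"))
            elif t == "5":
                findings.append((lineno, "MEDIUM", "type-5", "MD5-crypt, crackable offline; migrate to type 8 or 9"))
            elif t == "0":
                findings.append((lineno, "HIGH", "cleartext", f"cleartext secret {m.group(2)!r}"))
            else:
                findings.append((lineno, "MEDIUM", f"type-{t}", "deprecated secret type; migrate to type 8 or 9"))
            continue
        m = PLAIN_PW_RE.search(line)
        if m:
            findings.append((lineno, "HIGH", "cleartext", f"cleartext credential {m.group(1)!r}"))
            continue
        if line.startswith("transport input") and "telnet" in line:
            findings.append((lineno, "MEDIUM", "telnet", "cleartext management protocol enabled on vty"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 5, 'MEDIUM': 2, 'INFO': 1}."""
    return dict(Counter(sev for _, sev, _, _ in findings))


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for lineno, sev, kind, detail in results:
        print(f"line {lineno:>3} {sev:<6} {kind:<15} {detail}")
    print(summarize(results))
```

Run against an exported config, the report lists every line an intruder would harvest first. The remediation it points at is the one the rest of this article implies: type 8 or 9 secrets everywhere, no SNMPv1/v2c community strings, no cleartext management transports, and treating any config that has left the device as a credential compromise.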

Response and Recommendations

The DHS memo urges National Guard and government cybersecurity teams to act immediately to close the gaps the group is known to use. This includes patching known vulnerabilities in network devices such as Cisco routers, restricting SMB traffic through network segmentation, requiring SMB signing, and enforcing access controls.
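"Implement SMB signing" is only done when every server requires it, not merely supports it, and the place that is visible is the SMB2 NEGOTIATE response. Here is an added example (not from the DHS memo) that parses that response and reports whether signing is required; the messages it checks are constructed inline with `build_negotiate_response` rather than taken from a capture, and the field layouts follow the published MS-SMB2 header and NEGOTIATE response formats.

```python
import struct
import uuid

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED

HDR_FMT = "<4sHHIHHIIQIIQ16s"  # 64-byte SMB2 packet header (MS-SMB2 2.2.1.2)
NEG_FMT = "<HHHH16sIIIIQQHHI"  # fixed 64 bytes of a NEGOTIATE response (MS-SMB2 2.2.4)
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def build_negotiate_response(security_mode, dialect=0x0311):
    """Construct a minimal SMB2 NEGOTIATE response (test data, not a real capture)."""
    header = struct.pack(HDR_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(NEG_FMT, 65, security_mode, dialect, 0, uuid.uuid4().bytes,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 64 + 64, 0, 0)
    return header + body


def assess_negotiate_response(data):
    """Classify a server's negotiate response by what it commits to about signing."""
    if data[:4] == SMB1_MAGIC:
        return {"protocol": "SMB1", "verdict": "FAIL: server still speaks SMB1; disable it"}
    if len(data) < 128 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    _, hdr_size, _, _, command, _, flags, *_ = struct.unpack(HDR_FMT, data[:64])
    if hdr_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not an SMB2 NEGOTIATE response")
    struct_size, sec_mode, dialect, *_ = struct.unpack(NEG_FMT, data[64:128])
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    enabled = bool(sec_mode & SIGNING_ENABLED)
    required = bool(sec_mode & SIGNING_REQUIRED)
    if required:
        verdict = "PASS: signing required; unsigned sessions are rejected"
    elif enabled:
        verdict = ("WARN: signing supported but optional; a client that does not ask "
                   "for it gets an unsigned session that can be relayed or tampered with")
    else:
        verdict = "FAIL: signing disabled"
    return {"protocol": "SMB2", "dialect": DIALECTS.get(dialect, hex(dialect)),
            "signing_enabled": enabled, "signing_required": required, "verdict": verdict}


if __name__ == "__main__":
    for label, mode in (("signing required", SIGNING_ENABLED | SIGNING_REQUIRED),
                        ("signing optional", SIGNING_ENABLED),
                        ("signing off", 0)):
        print(f"{label:<17} -> {assess_negotiate_response(build_negotiate_response(mode))['verdict']}")
```

The WARN case is the common misconfiguration: Windows defaults to "enabled" for member servers, and only domain controllers require signing out of the box. On the host side the setting that moves a server from WARN to PASS is `RequireSecuritySignature` for both the LanmanServer and LanmanWorkstation services (shown by `Get-SmbServerConfiguration` and `Get-SmbClientConfiguration`), or `server signing = mandatory` in Samba's smb.conf; feeding live negotiate responses from a scanner or packet capture into the function above confirms the policy actually took effect.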

The incident highlights the need for robust defenses against state-sponsored groups like Salt Typhoon. National Guard and government agencies must prioritize security awareness and training, and invest in the detection and response capability needed to catch a nine-month intrusion far sooner.

Reactions from Governments and Companies

China's embassy in Washington did not deny the attack but stated that the U.S. had not provided "conclusive and reliable evidence" that Salt Typhoon is linked to the Chinese government. The National Guard Bureau confirmed the breach, stating that it had not disrupted federal or state missions.

Telecom giant Viasat was breached by China's Salt Typhoon hackers via a Cisco flaw. Canada blamed China for a cyberattack on its Ministry of Foreign Affairs, while Louis Vuitton reported data breaches in several regions tied to a single cyberattack.